[Pgi-wg] OGF PGI - Security Model

Moreno Marzolla moreno.marzolla at pd.infn.it
Thu Mar 26 11:10:16 CDT 2009


Duane Merrill wrote:
> Forgive me for pushing my logic to the extreme; I do realize that
> ARC/gLite/Naregi are similar enough that they could be congealed to
> constitute a "grid island" with some degree of effort.
[...]
> The operative phrase being "the amount of effort we are willing to invest".
> Perhaps we should survey *that*.

This "all-or-nothing" attitude was precisely what I was trying to avoid 
when I (and others like me) initially thought about having a small set 
of different security profiles. There are simply things which we (and 
others) can't change overnight, as we work on middlewares whose 
development is constrained in different ways. There's not much that we 
can do to change these constraints in the short term. Sure, we could 
develop a new (e.g.) CREAM-BES service which is completely unrelated 
with the legacy CREAM, so that we can get rid of every legacy component 
and implement whatever security mechanism we agree on. Whether we have 
the resources to do that is a question I'm not entitled to answer, but 
my guess is that we don't (again, things may change in the future).
So, achieving full interoperability between ARC/glite/naregi would be a 
success for me. Knowing that, by only getting rid of VOMS proxies and 
using SAML assertions we could get full interoperability with UNICORE 
and other similar middlewares is equally a success. Having to build 
adapters to translate (if possible) credentials in different formats is 
a compromise which is more reasonable than having to wait for all the 
middlewares of the world to move towards a common security 
infrastructure. Maybe this will happen, but I don't know whether I will 
still be around by then.

Moreno.

-- 
Moreno Marzolla
INFN Sezione di Padova,    via Marzolo 8,   35131 PADOVA,  Italy
EMail: moreno.marzolla at pd.infn.it         Phone: +39 049 8277103
WWW  : http://www.dsi.unive.it/~marzolla  Fax  : +39 049 8756233


