[Pgi-wg] Sec: Agreement on attributetransportmechanismsforAttrAuthZ

Aleksandr Konstantinov aleksandr.konstantinov at fys.uio.no
Fri Mar 27 03:26:05 CDT 2009 

On Friday 20 March 2009 16:35, m.riedel at fz-juelich.de wrote:
> Hi,
> 
> >- This is the problem you mentioned which we experienced during the 
> OMII-EU project: BES clients were not executing the delegation 
> operation, so the service did not have any delegated credentials to use. 
> We then implemented a horrible workaround in CREAM which was fine for 
> demonstration purposes, but unfortunately can not be applied for any 
> real use.
> 
> 
> ok, that's interesting - if you don't extract the proxy obviously then from TLS level during AuthN steps - why is there still a proxy support needed on the TLS level then?! 

I would say it is not needed from service point of view. It is just supported. 
But it is needed from another service point of view, which for example submits job to BES on behalf of original user.
If that "on behalf" thing is implemented using proxy delegation, then starting from second service in a chain all services
must accept proxies. 
Of course all services (except last one) also must provide way to accept delegated credentials. But that is probably out 
of topic for this discussion.
Of course there are other ways to implement "on behalf", and SAML is one of them.

> 
> Q: It looks like now all middlewares can be accessed then easily with using full end-entity certificates: UNICORE, GENESIS-II, gLite,.. What about ARC?

Of course. "Full certificate" is just an extreme case of proxy certificate - like table without legs.

A.K.

 
> Thanks for pointing this out Moreno - indeed helpful - I missed that new fact.
> 
> Take care,
> Morris
> 
> 
> 
> 
> --------------------------------------------------------------------------------
> Morris Riedel
> SW - Engineer
> Distributed Systems and Grid Computing Division
> Central Institute of Applied Mathematics
> Research Centre Juelich
> Wilhelm-Johnen-Str. 1
> D - 52425 Juelich
> Germany
> 
> Email:  m.riedel at fz-juelich.de
> Info: http://www.fz-juelich.de/zam/ZAMPeople/riedel
> 
> Phone: +49 2461 61 - 3651
> Fax: +49 2461 61 - 6656
> 
> Skype: MorrisRiedel
> 
> 'We work to improve ourselves and the rest of mankind.'
> 
> ----- Original Message -----
> From: Moreno Marzolla <moreno.marzolla at pd.infn.it>
> Date: Friday, March 20, 2009 3:25 pm
> Subject: Re: [Pgi-wg] Sec: Agreement	on	attribute transportmechanismsforAttrAuthZ
> 
> > m.riedel at fz-juelich.de wrote:
> > > Hi,
> > > 
> > >> -  The gLite CREAM CE can be accessed either with pure TLS (X509
> > > certificate) or using GSI (proxy-based) authentication. I think that
> > > the same holds for other gLite components as well.
> > > 
> > > 
> > > So your service can work w/o proxies? Maybe for the initial 
> > AuthN yes
> > > - but for further use I guess you require a proxy for forwarding to
> > > CREAM or so?!
> > 
> > You can invoke any CREAM operation using either a plain X509 
> > certificate, or a proxy certificate. In either case you can use 
> > the 
> > service without problems. HOWEVER, in order to submit a job you 
> > NEED to 
> > delegate a proxy to CREAM by first invoking the delegation port-
> > type. 
> > Once you have delegated a proxy, you can create/cancel/monitor 
> > your jobs 
> > with plain X509 certificates.
> > 
> > Note that in order to contact the delegation port-type you can use 
> > either an X509 certificate, or a proxy certificate.
> > 
> > So, a client with *only* an X509 certificate can perform any 
> > operation 
> > on CREAM, PROVIDED that FIRST it delegates its credential to CREAM 
> > by 
> > performing a delegation operation. A client with a delegated proxy 
> > can 
> > also execute any operation on CREAM, provided that it further 
> > delegates 
> > its credentials to CREAM.
> > 
> > This is the problem you mentioned which we experienced during the 
> > OMII-EU project: BES clients were not executing the delegation 
> > operation, so the service did not have any delegated credentials 
> > to use. 
> > We then implemented a horrible workaround in CREAM which was fine 
> > for 
> > demonstration purposes, but unfortunately can not be applied for 
> > any 
> > real use.
> > 
> > Moreno
> > 
> > -- 
> > Moreno Marzolla
> > INFN Sezione di Padova,    via Marzolo 8,   35131 PADOVA,  Italy
> > EMail: moreno.marzolla at pd.infn.it         Phone: +39 049 8277103
> > WWW  : http://www.dsi.unive.it/~marzolla  Fax  : +39 049 8756233
> > 
> > 
> 
> 
> 
> -------------------------------------------------------------------
> -------------------------------------------------------------------
> Forschungszentrum Juelich GmbH
> 52425 Juelich
> 
> Sitz der Gesellschaft: Juelich
> Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
> Vorsitzende des Aufsichtsrats: MinDir'in Baerbel Brumme-Bothe
> Geschaeftsfuehrung: Prof. Dr. Achim Bachem (Vorsitzender),
> Dr. Ulrich Krafft (stellv. Vorsitzender), Prof. Dr. Harald Bolt,
> Dr. Sebastian M. Schmidt
> -------------------------------------------------------------------
> -------------------------------------------------------------------
> _______________________________________________
> Pgi-wg mailing list
> Pgi-wg at ogf.org
> http://www.ogf.org/mailman/listinfo/pgi-wg
>

More information about the Pgi-wg mailing list