[Pgi-wg] TLS : OpenSSL and GSI implementations - gLite 3.2released today

weizhong qiang weizhongqiang at gmail.com
Fri Mar 27 05:01:02 CDT 2009 

2009/3/27 Morris Riedel <m.riedel at fz-juelich.de>

> Ok,
>
>  and that's why we have to support both in our profiles I guess - correct?!


It depends what is the definition of the "both" here.

Weizhong


>
>
>
> Take care,
> Morris
>
> ------------------------------------------------------------
> Morris Riedel
> SW - Engineer
> Distributed Systems and Grid Computing Division
> Jülich Supercomputing Centre (JSC)
> Forschungszentrum Juelich
> Wilhelm-Johnen-Str. 1
> D - 52425 Juelich
> Germany
>
> Email: m.riedel at fz-juelich.de
> Info: http://www.fz-juelich.de/jsc/JSCPeople/riedel
> Phone: +49 2461 61 - 3651
> Fax: +49 2461 61 - 6656
>
> Skype: MorrisRiedel
>
> "We work to better ourselves, and the rest of humanity"
>
> Sitz der Gesellschaft: Jülich
> Eingetragen im Handelsregister des Amtsgerichts Düren Nr. HR B 3498
> Vorsitzende des Aufsichtsrats: MinDirig'in Bärbel Brumme-Bothe
> Vorstand: Prof. Dr. Achim Bachem (Vorsitzender),
> Dr. Ulrich Krafft (stellv. Vorsitzender)
>
>
> >------Original Message-----
> >-From: pgi-wg-bounces at ogf.org [mailto:pgi-wg-bounces at ogf.org] On Behalf
> Of
> >-Aleksandr Konstantinov
> >-Sent: Friday, March 27, 2009 10:49 AM
> >-To: pgi-wg at ogf.org
> >-Subject: Re: [Pgi-wg] TLS : OpenSSL and GSI implementations - gLite
> 3.2released
> >-today
> >-
> >-On Monday 23 March 2009 15:04, Etienne URBAH wrote:
> >-> To all,
> >->
> >-> Concerning various implementations of TLS to handle X509 certificates
> >-> and proxies, it seems that :
> >->
> >-> -  DEISA (Unicore) uses the OpenSSL implementation of TLS to process
> >-> X509 certificates,
> >->
> >-> -  EGEE (gLite) and NorduGrid (ARC) use the GSI (Globus Security
> >-> Infrastructure) implementation of TLS to process X509 proxies,
> >-
> >-No, ARC uses OpenSSL for TLS data connections and Globus for
> >-GSI connections (SRM and GridFTP).
> >-
> >-
> >-A.K.
> >-
> >-
> >->
> >-> -  The OpenSSL and GSI implementations of TLS seem to be INCOMPATIBLE
> >-> (see mails below of Weizhong QIANG and Duane MERRIL).
> >->
> >-> This would make any interoperability very difficult.
> >->
> >->
> >-> But the situation is perhaps NOT so desperate :
> >->
> >-> -  EGEE has just released gLite version 3.2 today 23 March 2009.
> >->
> >-> -  In slide 3 of the presentation 'Middleware update' performed at CERN
> >-> GDB on 11 March 2009 and which is available at
> >->
> >-
> http://indico.cern.ch/getFile.py/access?sessionId=7&resId=1&materialId=0&c
> onfId=4<http://indico.cern.ch/getFile.py/access?sessionId=7&resId=1&materialId=0&c%0AonfId=4>
> >-5473
> >->     Andreas UNTERKIRCHER explains that gLite 3.2 uses VDT 1.10, which
> >-> uses 'system OpenSSL'.
> >->
> >->
> >-> ==>  Can Andreas UNTERKIRCHER provide more precisions, and confirm that
> >-> this permits interoperability at the X509 level ?
> >->
> >-> ==>  Can the PGI chairs plan an interoperability test ASAP to check if
> >-> this really work ?
> >->
> >->
> >-> In hope that the above informations and suggestions are useful.
> >->
> >-> Best regards.
> >->
> >-> ----------------------------------
> >-> Etienne URBAH          IN2P3 - LAL
> >-> Bat 200     91898 ORSAY     France
> >-> Tel: +33 1 64 46 84 87
> >-> Mob: +33 6 22 30 53 27
> >-> Skype: etienne.urbah
> >-> mailto:urbah at lal.in2p3.fr
> >-> ----------------------------------
> >->
> >->
> >-> On Mon, 23 Mar 200, Jens Jensen wrote:
> >-> > 2009/3/20 weizhong qiang <weizhongqiang at gmail.com>:
> >-> >> On Fri, Mar 20, 2009 at 3:00 PM, <m.riedel at fz-juelich.de> wrote:
> >-> >> Basically the globus implementation if GSSAPI is about a specific
> >-> >> context-initiation negotiation, and some data-padding for initiation
> and
> >-> >> data-transferring. Also you can accomplish proxy-delegation via it.
> >-> >> What is for sure is that you can not use client based on normal TLS
> to talk
> >-> >> with service which is based on GSSAPI, or vice versa.
> >-> >> AFAIK, There is some grid service (WS compliant) such as some SRM
> service
> >-> >> which uses GSSAPI. (SOAP + HTTP + GSS).
> >-> >
> >-> > Some years since I last looked at it in detail but IIRC GSSAPI
> (RFC2743) is just
> >-> > a mechanism for establishing security contexts - if you get these
> >-> > bytes then send
> >-> > this, etc.  Presumably normal TLS can be implemented via GSSAPI as
> well, see
> >-> > eg section 5.3 of the RFC
> >-> > Someone once told me Globus had to deviate from the standard GSSAPI
> >-> > to implement GSI. If this is true then it's worth documenting, no?
> >-> > Again long time ago I experimented with the Globus module for GSI and
> >-> > the lower level Globus GSSAPI.  At the time they did not interoperate
> :-)
> >-> > Had some discussions with Aleksandr at the time.
> >-> >
> >-> > Regards
> >-> > --jens
> >->
> >->
> >->
> >-> On Fri, 20 Mar 2009, Duane Merrill wrote:
> >-> > In theory, rfc-3820 proxy certs should not have any effect on TLS
> wire
> >-> > protocol. For various reasons, different versions of GSI-OpenSSH
> *have*
> >-> > changed the wire format in different ways. (Shame on them.) Out of
> >-> > curiosity, are there any published/publicly-availabe descriptions of
> >-> > these deltas?
> >-> >
> >-> > Duane
> >->
> >-_______________________________________________
> >-Pgi-wg mailing list
> >-Pgi-wg at ogf.org
> >-http://www.ogf.org/mailman/listinfo/pgi-wg
>
> _______________________________________________
> Pgi-wg mailing list
> Pgi-wg at ogf.org
> http://www.ogf.org/mailman/listinfo/pgi-wg
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.ogf.org/pipermail/pgi-wg/attachments/20090327/c4498d6e/attachment.html

More information about the Pgi-wg mailing list