[Pgi-wg] Sec: Agreement on attribute transport mechanisms for AttrAuthZ

Aleksandr Konstantinov aleksandr.konstantinov at fys.uio.no
Fri Mar 27 08:46:00 CDT 2009


On Friday 27 March 2009 15:03, you wrote:
> Yes,
>
> that’s what I meant – I guess we just need two because of some legacy
> production systems?!
>
> When I think about opening a TLS I think the following options exist:
>
> (A)
> I use a GSI Proxy to establish a GSI-based TLS connection – each hop creates
> a new proxy-pair.

You are falling into delegation. Should it be a different topic?

>
> (B)
> I use an OpenSSL proxy to establish an OpenSSL-based proxy TLS connection
> (which included C) – each hop creates a new proxy-pair.

A TLS connection by itself can't create a *new* proxy. One needs some additional
way to do that.

>
> (C)
> I use a full end-entity certificate to establish a TLS connection.
>
> Would you agree on this one with me and what do others think, e.g. gLite?
>
> Thanks,
>
> Morris
>
> ------------------------------------------------------------
> Morris Riedel
> SW - Engineer
> Distributed Systems and Grid Computing Division
> Jülich Supercomputing Centre (JSC)
> Forschungszentrum Juelich
> Wilhelm-Johnen-Str. 1
> D - 52425 Juelich
> Germany
>
> Email: m.riedel at fz-juelich.de
> Info: http://www.fz-juelich.de/jsc/JSCPeople/riedel
> Phone: +49 2461 61 - 3651
> Fax: +49 2461 61 - 6656
> Skype: MorrisRiedel
>
> "We work to better ourselves, and the rest of humanity"

No, thanks.

signed,
 Rest of humanity


:)

>
> Registered office: Jülich
> Registered in the commercial register of the Düren local court, no. HR B 3498
> Chair of the Supervisory Board: MinDirig'in Bärbel Brumme-Bothe
> Board of Directors: Prof. Dr. Achim Bachem (Chairman),
> Dr. Ulrich Krafft (Deputy Chairman)
>
> From: weizhong qiang [mailto:weizhongqiang at gmail.com]
> Sent: Friday, March 27, 2009 1:46 PM
> To: Morris Riedel
> Cc: Aleksandr Konstantinov; pgi-wg at ogf.org
> Subject: Re: [Pgi-wg] Sec: Agreement on attribute transport mechanisms for AttrAuthZ
>
> 2009/3/27 Morris Riedel <m.riedel at fz-juelich.de>
>
> Hi,
>
> > - Of course. "Full certificate" is just an extreme case of proxy
> > certificate - like table without legs.
>
> Unfortunately, we heard earlier that this is not generally the case, since
> GSI proxy-based TLS also changes the wire or handshaking process, while I
> agree that end-entity TLS is a subset (as a chain-length-0 proxy) of normal
> TLS.
>
> However, in practical work I have done in scenarios, I learned we have to
> support both. So I see that we have to support both?!
> 
>
> There are at least two "both" from my understanding here:
> 1. In terms of the certificate itself, both full X.509 and proxy certificates;
> support means verification of the certificate, and only the normal TLS wire
> protocol is used.
> Which you agree with from your sentence, I think.
>
> 2. In terms of the wire protocol, both TLS and GSI, which are practically
> incompatible.
> I guess your question is about this one.
> I propose we can have two profiles for this, while mentioning that the GSI (wire
> protocol) profile is only for legacy reasons and is not recommended.
>
> Weizhong Qiang
>
> Take care,
> Morris
>
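The first "both" in Weizhong's list (full X.509 and proxy certificates both accepted over the normal TLS wire protocol, differing only in certificate verification) and Aleksandr's point that a full certificate is the chain-length-0 case, as an added Go example; it is not code from this thread or from any grid middleware named in it. It detects RFC 3820 proxies by their proxyCertInfo extension, checks each hop's signature without the RFC 5280 cA requirement that makes stock verifiers reject proxies, and returns the proxy depth; ProxyDepth, ConstructedChain and the self-signed demo chain are assumptions made here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// id-pe-proxyCertInfo (RFC 3820) marks a proxy certificate; id-at-commonName forms its subject.
var oidProxyCertInfo, oidCN = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 14}, asn1.ObjectIdentifier{2, 5, 4, 3}

// ProxyDepth takes a leaf-first chain and returns how many RFC 3820 proxies precede the end-entity
// certificate: 0 for a plain end-entity certificate, one more per delegation hop. Each proxy must be
// signed by the next certificate; the end entity itself is left to ordinary CA validation.
func ProxyDepth(chain []*x509.Certificate) (int, error) {
	for depth, c := range chain {
		proxy := false
		for _, e := range c.Extensions {
			proxy = proxy || e.Id.Equal(oidProxyCertInfo)
		}
		if !proxy {
			return depth, nil
		}
		// Not CheckSignatureFrom: it insists on cA=TRUE for the issuer, which a proxy issuer never has.
		if depth+1 == len(chain) || chain[depth+1].CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) != nil {
			return 0, fmt.Errorf("proxy %d: issuer missing or signature invalid", depth)
		}
	}
	return 0, fmt.Errorf("chain ends in a proxy with no end-entity certificate")
}

// ConstructedChain is demo data (assumed here, not a real credential): a self-signed end-entity
// certificate for CN=alice and one proxy (CN=alice, CN=proxy) signed with alice's key, leaf first.
func ConstructedChain() []*x509.Certificate {
	eePub, eeKey, _ := ed25519.GenerateKey(rand.Reader)
	proxyPub, _, _ := ed25519.GenerateKey(rand.Reader) // the proxy's private key stays on the client
	ee := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "alice"}, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	eeDER, _ := x509.CreateCertificate(rand.Reader, ee, ee, eePub, eeKey)
	ee, _ = x509.ParseCertificate(eeDER)
	// ProxyCertInfo ::= SEQUENCE { proxyPolicy SEQUENCE { policyLanguage id-ppl-inheritAll } }
	info, _ := asn1.Marshal(struct{ Policy struct{ Language asn1.ObjectIdentifier } }{struct{ Language asn1.ObjectIdentifier }{asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 21, 1}}})
	proxy := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: time.Now(), NotAfter: time.Now().Add(12 * time.Hour), Subject: pkix.Name{ExtraNames: []pkix.AttributeTypeAndValue{{Type: oidCN, Value: "alice"}, {Type: oidCN, Value: "proxy"}}},
		ExtraExtensions: []pkix.Extension{{Id: oidProxyCertInfo, Critical: true, Value: info}}}
	proxyDER, _ := x509.CreateCertificate(rand.Reader, proxy, ee, proxyPub, eeKey)
	proxy, _ = x509.ParseCertificate(proxyDER)
	return []*x509.Certificate{proxy, ee}
}
```

Passing the end-entity certificate alone yields depth 0, which is exactly the "table without legs" case; passing a proxy without its issuer, or one whose signature does not verify against the next certificate, is rejected.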