[Pgi-wg] Sec: Agreement on attribute transport mechanisms for AttrAuthZ

Morris Riedel m.riedel at fz-juelich.de
Fri Mar 27 08:51:50 CDT 2009


Ok,

now I also don't understand it anymore.

>- You are falling to delegation. Should it be a different topic?

No - in order to create a GSI connection:

(1) First, generate a GSI proxy
(2) Use this GSI proxy to establish the GSI connection?!

Is that wrong?

Take care,
Morris

------------------------------------------------------------
Morris Riedel
SW - Engineer
Distributed Systems and Grid Computing Division
Jülich Supercomputing Centre (JSC)
Forschungszentrum Juelich
Wilhelm-Johnen-Str. 1
D - 52425 Juelich
Germany

Email: m.riedel at fz-juelich.de
Info: http://www.fz-juelich.de/jsc/JSCPeople/riedel
Phone: +49 2461 61 - 3651
Fax: +49 2461 61 - 6656

Skype: MorrisRiedel

"We work to better ourselves, and the rest of humanity"

Registered office: Jülich
Registered in the commercial register of the Düren local court, no. HR B 3498
Chair of the Supervisory Board: MinDirig'in Bärbel Brumme-Bothe
Board of Directors: Prof. Dr. Achim Bachem (Chair),
Dr. Ulrich Krafft (Deputy Chair)


>------Original Message-----
>-From: Aleksandr Konstantinov [mailto:aleksandr.konstantinov at fys.uio.no]
>-Sent: Friday, March 27, 2009 2:46 PM
>-To: Morris Riedel; pgi-wg at ogf.org
>-Subject: Re: [Pgi-wg] Sec: Agreement on attribute transport mechanisms for AttrAuthZ
>-
>-On Friday 27 March 2009 15:03, you wrote:
>-> Yes,
>->
>-> that’s what I meant – I guess we just need two because of some legacy production systems?!
>->
>-> When I think about opening a TLS I think the following options exist:
>->
>-> (A)
>-> I use a GSI Proxy to establish a GSI-based TLS connection – each hop creates a new proxy-pair.
>-
>-You are falling to delegation. Should it be a different topic?
>-
>->
>-> (B)
>-> I use an OpenSSL proxy to establish an OpenSSL-based proxy TLS connection (which includes C) – each hop creates a new proxy-pair
>-
>-TLS connection by itself can't create *new* proxy. One needs some additional way to do that.
>-
>->
>-> (C)
>-> I use a full end-entity certificate to establish a TLS connection
>->
>-> Would you agree on this one with me and what do others think, e.g. gLite?
>->
>-> Thanks,
>->
>-> Morris
>->
>-> "We work to better ourselves, and the rest of humanity"
>-
>-No, thanks.
>-
>-signed,
>- Rest of humanity
>-
>-
>-:)
>-
>->
>-> From: weizhong qiang [mailto:weizhongqiang at gmail.com]
>-> Sent: Friday, March 27, 2009 1:46 PM
>-> To: Morris Riedel
>-> Cc: Aleksandr Konstantinov; pgi-wg at ogf.org
>-> Subject: Re: [Pgi-wg] Sec: Agreement on attribute transport mechanisms for AttrAuthZ
>->
>-> 2009/3/27 Morris Riedel <m.riedel at fz-juelich.de>
>->
>-> Hi,
>->
>-> >- Of course. "Full certificate" is just an extreme case of proxy certificate - like table without legs.
>->
>-> Unfortunately, we heard earlier that this is not generally the case, since GSI proxy-based TLS also changes the wire or handshaking process, while I agree that end-entity TLS is a subset (as a chain-length-0 proxy) of normal TLS.
>->
>-> However, in practical work I have done in scenarios I learned we have to support both. So I see that we have to support both?!
>->
>-> There are at least two "both" from my understanding here:
>-> 1, in terms of the certificate itself, both full X.509 and proxy certificate; and support means the verification of the certificate, and only the normal TLS wire protocol is used.
>-> Which you agree with from your sentence, I think.
>->
>-> 2, in terms of wire protocol, both TLS and GSI, which practically are incompatible.
>-> I guess your question is about this one.
>-> I propose we can have two profiles about this, while mentioning the GSI (wire protocol) profile is only for legacy reasons, but is not recommended.
>->
>-> Weizhong Qiang
>->
>-> Take care,
>-> Morris
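An added example (not from the thread, and not code of any project named in it) of Weizhong's first "both" and of Aleksandr's point that a TLS connection cannot mint a proxy: the openssl command line builds a CA, an end-entity certificate for a constructed user `alice`, and an RFC 3820-style proxy signed by alice's own key outside any handshake, then verifies both chains over plain certificate validation. The end-entity chain (option C, zero proxies) passes as-is, while the proxy chain is rejected until proxy validation is explicitly enabled; names and keys are constructed here and OpenSSL 1.1.1 or newer is assumed.

```shell
#!/bin/sh
# Constructed demo chain: CA -> alice (end entity) -> proxy. Nothing here is a real identity.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# build_chain: alice is an ordinary end-entity cert issued by the CA. The proxy is issued
# by alice's own key (no CA involved), carries a proxyCertInfo extension and extends
# alice's subject by exactly one CN, which is the RFC 3820 naming rule validators check.
build_chain() (
    cd "$WORK"
    for n in ca alice proxy; do openssl ecparam -name prime256v1 -genkey -noout -out "$n.key"; done
    openssl req -new -key ca.key -subj "/O=Grid/CN=Demo CA" -out ca.csr
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    openssl x509 -req -in ca.csr -signkey ca.key -days 1 -extfile ca.ext -out ca.crt
    openssl req -new -key alice.key -subj "/O=Grid/CN=alice" -out alice.csr
    openssl x509 -req -in alice.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 1 -out alice.crt
    openssl req -new -key proxy.key -subj "/O=Grid/CN=alice/CN=proxy" -out proxy.csr
    printf 'proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:0\n' > proxy.ext
    openssl x509 -req -in proxy.csr -CA alice.crt -CAkey alice.key -CAcreateserial -days 1 \
        -extfile proxy.ext -out proxy.crt
) 2>/dev/null

# verify_cert CERT [verify options]: returns 0 when openssl builds and accepts a chain
# from CERT up to the demo CA, with alice.crt offered as an untrusted intermediate.
verify_cert() {
    cert=$1; shift
    openssl verify -CAfile "$WORK/ca.crt" -untrusted "$WORK/alice.crt" "$@" "$WORK/$cert" >/dev/null 2>&1
}

build_chain
verify_cert alice.crt && echo "end-entity chain, zero proxies: accepted (option C)"
verify_cert proxy.crt || echo "proxy chain rejected: plain RFC 5280 validation knows no proxies"
verify_cert proxy.crt -allow_proxy_certs && echo "proxy chain accepted once proxy validation is enabled"
```

Without `-allow_proxy_certs` the failure is the "proxy certificates not allowed" verify error, not a signature problem: the proxy is well-formed, but a validator that only implements full-certificate chains treats a non-CA issuer as a broken chain.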