[Pgi-wg] OGF PGI - Security Strawman

Duane Merrill dgm4d at virginia.edu
Fri Mar 27 10:42:41 CDT 2009


Yes. For example, an idealized TLS-Proxy-service-plumbing can equally
accommodate a TLS-EEC-client-plumbing as well as a TLS-Proxy-client
plumbing. (Those two client plumbings are very different, but work
equally well with the single service plumbing.)

Duane



On 3/27/09, Morris Riedel <m.riedel at fz-juelich.de> wrote:
> Service/Client plumbings?
>
> I rather refer to:
>
> 3 suggested Authentication Plumbings
>
> 2 suggested Authorization Plumbings
>
> Take care,
> Morris
>
> ------------------------------------------------------------
> Morris Riedel
> SW - Engineer
> Distributed Systems and Grid Computing Division
> Jülich Supercomputing Centre (JSC)
> Forschungszentrum Juelich
> Wilhelm-Johnen-Str. 1
> D - 52425 Juelich
> Germany
>
> Email: m.riedel at fz-juelich.de
> Info: http://www.fz-juelich.de/jsc/JSCPeople/riedel
> Phone: +49 2461 61 - 3651
> Fax: +49 2461 61 - 6656
>
> Skype: MorrisRiedel
>
> "We work to better ourselves, and the rest of humanity"
>
> Registered office: Jülich
> Registered in the commercial register of the Düren District Court, No. HR B 3498
> Chair of the Supervisory Board: MinDirig'in Bärbel Brumme-Bothe
> Board of Directors: Prof. Dr. Achim Bachem (Chairman),
> Dr. Ulrich Krafft (Deputy Chairman)
>
> From: Duane Merrill [mailto:dgm4d at virginia.edu]
> Sent: Friday, March 27, 2009 3:50 PM
> To: Morris Riedel
> Cc: Aleksandr Konstantinov; pgi-wg at ogf.org
> Subject: Re: [Pgi-wg] OGF PGI - Security Strawman
>
> Since we are talking about dynamically advertising the requirements of
> services (and not clients) within hypothetical information services, we
> should talk explicitly about "service plumbing" and not "client plumbing".
> For example:
>
> * Service endpoint requires xyz (e.g., delegation-step, WS-Addressing
>   reference parameters, TLS mutual authentication, etc.)
> * Service endpoint can accept xyz (e.g., TLS proxy-path-validation,
>   SOAP WS-S proxy-path-validation, PGI VOMS-ACs, PGI SAML ACs, TLS
>   client-anonymous authentication, etc.)
>
> It is implicit that we will be putting in effort to implement clients that
> fit within the realm of options provided by the services that those clients
> intend to use.  (And it has become clear from several of these email
> threads which services those are.)
>
> Thus "grid islands" become "grid DAGs".
>
> -Duane
>
> 2009/3/27 Morris Riedel <m.riedel at fz-juelich.de>
>
> Hi,
>
>>- Currently all sentence are read on this mailing lists looked like
>>- requiring only listed options to be used for authorization. And this is
>>- wrong from my point of view.
>
> I refer to two different plumbings nothing more. This already narrows down
> the thousand other possibilities...
>
> Take care,
> Morris
>
>>------Original Message-----
>>-From: Aleksandr Konstantinov [mailto:aleksandr.konstantinov at fys.uio.no]
>>-Sent: Friday, March 27, 2009 2:40 PM
>>-To: Morris Riedel
>>-Cc: pgi-wg at ogf.org
>>-Subject: Re: [Pgi-wg] OGF PGI - Security Strawman
>>-
>>-On Friday 27 March 2009 14:39, Morris Riedel wrote:
>>-> But Aleksandr - I think we all agree to the VOMS scenario  - come on that’s
>>-> something where we can't go currently... :-)
>>-
>>-As I already said I'm not suggesting to profile other information which can be used
>>-for authorization.
>>-I said that such information should not be disallowed. Just write profile in such way
>>-that other options are up to deployment. Currently all sentence are read on this
>>-mailing lists looked like requiring only listed options to be used for authorization.
>>-And this is wrong from my point of view.
>>-
>>-A.K.
>>-
>>-> >------Original Message-----
>>-> >-From: Aleksandr Konstantinov [mailto:aleksandr.konstantinov at fys.uio.no]
>>-> >-Sent: Friday, March 27, 2009 1:29 PM
>>-> >-To: Morris Riedel
>>-> >-Subject: Re: [Pgi-wg] OGF PGI - Security Strawman
>>-> >-
>>-> >-On Friday 27 March 2009 12:24, you wrote:
>>-> >-> Aleksandr,
>>-> >->
>>-> >->   could you give me one example for this:
>>-> >->
>>-> >-> >- I do support idea of attribute based authorization. But can't understand why other information authenticating the client should be disallowed from making authorization decision.
>>-> >->
>>-> >-> I seek to understand what you mean.
>>-> >-
>>-> >-Most brutal example would be DN of X.509 certificate.
>>-> >-More sophisticated could be distrust of specific computing resource for specific
>>-> >-VOMS service.
>>-> >-
>>-> >-A.K.
>
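
An added example, not part of the thread or of any PGI document: the "requires" / "can accept" service advertisement described in the messages above, matched against an EEC client and a proxy client. The mechanism labels, the record layout and the sample endpoints are assumptions made for illustration.

```python
from dataclasses import dataclass

# Credential forms each validation mode can verify (constructed mapping).
# Proxy path validation validates the EEC chain first, so it covers both.
VALIDATES = {
    "tls-pkix-path-validation": {"eec"},
    "tls-proxy-path-validation": {"eec", "proxy"},
}

@dataclass(frozen=True)
class Service:
    name: str
    requires: frozenset      # steps every caller must perform
    can_accept: frozenset    # validation modes the endpoint offers

@dataclass(frozen=True)
class Client:
    name: str
    performs: frozenset      # steps the client implements
    credential: str          # "eec" or "proxy"

def mismatches(client, service):
    """Reasons the client cannot call the service; empty list means compatible."""
    reasons = [f"cannot perform {r}"
               for r in sorted(service.requires - client.performs)]
    accepted = set().union(*(VALIDATES.get(m, set()) for m in service.can_accept))
    if client.credential not in accepted:
        reasons.append(f"{client.credential} credential not accepted")
    return reasons

def usable_edges(clients, services):
    """Sorted (client, service) pairs where the client fits the advertisement."""
    return sorted((c.name, s.name) for c in clients for s in services
                  if not mismatches(c, s))

# Constructed sample advertisements and clients (hypothetical endpoints).
PROXY_SVC = Service("proxy-svc", frozenset({"tls-mutual-auth"}),
                    frozenset({"tls-proxy-path-validation"}))
EEC_SVC = Service("eec-svc", frozenset({"tls-mutual-auth", "delegation-step"}),
                  frozenset({"tls-pkix-path-validation"}))
EEC_CLIENT = Client("eec-client", frozenset({"tls-mutual-auth"}), "eec")
PROXY_CLIENT = Client("proxy-client",
                      frozenset({"tls-mutual-auth", "delegation-step"}), "proxy")

if __name__ == "__main__":
    for c in (EEC_CLIENT, PROXY_CLIENT):
        for s in (PROXY_SVC, EEC_SVC):
            print(c.name, "->", s.name, mismatches(c, s) or "ok")
```

Both client plumbings fit the single proxy-validating service, while the PKIX-only service rejects the proxy credential and the EEC client fails its delegation requirement.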

