[Pgi-wg] OGF PGI - GLUE Capability for Security - First proposal of specification

Bernd Schuller b.schuller at fz-juelich.de
Thu Nov 18 13:45:07 CST 2010


hi Etienne, Oxana,

On Thu, 2010-11-18 at 19:32 +0100, Oxana Smirnova wrote:

> I'm no Glue expert, and can't remember whether Glue foresees different access privileges to different bits of information. There's one problem with advertising security setup in information systems:
>
> normally, one can't access an information document without being authorised.
>
> That is, you probably can't obtain security setup information without knowing the security setup. Kind of a bootstrap issue, admittedly.
>

I think that this is not so much of a problem. Let's say you can have
"in-band" info systems that use the same security setup as the target
services. However, you often have out-of-band info systems that use a
different security setup. Usually this will be less strict, say normal
HTTPS or even plain HTTP. You might even get a snippet of GLUE2 sent to
you via email :-)

So Etienne's approach has a lot of merits.

In detail I've a couple of comments on the SSL/TLS capabilities.
There are only three cases here:
a1) normal SSL, i.e. server presents its certificate to the client
a2) client-authenticated SSL, i.e. the client additionally MUST present
a valid certificate

GSI ("SSL with proxy") is not(!) SSL, and should not
be on the same level.

So the SSL/TLS attributes should be just
security.authentication.ssl
security.authentication.ssl.clientauth

if you really want GSI (everybody seems to agree that it is going to be
deprecated ...), you need "security.authentication.gsi" etc


Best regards,
Bernd.

> 18.11.2010 15:45, Etienne URBAH wrote:
> > Morris, Johannes and all,
> >
> > Inside OGF PGI, I am trying to perform pragmatic work and provide proposals.
> >
> > So, inside the attached 'Glue-Capability-For-Security.txt' file, I have written down a first proposal of specifications for extensions of the 'Capability_t' type of GLUE 2.0 taking into account requirements 1, 4, 163, 11 and 17.
> >
> > I hope that this proposal is understandable.
> >
> > Please criticize it, in order to improve it.
> >
> > Best regards.
> >
> > -----------------------------------------------------
> > Etienne URBAH LAL, Univ Paris-Sud, IN2P3/CNRS
> > Bat 200 91898 ORSAY France
> > Tel: +33 1 64 46 84 87 Skype: etienne.urbah
> > Mob: +33 6 22 30 53 27 mailto:urbah at lal.in2p3.fr
> > -----------------------------------------------------
> >
> >
> >
> > _______________________________________________
> > Pgi-wg mailing list
> > Pgi-wg at ogf.org
> > http://www.ogf.org/mailman/listinfo/pgi-wg
--
Dr. Bernd Schuller
Distributed Systems and Grid Computing
Juelich Supercomputing Centre, http://www.fz-juelich.de/jsc
Phone: +49 246161-8736 (fax -8556)
Personal blog: www.jroller.com/page/gridhaus


------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Sitz der Gesellschaft: Juelich
Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
Vorsitzender des Aufsichtsrats: MinDirig Dr. Karl Eugen Huthmacher
Geschaeftsfuehrung: Prof. Dr. Achim Bachem (Vorsitzender),
Dr. Ulrich Krafft (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt,
Prof. Dr. Sebastian M. Schmidt
------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------
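An added example, not code from this thread, from GLUE2 or from any grid middleware, showing how a client would consume the attribute names Bernd suggests above (security.authentication.ssl, security.authentication.ssl.clientauth, security.authentication.gsi). The assumptions are that those names are carried as values of the GLUE2EndpointCapability LDAP attribute, and that the LDIF fragment embedded below is constructed for the example. The practitioner's caveat built into it: because the info system may be out of band and weaker (plain HTTP, email), advertised capabilities may tell the client to present a certificate, but never relax its verification of the server.

```python
"""Client-side interpretation of security.authentication.* Capability values.

Added example for the PGI thread above; not code from GLUE2 or any middleware.
Assumptions: attribute names as proposed in the message, carried in the
GLUE2EndpointCapability LDAP attribute; SAMPLE_LDIF is constructed.
"""
import ssl
from dataclasses import dataclass

SSL = "security.authentication.ssl"
SSL_CLIENTAUTH = "security.authentication.ssl.clientauth"
GSI = "security.authentication.gsi"

# Constructed GLUE2 LDIF fragment (hostname and values chosen for the example).
SAMPLE_LDIF = """\
dn: GLUE2EndpointID=https://ce.example.org:8443/ce,GLUE2GroupID=resource,o=glue
objectClass: GLUE2Endpoint
GLUE2EndpointURL: https://ce.example.org:8443/ce
GLUE2EndpointCapability: executionmanagement.jobexecution
GLUE2EndpointCapability: security.authentication.ssl
GLUE2EndpointCapability: security.authentication.ssl.clientauth
"""


def capabilities_from_ldif(text):
    """Collect every GLUE2EndpointCapability value of one LDIF entry, case-folded."""
    caps = set()
    for line in text.splitlines():
        if ":" not in line:
            continue
        attr, _, value = line.partition(":")
        if attr.strip().lower() == "glue2endpointcapability":
            caps.add(value.strip().lower())
    return caps


@dataclass(frozen=True)
class AuthPlan:
    transport: str            # "tls", "gsi" or "unknown"
    present_client_cert: bool  # endpoint requires client-authenticated TLS
    warnings: tuple            # inconsistencies found in the advertised data


def plan_from_capabilities(caps):
    """Decide how to talk to the endpoint from its advertised capabilities."""
    caps = {c.lower() for c in caps}
    warnings = []
    has_ssl, has_clientauth, has_gsi = SSL in caps, SSL_CLIENTAUTH in caps, GSI in caps
    if has_clientauth and not has_ssl:
        # The sub-attribute only makes sense on top of plain TLS; tolerate the omission.
        warnings.append("ssl.clientauth advertised without ssl; treating as TLS with client auth")
        has_ssl = True
    if has_ssl:
        transport = "tls"
        if has_gsi:
            warnings.append("GSI also advertised; preferring plain TLS")
    elif has_gsi:
        transport = "gsi"
        warnings.append("GSI proxy authentication is not plain TLS; needs a GSI-aware client stack")
    else:
        transport = "unknown"
        warnings.append("no security.authentication.* capability advertised")
    return AuthPlan(transport, has_clientauth, tuple(warnings))


def tls_context_for(plan, client_cert=None, client_key=None):
    """Build the client's TLS context for a "tls" plan.

    Server verification is fixed here and never driven by advertised data:
    a capability list fetched over plain HTTP must not be able to downgrade it.
    """
    if plan.transport != "tls":
        raise ValueError("plan is not for plain TLS: %s" % plan.transport)
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.verify_mode = ssl.CERT_REQUIRED   # already the default; stated explicitly
    ctx.check_hostname = True
    if plan.present_client_cert:
        if client_cert is None:
            raise ValueError("endpoint requires a client certificate, none configured")
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


if __name__ == "__main__":
    plan = plan_from_capabilities(capabilities_from_ldif(SAMPLE_LDIF))
    print(plan)
```

The only thing the advertised data changes on the client side is whether a client certificate is attached; which CA the server must chain to and whether its hostname is checked stay hard-coded in the client, which is what makes Bernd's "send it by email" scenario safe to act on.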

