[Risge-rg] Use case

Marcus Hardt marcus at hardt-it.de
Mon Jun 30 04:42:38 CDT 2008


Hi,

Thanks for the answers. I've asked our CA; she said that it's likely possible
to use a host cert for this if the host cert is a VO member. This would
essentially contradict some security philosophy, because the host cert has no
passphrase, but this is for the VO manager to decide.

M.

Quoting Ioannis Liabotis
> Hi,
>
> some comments from me regarding the last question:
> (without me being a security expert as well)
>
> >> o Can a host certificate be a member of a VO?
>
> For the implementation of such use case there is the possibility to
> use the so called Robot certificates.
>
> These certificates at least in Europe are currently issued by UK E-
> science CA, DutchGrid CA and INFN CA.
>
> And I guess that other CAs might be willing to implement something
> like this if there is need.
>
> Hope this helps.
>
> Best Regards,
> Ioannis-
>
> On Jun 23, 2008, at 6:31 PM, Constantinos (Costas) Kotsokalis wrote:
> > Hi Marcus,
> >
> > Some (I hope not too late) answers/comments inline :-)
> >
> > On Jun 19, 2008, at 10:47 , Marcus Hardt wrote:
> >> Dear Colleagues,
> >>
> >> I'm one of the "silent" consumers of this list. And I wonder if the
> >> following use case is already covered by the RISGE group.
> >>
> >> We have a sensor that could be operated by an operator for making a
> >> measurement.
> >>
> >> The measurement needs to be stored in a grid-accessible way.
> >> Preferably it would be copied to a gLite Storage Element (SE) and
> >> registered in the gLite Logical File Catalogue (LFC).
> >>
> >> Ideally the sensor would be capable of submitting jobs that analyse
> >> the data.
> >
> > Overall, we are looking into those situations where there is some
> > post-
> > processing of experimental data involved, without explicitly examining
> > the exact kind of post-processing, where they are stored (we consider
> > a data sink which might be anything), how the data was transferred,
> > etc.
> >
> >> Now I've some questions:
> >>
> >> o Is there a common understanding of how the Proxy is created? This
> >> directly influences the ownership of the data?
> >
> > On average, it looks like most (if not all) experiments we have
> > examined are performed via a web-based interface (i.e., a portal). As
> > such, one can assume that proxies are created at login time, and that
> > indeed data is owned by the remote scientist (the person conducting
> > the experiment). However, I should add that proxy creation is again an
> > implementation issue, seen (at least by myself) as an added layer to
> > the functionality that we are trying to describe (this is the approach
> > taken by most OGF groups, AFAIK). That is not to say that security and
> > data ownership is not a relevant topic.
> >
> >> o If there is no user to create a proxy, is it foreseen to use the
> >> host certificate of the sensor? Is this actually technically possible?
> >> Is this permitted by the CA's CP/CPS?
> >
> > Again, this is an implementation issue, and I personally don't have
> > specific understanding/opinion. About this, I would recommend
> > contacting your local CA, or even the CAOPS group of the OGF.
> >
> >> o Can a host certificate be a member of a VO?
> >
> > Again, your local CA, VOMS manager, or the CAOPS group might be more
> > appropriate to answer this. I don't see why it cannot, but security is
> > not my field.
> >
> > Best regards,
> >
> >  Costas
> >
> >> Are there answers to these questions?
> >>
> >> Greetings from Karlsruhe,
> >> --
> >> M.
> >> _______________________________________________
> >> Risge-rg mailing list
> >> Risge-rg at ogf.org
> >> http://www.ogf.org/mailman/listinfo/risge-rg
> >
> > --
> > Constantinos (Costas) Kotsokalis
> > IT & Media Center
> > Dortmund University of Technology



-- 
M.


