This is a static archive of the previous Open Grid Forum GridForge content management system saved from host file /sf/discussion/do/listPosts/projects.pgi-wg/discussion.meetings.topc4234 at Fri, 04 Nov 2022 17:45:31 GMT

Meeting on 2009-01-16, 16:00 (CET) Notes
ad 1) UNICORE security infrastructure (max 5-10 min), to complete the description of the security settings of our middlewares

Presentation by Morris (can be found in Documents, 2009-01-16_TelCon, doc15445: UNICORE Security 101, and delegation information from OGF23)
  +  X.509 certificates
  +  UNICORE user database mapping
  +  identity based authorization
  +  proxy certificates
  +  already working with proxy certificates - but recommend attribute based authorization
  +  decision-making process
      °  UNICORE user db (mapping X.509 to username)
      °  XACML based policy description -> more fine grained authorization
  #  X.509 certificates, UNICORE user db mapping, proxy certificates, XACML based policy description

Moreno: Problems with SAML assertion when implementing
Basically, it has to be agreed what should be in the "red boxes" on page 8 of Morris' presentation.
There are two ways:
-  X.509 certificates + TLS
-  SAML assertions in SOAP headers

Genesis does not use delegated X.509 certificates but access control lists.

  +  very basic sec. infrastructure based on X.509 certificates
  +  uses VOMS
  +  super scheduler submits jobs on behalf of the user
  +  gridmap files handled using VOMS
  +  not using SAML
  +  not using XACML

  # summarized: X.509 certificates, superscheduler

UNICORE is the only one using SAML
ARC and gLite use X.509 certificates + delegation of credentials

Proposal from Moreno:
Define two security profiles and let the client choose one or both.
Standard: X.509 + delegation

We have to clearly define the requirements:
-  interface of the service
-  data types
-  formats of certificates
-  ...

ad 2) Can we use (part of) the WS-Trust specification for delegating credentials to the service?

Andrew: WS-Trust is very easy to implement.
Moreno: delegate the proxy only when interacting with the CREAM service
Two steps are necessary:
- delegate credentials to the system
- use the delegated credentials later

The fundamental idea of MyProxy is to send some info in and get some info back -> get back a delegated certificate
Not new credentials for every job -> waste of time

Morris: We have to be careful about implementing too many new ideas: this is not the idea of the pgi-wg

Aleksander and Moreno will prepare a figure showing how delegation, etc. works in ARC and gLite.

ad 3) AOB

Finish the document by mid-February.
At OGF25 there are three sessions (one workshop session in cooperation with David Wallom and OGF-Europe).

Do marketing around pgi-wg!
