03/13/2009 8:34 AM
Production Grid Infrastructure (PGI) Standard Working Session (2), OGF25, 5 Mar 2009, 11:00 (CET)
Presentation: Duane (via skype), Andrew
Conformance targets for simple PGI communication
Orthogonal steps towards basic interoperability
Suggestion:
Step 1: simple message communication, PGI_Comm Profile
In presentation:
1 PGI_HTTPS
2 PGI_TLSPROXY
3 PGI_SOAP_SAML
Morris:
Questions, more profiles?
One profile, more profiles?
Process: we cannot do it in the first section
How to break it in small pieces -> discuss here
Should not break too much
Should we do sub profiling?
Andrew:
Two sec. conf. targets
Not go back to one target
Split between
TLS proxy and SAML, SOAP
Etienne:
Description in human readable texts! -> appendix
Aleks:
X.509 vs. TLS proxies
RFC reject
Morris:
Add up a system that does not use attribute as well
just a pure proxy system: no
we want to have attributes
nailing things down here is not possible…
Morris:
Question:
WS- naming
GENESIS is adopting it – spend a few words
Idea: webserver with WS end point
attribute certificates
standard attribute assertions
does not tell you about resources
way to give information to Grid resources
granularity
URI, epr basically is URI
Morris:
Sub container approach?
Duane:
Anybody using attribute targets?
Morris:
Attribute statements in SAML assertions
Specification in the slides
Andrew:
Specifications allow doing it
If nobody uses it -> skip
If somebody uses it -> include
In straw man
Morris:
Last version of straw man document from Duane very much nailed down.
Move to Moreno’s presentation
Andrew:
Nail down the two profiles
Discussion of UNICORE delegation model:
What is the delegation model? Can I use proxy certificates? Should we use proxies?
Morris:
Point: delegation of credentials
Idea: WS-trust spec
Andrew:
GENESIS uses WS-trust port type, implements get security token
SAML tokens for delegation
Aleks:
Pull tokens from service – not pushing?
Duane, Andrew:
Yes
Aleks:
Similar approach without WS-trust in development version of ARC, willing to do WS-trust
gLite:
proxies
developing security token service
Moreno:
Topic for Zürich
Aleks:
Use GENESIS way
Andrew:
Every time before service call you need certificate?
Aleks:
Not for every call
Andrew:
Can identify services where no delegation of the credentials is needed
Services are interfaces
Need to tell people what to do
Don’t delegate credentials to service which you don’t know
Morris:
Additional comments?
Summary and action definition
Duane’s straw man is a good basis
Comments from middlewares?
Only take delegation element from Moreno’s document
Oxana:
Talking about two profiles?
Duane’s straw man defines three profiles in one document
-> Merge Duane’s and Moreno’s
Aleks:
Restricted delegation is major point, not covered now
Oxana:
Two profiles in one doc
Andrew:
Should Duane include Moreno’s in his document?
Morris:
Everybody should first read it
By the end of next week we can do it hopefully
Duane:
Describe two different ways of things being done
Morris:
Next week deadline for inputs
Andrew:
Restricted delegation: not include in current work
Morris:
We have to address it but not lose focus!!
Informational document?
Aleks:
How is information propagated?
Andrew:
In proxy cert?
Aleks:
Not in SAML
Andrew:
Talk on further
Balazs:
Take a few days for review and make comments.
Morris:
Progress:
Next week: comment phase -> mailing list
Andrew:
Thanks Duane for spending 120 hours for writing the straw man document!
Steven:
The work needs focus, what time you can dedicate.