David O'Callaghan wrote on 11 May 2006 14:42:
> Hi Jens et al.,

Hi David,

> On 11.05.06 12:53, Jensen, J (Jens) wrote:
>> Regardless of whether "we" build a validation authority or add to the middleware validation, someone still needs to build the validation code, and the language to specify what you want. The language should allow for checking not just policy OID but also key size and individual extensions, etc, IMHO. And be simple enough that anyone can implement an acceptance policy - no XML, no binary encodings.
>
> I've been working on something like this and I hope to have the opportunity to describe it at the next EU Grid PMA meeting. The acceptance policy uses a Scheme-style S-Expression format, which admittedly has a lot in common with XML.

Interesting. Do you have an implementation, or is it design at this stage? It ought to be possible to glue guile and OpenSSL together to evaluate it. Personally, I'd much much rather write an S-expression than write an XACML-style policy document by hand... but then I am fluent in lisp so YMMV. I think we need an IGTF working group on this. We need to get requirements from the RPs as well. At the TAGPMA meeting, David G said he'd set up a policy WG, with expressions of interest received from Tony and Scott, and *cough* myself.

>> And as I mentioned earlier, if we add it to the middleware, it is best to go as far upstream as possible - OpenSSL ideally, or Globus. Document may need tweaking depending on where we go.
>
> It will also need to work with other libraries, such as Bouncy Castle which is used for Java-based software (e.g. in gLite).

Definitely. But if OpenSSL has it, others are more likely to follow, I hope. If we need things changed, the further upstream it is changed, the wider the effect will be, but there is no single source. As long as it's compatible with other libraries in the interim. Didn't EGEE contribute Globus proxy validation code to OpenSSL?

Cheers,
--jens
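[Editor's added example, not part of the thread and not David O'Callaghan's format.] The two requirements above, a policy language simple enough for a relying party to write by hand, yet able to test key size, policy OIDs and individual extensions, and David's S-expression approach, are illustrated below with a small Python evaluator. The S-expression syntax (`and`/`or`/`not`, `key-algorithm`, `key-size OP N`, `policy-oid`, `ext NAME [critical]`) is invented here for illustration; the "certificate" is a constructed dict of facts that a real implementation would first extract with OpenSSL, Bouncy Castle or a similar library, and 1.2.840.113612.5.2.2.1 is the IGTF classic-profile policy OID. Malformed or unrecognised policies are treated as errors rather than as acceptance, so a typo in a policy fails closed.

```python
"""Tiny S-expression certificate-acceptance policy evaluator (added example).
Hypothetical syntax, not David O'Callaghan's; the "certificate" is a
constructed dict of facts, not a parsed X.509 object."""
import re

_TOKEN = re.compile(r"\(|\)|[^\s()]+")
_CMP = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b, "=": lambda a, b: a == b,
        "<=": lambda a, b: a <= b, "<": lambda a, b: a < b}


class PolicyError(ValueError):
    """Malformed or unsupported policy: the evaluator fails closed."""


def parse(text):
    """Parse exactly one S-expression into nested lists of string atoms."""
    tokens, pos = _TOKEN.findall(text), 0

    def read():
        nonlocal pos
        if pos >= len(tokens):
            raise PolicyError("unexpected end of policy")
        tok, pos = tokens[pos], pos + 1
        if tok == ")":
            raise PolicyError("unexpected ')'")
        if tok != "(":
            return tok
        items = []
        while pos < len(tokens) and tokens[pos] != ")":
            items.append(read())
        if pos >= len(tokens):
            raise PolicyError("missing ')'")
        pos += 1  # consume the closing ')'
        return items

    expr = read()
    if pos != len(tokens):
        raise PolicyError("trailing tokens after policy")
    return expr


def _atoms(op, args, *counts):
    """Check arity and require bare atoms (no nested forms) as arguments."""
    if len(args) not in counts or not all(isinstance(a, str) for a in args):
        raise PolicyError("bad arguments for %s: %r" % (op, args))
    return args


def evaluate(expr, cert):
    """Return True if the certificate facts satisfy the parsed policy."""
    if not isinstance(expr, list) or not expr or not isinstance(expr[0], str):
        raise PolicyError("expected a (predicate ...) form, got %r" % (expr,))
    op, args = expr[0], expr[1:]
    if op in ("and", "or"):
        # Eager (list, not generator): a malformed branch is always detected.
        results = [evaluate(a, cert) for a in args]
        return all(results) if op == "and" else any(results)
    if op == "not":
        if len(args) != 1:
            raise PolicyError("not takes exactly one argument")
        return not evaluate(args[0], cert)
    if op == "key-algorithm":                  # (key-algorithm RSA)
        return cert["key_algorithm"] == _atoms(op, args, 1)[0]
    if op == "key-size":                       # (key-size >= 2048)
        cmp, n = _atoms(op, args, 2)
        if cmp not in _CMP or not n.isdigit():
            raise PolicyError("key-size needs a comparison operator and a number")
        return _CMP[cmp](cert["key_size"], int(n))
    if op == "policy-oid":                     # any match in certificatePolicies
        return _atoms(op, args, 1)[0] in cert["policy_oids"]
    if op == "ext":                            # (ext name) or (ext name critical)
        args = _atoms(op, args, 1, 2)
        ext = cert["extensions"].get(args[0])
        if ext is None:
            return False
        if len(args) == 1:
            return True
        if args[1] != "critical":
            raise PolicyError("ext's second argument must be 'critical'")
        return ext["critical"]
    raise PolicyError("unknown predicate %r" % op)


def decide(policy_text, cert):
    """Return 'accept', 'reject' or 'error'; an unusable policy never accepts."""
    try:
        return "accept" if evaluate(parse(policy_text), cert) else "reject"
    except PolicyError:
        return "error"


# Example policy in the hypothetical syntax; 1.2.840.113612.5.2.2.1 is the
# IGTF classic-profile policy OID.
EXAMPLE_POLICY = """
(and (key-algorithm RSA) (key-size >= 2048)
     (policy-oid 1.2.840.113612.5.2.2.1)
     (ext basicConstraints critical) (not (ext nsCertType)))"""

# Constructed certificate facts, not real certificates.
GOOD_CERT = {"key_algorithm": "RSA", "key_size": 2048,
             "policy_oids": ["1.2.840.113612.5.2.2.1"],
             "extensions": {"basicConstraints": {"critical": True}, "keyUsage": {"critical": True}}}
WEAK_CERT = {"key_algorithm": "RSA", "key_size": 1024, "policy_oids": [],
             "extensions": {"basicConstraints": {"critical": False}, "nsCertType": {"critical": False}}}
```

Running `decide(EXAMPLE_POLICY, GOOD_CERT)` gives `accept`, the 1024-bit certificate without the policy OID gives `reject`, and a policy with a misspelt predicate such as `(key-sise >= 2048)` gives `error`. The `and`/`or` branches deliberately evaluate every sub-form instead of short-circuiting, so a broken clause is reported even when an earlier clause has already decided the outcome; a deployment would normally validate the policy once at load time rather than on every certificate.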