hi Etienne, Oxana, On Do, 2010-11-18 at 19:32 +0100, Oxana Smirnova wrote:
I'm no Glue expert, and can't remember whether Glue foresees different access privileges to different bits of information. There's one problem with advertising security setup in information systems:
normally, one can't access an information document without being authorised.
That is, you probably can't obtain security setup information without knowing the security setup. Kind of a bootstrap issue, admittedly.
I think that this is not so much of a problem. Let's say you can have "in-band" info systems that use the same security setup as the target services. However, you often have out-of-band info systems that use a different security setup. Usually this will be less strict, say normal HTTPS or even plain HTTP. You might even get a snipped of GLUE2 sent to you via email :-) So Etienne's approach has a lot of merits. In detail I've a couple of comments on the SSL/TLS capabilities. There are only three cases here: a1) normal SSL, i.e. server presents its certificate to the client a2) client-authenticated SSL, i.e. the client additionally MUST present a valid certificate GSI ("SSL with proxy") is not(!) SSL, and should not be on the same level. So the SSL/TLS attributes should be just security.authentication.ssl security.authentication.ssl.clientauth if you really want GSI (everybody seems to agree that it is going to be deprecated ...), you need "security.authentication.gsi" etc Best regards, Bernd.
18.11.2010 15:45, Etienne URBAH пишет:
Morris, Johannes and all,
Inside OGF PGI, I am trying to perform pragmatic work and provide proposals.
So, inside the attached 'Glue-Capability-For-Security.txt' file, I has written down a first proposal of specifications for extensions of the 'Capability_t' type of GLUE 2.0 taking into account requirements 1, 4, 163, 11 and 17.
I hope that this proposal is understandable.
Please criticize it, in order to improve it .
Best regards.
----------------------------------------------------- Etienne URBAH LAL, Univ Paris-Sud, IN2P3/CNRS Bat 200 91898 ORSAY France Tel: +33 1 64 46 84 87 Skype: etienne.urbah Mob: +33 6 22 30 53 27 mailto:urbah@lal.in2p3.fr -----------------------------------------------------
_______________________________________________ Pgi-wg mailing list Pgi-wg@ogf.org http://www.ogf.org/mailman/listinfo/pgi-wg -- Dr. Bernd Schuller Distributed Systems and Grid Computing Juelich Supercomputing Centre, http://www.fz-juelich.de/jsc Phone: +49 246161-8736 (fax -8556) Personal blog: www.jroller.com/page/gridhaus
------------------------------------------------------------------------------------------------ ------------------------------------------------------------------------------------------------ Forschungszentrum Juelich GmbH 52425 Juelich Sitz der Gesellschaft: Juelich Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498 Vorsitzender des Aufsichtsrats: MinDirig Dr. Karl Eugen Huthmacher Geschaeftsfuehrung: Prof. Dr. Achim Bachem (Vorsitzender), Dr. Ulrich Krafft (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt, Prof. Dr. Sebastian M. Schmidt ------------------------------------------------------------------------------------------------ ------------------------------------------------------------------------------------------------