
Duane Merrill wrote:
Forgive me for pushing my logic to the extreme; I do realize that ARC/gLite/Naregi are similar enough that they could be congealed to constitute a "grid island" with some degree of effort. [...] The operative phrase being "the amount of effort we are willing to invest". Perhaps we should survey *that*.
This "all-or-nothing" attitude was precisely what I was trying to avoid when I (and others like me) initially thought about having a small set of different security profiles. There are simply things which we (and others) can't change overnight, as we work on middlewares whose development is constrained in different ways. There's not much that we can do to change these constraints in the short term.

Sure, we could develop a new (e.g.) CREAM-BES service which is completely unrelated to the legacy CREAM, so that we can get rid of every legacy component and implement whatever security mechanism we agree on. Whether we have the resources to do that is a question I'm not entitled to answer, but my guess is that we don't (again, things may change in the future).

So, achieving full interoperability between ARC/glite/naregi would be a success for me. Knowing that, by only getting rid of VOMS proxies and using SAML assertions we could get full interoperability with UNICORE and other similar middlewares is equally a success. Having to build adapters to translate (if possible) credentials in different formats is a compromise which is more reasonable than having to wait for all the middlewares of the world to move towards a common security infrastructure. Maybe this will happen, but I don't know whether I will still be around by then.

Moreno.

--
Moreno Marzolla
INFN Sezione di Padova, via Marzolo 8, 35131 PADOVA, Italy
EMail: moreno.marzolla@pd.infn.it
Phone: +39 049 8277103
WWW : http://www.dsi.unive.it/~marzolla
Fax : +39 049 8756233