Re: [Pgi-wg] OGF PGI - Security Model - NEW versions of GSI acceptRFC-3820-compliant X509 proxies

8 Apr 2009


      Hi,

 very valuable information - probably another reason for sticking to GSI
unfortunately in the production space...
...
- VOMS 2.0 is due to be out during autumn this year.
What is the chance that this VOMS 2.0 get a huge deployment in EGEE then?!

Thanks, 
Morris

------------------------------------------------------------
Morris Riedel
SW - Engineer
Distributed Systems and Grid Computing Division
Jülich Supercomputing Centre (JSC)
Forschungszentrum Juelich
Wilhelm-Johnen-Str. 1
D - 52425 Juelich
Germany

Email: m.riedel@fz-juelich.de
Info: http://www.fz-juelich.de/jsc/JSCPeople/riedel
Phone: +49 2461 61 - 3651
Fax: +49 2461 61 - 6656

Skype: MorrisRiedel

"We work to better ourselves, and the rest of humanity"

Sitz der Gesellschaft: Jülich
Eingetragen im Handelsregister des Amtsgerichts Düren Nr. HR B 3498
Vorsitzende des Aufsichtsrats: MinDirig'in Bärbel Brumme-Bothe
Vorstand: Prof. Dr. Achim Bachem (Vorsitzender), 
Dr. Ulrich Krafft (stellv. Vorsitzender)
...
------Original Message-----
-From: pgi-wg-bounces@ogf.org [mailto:pgi-wg-bounces@ogf.org] On Behalf Of
-Vincenzo Ciaschini
-Sent: Wednesday, April 08, 2009 12:07 PM
-To: Etienne URBAH
-Cc: aleksandr.konstantinov@fys.uio.no; edges-na3@mail.edges-grid.eu;
-lodygens@lal.in2p3.fr; pgi-wg@ogf.org
-Subject: Re: [Pgi-wg] OGF PGI - Security Model - NEW versions of GSI
acceptRFC-
-3820-compliant X509 proxies
-
-Hi Etienne,
-Etienne URBAH wrote:
-> Still to be verified is that VOMS servers only accept GSI-style X509
-> proxies http://forge.gridforum.org/sf/go/doc15591?nav=1
-VOMS accepts and generates both type of proxies.  However, there is a
-caveat, which explains the failures you get:
-
-Pre VOMS 2.0:
-Server-side, VOMS uses GSI for validation.  This means that if you run
-voms against gt2, contacting it with a gt4 proxy will fail.
-
-There is a final argument in the vomses file which specifies which
-version of GT the service uses, and adapts the proxies used to contact
-it accordingly.  Many VOs distribute an incorrect vomses file.
-
-The final proxy obtained as output by voms-proxy-init will always be
-what you requested, in this case a rfc proxy.
-
-VOMS 2.0 onwards:
-Globus dependencies on the server will be dropped too (They are
-corrently removed from both the clients and the APIs).  This will mean
-that any kind of proxy, or even a bare certificate, will become
-acceptable for contacting the service.  The whole vomses config business
-above will no longer be relevant.
-
-VOMS 2.0 is due to be out during autumn this year.
-
-Ciao,
-    Vincenzo
-_______________________________________________
-Pgi-wg mailing list
-Pgi-wg@ogf.org
-http://www.ogf.org/mailman/listinfo/pgi-wg