Re: [Pgi-wg] Sec: Agreement on attributetransportmechanismsforAttrAuthZ

On Friday 27 March 2009 15:03, you wrote:
> Yes,
> that's what I meant. I guess we just need two because of some legacy production systems?!
>
> When I think about opening a TLS connection I think the following options exist:
>
> (A)
> I use a GSI proxy to establish a GSI-based TLS connection; each hop creates a new proxy pair.

You are falling into delegation. Should it be a different topic?

> (B)
> I use an OpenSSL proxy to establish an OpenSSL-based proxy TLS connection (which includes C); each hop creates a new proxy pair.

A TLS connection by itself can't create a *new* proxy. One needs some additional way to do that.

> (C)
> I use a full end-entity certificate to establish a TLS connection.
>
> Would you agree on this one with me, and what do others think, e.g. gLite?
>
> Thanks,
> Morris
> ------------------------------------------------------------
> Morris Riedel
> SW - Engineer
> Distributed Systems and Grid Computing Division
> Jülich Supercomputing Centre (JSC)
> Forschungszentrum Juelich
> Wilhelm-Johnen-Str. 1
> D - 52425 Juelich
> Germany
> Email: m.riedel@fz-juelich.de
> Info: http://www.fz-juelich.de/jsc/JSCPeople/riedel
> Phone: +49 2461 61 - 3651
> Fax: +49 2461 61 - 6656
> Skype: MorrisRiedel
> "We work to better ourselves, and the rest of humanity"

No, thanks.

signed,
Rest of humanity

:)

> Registered office: Jülich
> Registered in the commercial register of the Düren district court, No. HR B 3498
> Chair of the Supervisory Board: MinDirig'in Bärbel Brumme-Bothe
> Executive Board: Prof. Dr. Achim Bachem (Chairman),
> Dr. Ulrich Krafft (Deputy Chairman)
> From: weizhong qiang [mailto:weizhongqiang@gmail.com]
> Sent: Friday, March 27, 2009 1:46 PM
> To: Morris Riedel
> Cc: Aleksandr Konstantinov; pgi-wg@ogf.org
> Subject: Re: [Pgi-wg] Sec: Agreement on attributetransportmechanismsforAttrAuthZ
>
> 2009/3/27 Morris Riedel <m.riedel@fz-juelich.de>
>> Hi,
>>
>>> - Of course. "Full certificate" is just an extreme case of proxy
>>> certificate - like a table without legs.
>>
>> Unfortunately, we heard earlier that this is not generally the case, since GSI proxy-based TLS also changes the wire or handshaking process, while I agree that end-entity TLS is a subset (as a chain-length-0 proxy) of normal TLS.
>>
>> However, in practical work I have done in scenarios, I learned we have to support both. So I see that we have to support both?!
>
> There are at least two "both" from my understanding here:
> 1. In terms of the certificate itself, both full X.509 and proxy certificates; "support" means the verification of the certificate, and only the normal TLS wire protocol is used. Which you agree with from your sentence, I think.
> 2. In terms of the wire protocol, both TLS and GSI, which practically are incompatible. I guess your question is about this one. I propose we can have two profiles about this, while mentioning that the GSI (wire protocol) profile is only for legacy reasons and is not recommended.
>
> Weizhong Qiang
>
>> Take care,
>> Morris

Ok, now I also don't understand it anymore.

> You are falling into delegation. Should it be a different topic?

No - in order to create a GSI connection:
(1) First, generate a GSI proxy
(2) Use this GSI proxy to establish the GSI connection?!
Is that wrong?

Take care,
Morris

Hi,

>> (B)
>> I use an OpenSSL proxy to establish an OpenSSL-based proxy TLS connection (which includes C); each hop creates a new proxy pair.
>
> A TLS connection by itself can't create a *new* proxy. One needs some additional way to do that.

Of course, so you do:
(1) Create a new proxy using OpenSSL
(2) Use this proxy to create the TLS connection
Is that wrong?

Thanks for clarification,
Morris
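The two steps Morris describes for option (B), create a proxy with OpenSSL and then use it, and the "chain length 0" case of option (C), can be exercised with nothing but the stock OpenSSL command line. The script below is an added example, not code from the PGI-WG thread or from gLite/Globus. It builds a throwaway CA, an end-entity certificate for a user, an RFC 3820 proxy signed by that user's key, a second-hop proxy signed by the first proxy's key, and one malformed proxy, then shows which of them `openssl verify` accepts with and without proxy support switched on. "Example Grid", "Alice", "Mallory" and the CN suffixes are made-up names; the script assumes an `openssl` binary (1.1.1 or 3.x) on PATH with the usual default openssl.cnf.

```shell
#!/bin/sh
# Added example (not from the PGI-WG thread): RFC 3820 proxy certificates
# with the stock OpenSSL CLI. All material is generated in a scratch
# directory; "Example Grid", "Alice", "Mallory" and the CN suffixes are
# invented for the example.

# issue_proxy DIR ISSUER SUBJECT OUT
# Signs proxy certificate OUT with the key of ISSUER (an end-entity or an
# earlier proxy). RFC 3820 requires the subject to be the issuer's subject
# plus exactly one extra CN; SUBJECT is passed in by the caller so that a
# deliberately wrong name can be produced (see badproxy below).
issue_proxy() {
    dir=$1; issuer=$2; subject=$3; out=$4
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$out.key" \
        -out "$dir/$out.csr" -subj "$subject" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$dir/$out.csr" -CA "$dir/$issuer.pem" \
        -CAkey "$dir/$issuer.key" -CAcreateserial -days 1 \
        -extfile "$dir/proxy.ext" -out "$dir/$out.pem" >/dev/null 2>&1
}

# make_demo_pki: CA -> Alice (EE) -> proxy1 -> proxy2, plus "badproxy".
# Prints the scratch directory on stdout.
make_demo_pki() {
    dir=$(mktemp -d) || return 1

    # Root CA: a real CA (basicConstraints CA:TRUE, keyCertSign).
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -out "$dir/ca.csr" -subj "/O=Example Grid/CN=Example CA" >/dev/null 2>&1
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 30 \
        -extfile "$dir/ca.ext" -out "$dir/ca.pem" >/dev/null 2>&1

    # Alice's end-entity certificate: explicitly not a CA. digitalSignature
    # is the key usage OpenSSL requires of the issuer of a proxy certificate.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\n' \
        > "$dir/ee.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/ee.key" \
        -out "$dir/ee.csr" -subj "/O=Example Grid/CN=Alice" >/dev/null 2>&1
    openssl x509 -req -in "$dir/ee.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -extfile "$dir/ee.ext" -out "$dir/ee.pem" >/dev/null 2>&1

    # proxyCertInfo is the extension that makes a certificate a proxy;
    # id-ppl-inheritAll means "the proxy carries all rights of its issuer".
    printf 'proxyCertInfo=critical,language:id-ppl-inheritAll\nkeyUsage=critical,digitalSignature,keyEncipherment\n' \
        > "$dir/proxy.ext"

    # Hop 1: Alice's own key signs a proxy (subject = Alice's DN + one CN).
    issue_proxy "$dir" ee     "/O=Example Grid/CN=Alice/CN=1234"         proxy1
    # Hop 2: the proxy's key signs the next proxy (delegation along a chain).
    issue_proxy "$dir" proxy1 "/O=Example Grid/CN=Alice/CN=1234/CN=5678" proxy2
    # Malformed: Alice's key and proxyCertInfo, but subject is not "issuer + CN".
    issue_proxy "$dir" ee     "/O=Example Grid/CN=Mallory"               badproxy

    echo "$dir"
}

# verify_ee DIR: the end-entity alone, as any plain TLS validator sees it.
verify_ee() { openssl verify -CAfile "$1/ca.pem" "$1/ee.pem" >/dev/null 2>&1; }

# verify_proxy DIR LEAF [extra openssl verify flags...]
# Chain = LEAF -> (proxy1) -> ee -> ca. ee and proxy1 are offered as
# untrusted intermediates; ca is the only trust anchor.
verify_proxy() {
    dir=$1; leaf=$2; shift 2
    openssl verify -CAfile "$dir/ca.pem" -untrusted "$dir/ee.pem" \
        -untrusted "$dir/proxy1.pem" "$@" "$dir/$leaf.pem" >/dev/null 2>&1
}

# show LABEL CMD...: print whether the validator accepted the chain.
show() {
    label=$1; shift
    if "$@"; then echo "accepted: $label"; else echo "rejected: $label"; fi
}

# Stand-alone run: sh proxy_demo.sh demo
demo() {
    d=$(make_demo_pki) || { echo "could not build demo PKI"; return 1; }
    show "EE alone, plain validation (chain length 0)" verify_ee "$d"
    show "proxy1, validator without proxy support"      verify_proxy "$d" proxy1
    show "proxy1, -allow_proxy_certs"                   verify_proxy "$d" proxy1 -allow_proxy_certs
    show "proxy2 (second hop), -allow_proxy_certs"      verify_proxy "$d" proxy2 -allow_proxy_certs
    show "badproxy (subject != issuer + CN)"            verify_proxy "$d" badproxy -allow_proxy_certs
    rm -rf "$d"
}
case "${1:-}" in demo) demo ;; esac
```

Run it as `sh proxy_demo.sh demo`. The accept/reject pattern is the practical content of the thread: a validator that only knows plain TLS accepts Alice's end-entity certificate (the chain-length-0 case) but rejects every proxy until proxy support is switched on explicitly (`-allow_proxy_certs` on the command line, `X509_V_FLAG_ALLOW_PROXY_CERTS` in code), and even then it enforces the RFC 3820 naming rule, which is why `badproxy` is rejected although Alice's key did sign it. Each delegation hop is a fresh key pair signed by the previous hop's key, produced outside the handshake, which is Aleksandr's point that a TLS connection by itself cannot create a new proxy. This covers only Weizhong's first "both" (certificate types over normal TLS); the separate GSI wire-protocol profile he describes as incompatible with TLS is not something the plain OpenSSL tools reproduce.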
participants (2)
- Aleksandr Konstantinov
- Morris Riedel