OGF PGI - GLUE Capability for Security - First proposal of specification
Morris, Johannes and all, Inside OGF PGI, I am trying to perform pragmatic work and provide proposals. So, inside the attached 'Glue-Capability-For-Security.txt' file, I has written down a first proposal of specifications for extensions of the 'Capability_t' type of GLUE 2.0 taking into account requirements 1, 4, 163, 11 and 17. I hope that this proposal is understandable. Please criticize it, in order to improve it . Best regards. ----------------------------------------------------- Etienne URBAH LAL, Univ Paris-Sud, IN2P3/CNRS Bat 200 91898 ORSAY France Tel: +33 1 64 46 84 87 Skype: etienne.urbah Mob: +33 6 22 30 53 27 mailto:urbah@lal.in2p3.fr -----------------------------------------------------
Morris, Johannes and all, OGF GLUE 2.0 (GFD.147) specifies that : - Grid clients communicate with grid services through endpoints modeled by the 'Endpoint' class. - This 'Endpoint' class has a 'Capability' multi-valued attribute using value listed in the open 'Capability_t' type. Extension of this 'Capability_t' type would permit the 'Capability' attribute to publish the precise security setup of the endpoint. Please find in the attached 'Glue-Capability-For-Security.txt' file an update of the proposal sent in my previous mail It is also available at http://forge.gridforum.org/sf/go/doc16157?nav=1 Thank you in advance for studying this proposal and criticizing it, in order to improve it. Best regards Etienne URBAH On Thu, 18/11/2010 15:45, Etienne URBAH wrote:
Morris, Johannes and all,
Inside OGF PGI, I am trying to perform pragmatic work and provide technical proposals.
So, inside the attached 'Glue-Capability-For-Security.txt' file, I has written down a first proposal of specifications for extensions of the 'Capability_t' type of GLUE 2.0 taking into account requirements 1, 4, 163, 11 and 17.
I hope that this proposal is understandable.
Please criticize it in order to improve it.
Best regards.
----------------------------------------------------- Etienne URBAH LAL, Univ Paris-Sud, IN2P3/CNRS Bat 200 91898 ORSAY France Tel: +33 1 64 46 84 87 Skype: etienne.urbah Mob: +33 6 22 30 53 27 mailto:urbah@lal.in2p3.fr -----------------------------------------------------
Hi Etienne, all I'm no Glue expert, and can't remember whether Glue foresees different access privileges to different bits of information. There's one problem with advertising security setup in information systems: normally, one can't access an information document without being authorised. That is, you probably can't obtain security setup information without knowing the security setup. Kind of a bootstrap issue, admittedly. Cheers, Oxana 18.11.2010 15:45, Etienne URBAH пишет:
Morris, Johannes and all,
Inside OGF PGI, I am trying to perform pragmatic work and provide proposals.
So, inside the attached 'Glue-Capability-For-Security.txt' file, I has written down a first proposal of specifications for extensions of the 'Capability_t' type of GLUE 2.0 taking into account requirements 1, 4, 163, 11 and 17.
I hope that this proposal is understandable.
Please criticize it, in order to improve it .
Best regards.
----------------------------------------------------- Etienne URBAH LAL, Univ Paris-Sud, IN2P3/CNRS Bat 200 91898 ORSAY France Tel: +33 1 64 46 84 87 Skype: etienne.urbah Mob: +33 6 22 30 53 27 mailto:urbah@lal.in2p3.fr -----------------------------------------------------
_______________________________________________ Pgi-wg mailing list Pgi-wg@ogf.org http://www.ogf.org/mailman/listinfo/pgi-wg
hi Etienne, Oxana, On Do, 2010-11-18 at 19:32 +0100, Oxana Smirnova wrote:
I'm no Glue expert, and can't remember whether Glue foresees different access privileges to different bits of information. There's one problem with advertising security setup in information systems:
normally, one can't access an information document without being authorised.
That is, you probably can't obtain security setup information without knowing the security setup. Kind of a bootstrap issue, admittedly.
I think that this is not so much of a problem. Let's say you can have "in-band" info systems that use the same security setup as the target services. However, you often have out-of-band info systems that use a different security setup. Usually this will be less strict, say normal HTTPS or even plain HTTP. You might even get a snipped of GLUE2 sent to you via email :-) So Etienne's approach has a lot of merits. In detail I've a couple of comments on the SSL/TLS capabilities. There are only three cases here: a1) normal SSL, i.e. server presents its certificate to the client a2) client-authenticated SSL, i.e. the client additionally MUST present a valid certificate GSI ("SSL with proxy") is not(!) SSL, and should not be on the same level. So the SSL/TLS attributes should be just security.authentication.ssl security.authentication.ssl.clientauth if you really want GSI (everybody seems to agree that it is going to be deprecated ...), you need "security.authentication.gsi" etc Best regards, Bernd.
18.11.2010 15:45, Etienne URBAH пишет:
Morris, Johannes and all,
Inside OGF PGI, I am trying to perform pragmatic work and provide proposals.
So, inside the attached 'Glue-Capability-For-Security.txt' file, I has written down a first proposal of specifications for extensions of the 'Capability_t' type of GLUE 2.0 taking into account requirements 1, 4, 163, 11 and 17.
I hope that this proposal is understandable.
Please criticize it, in order to improve it .
Best regards.
----------------------------------------------------- Etienne URBAH LAL, Univ Paris-Sud, IN2P3/CNRS Bat 200 91898 ORSAY France Tel: +33 1 64 46 84 87 Skype: etienne.urbah Mob: +33 6 22 30 53 27 mailto:urbah@lal.in2p3.fr -----------------------------------------------------
_______________________________________________ Pgi-wg mailing list Pgi-wg@ogf.org http://www.ogf.org/mailman/listinfo/pgi-wg -- Dr. Bernd Schuller Distributed Systems and Grid Computing Juelich Supercomputing Centre, http://www.fz-juelich.de/jsc Phone: +49 246161-8736 (fax -8556) Personal blog: www.jroller.com/page/gridhaus
------------------------------------------------------------------------------------------------ ------------------------------------------------------------------------------------------------ Forschungszentrum Juelich GmbH 52425 Juelich Sitz der Gesellschaft: Juelich Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498 Vorsitzender des Aufsichtsrats: MinDirig Dr. Karl Eugen Huthmacher Geschaeftsfuehrung: Prof. Dr. Achim Bachem (Vorsitzender), Dr. Ulrich Krafft (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt, Prof. Dr. Sebastian M. Schmidt ------------------------------------------------------------------------------------------------ ------------------------------------------------------------------------------------------------
Bernd, Oxana and all, Concerning a proposal of specification on GLUE Capability for Security : Lot of thanks to Oxana and Bernd for their contribution. 'In-band' and public GLUE views ------------------------------- I fully agree with Bernd that several different views will be published for GLUE information : - 1 'in-band' GLUE view requesting client credentials (through LDAPS, HTTPS, ...), and providing detailed information according to the access rights of the client, - 1 public GLUE view (through LDAP, HTTP) providing only public information (including the security setup of the 'in-band' GLUE view). At OGF30 in Brussels, JP Navarro explained that TeraGrid is implementing a FLAT XML rendering for several reasons, in particular to ease the publication of these different views. See slide 4 at http://forge.gridforum.org/sf/go/doc16099 'Capability_t' type of GLUE 2.0 for security -------------------------------------------- I agree with Bernd, and I have updated my proposal in the attached 'Glue-Capability-For-Security.txt' file, which is also available at http://forge.gridforum.org/sf/go/doc16157 Thank you in advance for studying this proposal and criticizing it, in order to improve it. Best regards. ----------------------------------------------------- Etienne URBAH LAL, Univ Paris-Sud, IN2P3/CNRS Bat 200 91898 ORSAY France Tel: +33 1 64 46 84 87 Skype: etienne.urbah Mob: +33 6 22 30 53 27 mailto:urbah@lal.in2p3.fr ----------------------------------------------------- On Thu, 18/11/2010 20:45, Bernd Schuller wrote:
hi Etienne, Oxana,
On Do, 2010-11-18 at 19:32 +0100, Oxana Smirnova wrote:
I'm no Glue expert, and can't remember whether Glue foresees different access privileges to different bits of information. There's one problem with advertising security setup in information systems:
normally, one can't access an information document without being authorised.
That is, you probably can't obtain security setup information without knowing the security setup. Kind of a bootstrap issue, admittedly.
I think that this is not so much of a problem. Let's say you can have "in-band" info systems that use the same security setup as the target services. However, you often have out-of-band info systems that use a different security setup. Usually this will be less strict, say normal HTTPS or even plain HTTP. You might even get a snipped of GLUE2 sent to you via email :-)
So Etienne's approach has a lot of merits.
In detail I've a couple of comments on the SSL/TLS capabilities. There are only three cases here: a1) normal SSL, i.e. server presents its certificate to the client a2) client-authenticated SSL, i.e. the client additionally MUST present a valid certificate
GSI ("SSL with proxy") is not(!) SSL, and should not be on the same level.
So the SSL/TLS attributes should be just security.authentication.ssl security.authentication.ssl.clientauth
if you really want GSI (everybody seems to agree that it is going to be deprecated ...), you need "security.authentication.gsi" etc
Best regards, Bernd.
18.11.2010 15:45, Etienne URBAH wrote:
Morris, Johannes and all,
Inside OGF PGI, I am trying to perform pragmatic work and provide constructive proposals.
So, inside the attached 'Glue-Capability-For-Security.txt' file, I has written down a first proposal of specifications for extensions of the 'Capability_t' type of GLUE 2.0 taking into account requirements 1, 4, 163, 11 and 17.
I hope that this proposal is understandable.
Please criticize it, in order to improve it .
Best regards.
----------------------------------------------------- Etienne URBAH LAL, Univ Paris-Sud, IN2P3/CNRS Bat 200 91898 ORSAY France Tel: +33 1 64 46 84 87 Skype: etienne.urbah Mob: +33 6 22 30 53 27 mailto:urbah@lal.in2p3.fr -----------------------------------------------------
participants (3)
-
Bernd Schuller -
Etienne URBAH -
Oxana Smirnova