Re: [Pgi-wg] OGF PGI - Security - Interoperability in progress between EGEE and OSG (using COPS)

Dear all,

As the presenter of the authz-interop.org work, I can just confirm that both Steven and Morris are absolutely correct.

For the techies on the list: the authz-interop work addresses the exchange of attributes and obligations between a policy enforcement point and a decision point, and the communications protocol to exchange these (essentially a profile of XACML2 over SAML2). It does NOT address the 'external' interface for any service.

Best,
David "sorry, no simple solutions available yet" G.

Morris Riedel wrote:
> Exactly - from my understanding it's on a different level!
>
> ------------------------------------------------------------
> Morris Riedel
> SW - Engineer
> Distributed Systems and Grid Computing Division
>
>> -----Original Message-----
>> From: pgi-wg-bounces@ogf.org [mailto:pgi-wg-bounces@ogf.org] On Behalf Of Steven Newhouse
>> Sent: Friday, April 03, 2009 3:48 PM
>> To: Etienne Urbah; pgi-wg@ogf.org
>> Cc: edges-na3@mail.edges-grid.eu; lodygens@lal.in2p3.fr
>> Subject: Re: [Pgi-wg] OGF PGI - Security - Interoperability in progress between EGEE and OSG (using COPS)
>>
>> It is my understanding that this work addresses a very different use case than we have been discussing within PGI. It's a deployment that is encapsulated within the service infrastructure (generally within a single site) to support authorization decisions. Not the user/role driven authentication tokens that we have been discussing within PGI - our primary use case.
>>
>> Steven
>>
>> Dr Steven Newhouse
>> EGEE Technical Director
>> http://cern.ch/Steven.Newhouse
>>
>>> -----Original Message-----
>>> From: pgi-wg-bounces@ogf.org [mailto:pgi-wg-bounces@ogf.org] On Behalf Of Etienne URBAH
>>> Sent: 03 April 2009 15:38
>>> To: pgi-wg@ogf.org
>>> Cc: edges-na3@mail.edges-grid.eu; lodygens@lal.in2p3.fr
>>> Subject: [Pgi-wg] OGF PGI - Security - Interoperability in progress between EGEE and OSG (using COPS)
>>>
>>> To All,
>>>
>>> My previous mail today shows that the security work of PGI is now stuck in an irreconcilable incompatibility between:
>>> - RFC-3820-compliant X509 certificates and proxies on one part,
>>> - GSI-style X509 proxies (which can be delegated) on the other part.
>>>
>>> But there is some hope: at the last MWSG meeting in Zürich, David GROEP has given a presentation 'AuthZ Interop report', available at
>>> http://indico.cern.ch/materialDisplay.py?contribId=22&sessionId=3&materialId=slides&confId=52862
>>>
>>> This presentation describes current work in good progress, begun in 2007, on security interoperability between OSG and EGEE, with the help of the Globus and Condor teams.
>>>
>>> This work uses the Common Open Policy Service (COPS) model defined in RFC 2748 at http://tools.ietf.org/html/rfc2748
>>>
>>> COPS defines at least the following 2 concepts:
>>> - PDP = Policy Decision Point
>>> - PEP = Policy Enforcement Point
>>>
>>> Interoperability is achieved through an AuthZ Interop Profile, based on the SAML v2 profile of XACML v2.
>>>
>>> There are production deployments in OSG and EGEE.
>>>
>>> So I suggest that, before reinventing the wheel, we study in detail the above mentioned document, in order to quickly know:
>>> - The problems which they are encountering,
>>> - The solutions which they are finding,
>>> - The interoperable components which they are deploying and which we could reuse,
>>> - ...
>>>
>>> Best regards.
>>>
>>> ----------------------------------
>>> Etienne URBAH IN2P3 - LAL

--
David Groep

** Nikhef, Dutch National Institute for Sub-atomic Physics, PDP/Grid group **
** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **

-----Original Message-----
From: David Groep [mailto:davidg@nikhef.nl]
Sent: Friday, April 03, 2009 3:56 PM
To: Morris Riedel
Cc: 'Steven Newhouse'; 'Etienne Urbah'; pgi-wg@ogf.org; edges-na3@mail.edges-grid.eu; lodygens@lal.in2p3.fr
Subject: Re: [Pgi-wg] OGF PGI - Security - Interoperability in progress between EGEE and OSG (using COPS)

> Dear all,
>
> As the presenter of the authz-interop.org work, I can just confirm that both Steven and Morris are absolutely correct.
>
> For the techies on the list: the authz-interop work addresses the exchange of attributes and obligations between a policy enforcement point and a decision point, and the communications protocol to exchange these (essentially a profile of XACML2 over SAML2). It does NOT address the 'external' interface for any service.
>
> Best,
> David "sorry, no simple solutions available yet" G.
>
> Morris Riedel wrote:
>> Exactly - from my understanding it's on a different level!
Thanks for the very valuable input David!

------------------------------------------------------------
Morris Riedel
SW - Engineer
Distributed Systems and Grid Computing Division
Jülich Supercomputing Centre (JSC)
Forschungszentrum Juelich
Wilhelm-Johnen-Str. 1
D - 52425 Juelich
Germany
Email: m.riedel@fz-juelich.de
Info: http://www.fz-juelich.de/jsc/JSCPeople/riedel
Phone: +49 2461 61 - 3651
Fax: +49 2461 61 - 6656
Skype: MorrisRiedel
"We work to better ourselves, and the rest of humanity"
Registered office: Jülich
Registered in the commercial register of the Düren local court, No. HR B 3498
Chair of the supervisory board: MinDirig'in Bärbel Brumme-Bothe
Executive board: Prof. Dr. Achim Bachem (Chair), Dr. Ulrich Krafft (Deputy Chair)