Re: [Pgi-wg] OGF PGI - Security Model - NEW versions of GSI acceptRFC-3820-compliant X509 proxies

*Steven*: Surely it's better to focus our energies on defining a profile around the new style proxies that groups intend to support going forward?

This seems most prudent. We don't need to bend the PGI profile(s) such that every existing endpoint can be labeled "compliant". Compliant service endpoints can be rolled out incrementally as subject to implementation/budget/etc. constraints.

*Morris*: What is the chance that this VOMS 2.0 get a huge deployment in EGEE then?!

It doesn't need a huge deployment. Even a single deployment at the grid boundary will work to our ends.

-Duane

2009/4/8 Morris Riedel <m.riedel@fz-juelich.de>
Hi,
very valuable information - probably another reason for sticking to GSI unfortunately in the production space...
- VOMS 2.0 is due to be out during autumn this year.
What is the chance that this VOMS 2.0 get a huge deployment in EGEE then?!
Thanks, Morris
------------------------------------------------------------
Morris Riedel
SW - Engineer
Distributed Systems and Grid Computing Division
Jülich Supercomputing Centre (JSC)
Forschungszentrum Juelich
Wilhelm-Johnen-Str. 1
D - 52425 Juelich
Germany
Email: m.riedel@fz-juelich.de
Info: http://www.fz-juelich.de/jsc/JSCPeople/riedel
Phone: +49 2461 61 - 3651
Fax: +49 2461 61 - 6656
Skype: MorrisRiedel
"We work to better ourselves, and the rest of humanity"
Registered office: Jülich
Registered in the commercial register of the District Court of Düren, No. HR B 3498
Chair of the Supervisory Board: MinDirig'in Bärbel Brumme-Bothe
Board of Directors: Prof. Dr. Achim Bachem (Chairman), Dr. Ulrich Krafft (Deputy Chairman)
------Original Message-----
-From: pgi-wg-bounces@ogf.org [mailto:pgi-wg-bounces@ogf.org] On Behalf Of Vincenzo Ciaschini
-Sent: Wednesday, April 08, 2009 12:07 PM
-To: Etienne URBAH
-Cc: aleksandr.konstantinov@fys.uio.no; edges-na3@mail.edges-grid.eu; lodygens@lal.in2p3.fr; pgi-wg@ogf.org
-Subject: Re: [Pgi-wg] OGF PGI - Security Model - NEW versions of GSI acceptRFC-3820-compliant X509 proxies
-
-Hi Etienne,
-
-Etienne URBAH wrote:
-> Still to be verified is that VOMS servers only accept GSI-style X509
-> proxies http://forge.gridforum.org/sf/go/doc15591?nav=1
-
-VOMS accepts and generates both types of proxies. However, there is a
-caveat, which explains the failures you get:
-
-Pre VOMS 2.0:
-Server-side, VOMS uses GSI for validation. This means that if you run
-voms against gt2, contacting it with a gt4 proxy will fail.
-
-There is a final argument in the vomses file which specifies which
-version of GT the service uses, and adapts the proxies used to contact
-it accordingly. Many VOs distribute an incorrect vomses file.
-
-The final proxy obtained as output by voms-proxy-init will always be
-what you requested, in this case an rfc proxy.
-
-VOMS 2.0 onwards:
-Globus dependencies on the server will be dropped too (They are
-currently removed from both the clients and the APIs). This will mean
-that any kind of proxy, or even a bare certificate, will become
-acceptable for contacting the service. The whole vomses config business
-above will no longer be relevant.
-
-VOMS 2.0 is due to be out during autumn this year.
-
-Ciao,
- Vincenzo
-_______________________________________________
-Pgi-wg mailing list
-Pgi-wg@ogf.org
-http://www.ogf.org/mailman/listinfo/pgi-wg

Hi Duane,
-Morris: What is the chance that this VOMS 2.0 get a huge deployment in EGEE then?!
It doesn't need a huge deployment. Even a single deployment at the grid boundary will work to our ends.

I don't think so for production interop, maybe for typical OGF interop fests. But not for production applications, which are planned between DEISA and EGEE for a few use cases.

I guess one VOMS is deployed for each VO or has this changed? So it depends with the VO you are working with, e.g. FUSION interop application and their deployed VOMS service in EGEE for instance will matter for DEISA (EUFORIA work I'm involved).

The difference to OGF interop tests is that we would like to use the interop in production which is different than deploying somewhere a VOMS for special needs.

However, it might be the only solution if PGI is not coming up with agreements :-)

Take care,
Morris

From: Duane Merrill [mailto:dgm4d@virginia.edu]
Sent: Wednesday, April 08, 2009 3:42 PM
To: Morris Riedel
Cc: Vincenzo Ciaschini; Etienne URBAH; aleksandr.konstantinov@fys.uio.no; pgi-wg@ogf.org; edges-na3@mail.edges-grid.eu; lodygens@lal.in2p3.fr
Subject: Re: [Pgi-wg] OGF PGI - Security Model - NEW versions of GSI acceptRFC-3820-compliant X509 proxies

Steven: Surely it's better to focus our energies on defining a profile around the new style proxies that groups intend to support going forward?

This seems most prudent. We don't need to bend the PGI profile(s) such that every existing endpoint can be labeled "compliant". Compliant service endpoints can be rolled out incrementally as subject to implementation/budget/etc. constraints.

Morris: What is the chance that this VOMS 2.0 get a huge deployment in EGEE then?!

It doesn't need a huge deployment. Even a single deployment at the grid boundary will work to our ends.

-Duane

2009/4/8 Morris Riedel <m.riedel@fz-juelich.de>
Hi,
very valuable information - probably another reason for sticking to GSI unfortunately in the production space...
- VOMS 2.0 is due to be out during autumn this year.
What is the chance that this VOMS 2.0 get a huge deployment in EGEE then?!
Thanks, Morris