Re: [Pgi-wg] OGF PGI - Security Strawman
Since we are talking about dynamically advertising the requirements of services (and not clients) within hypothetical information services, we should talk explicily about "service plumbing" and not "client plumbing". For example: - Service endpoint *requires *xyz (e.g., delegation-step, WS-Addressing reference parameters, TLS mutual authentication, etc.) - Service endpoint *can accept* xyz (e.g., TLS proxy-path-validation, SOAP WS-S proxy-path-validation, PGI VOMS-ACs, PGI SAML ACs, TLS client-anonymous authentication, etc) It is implicit that we will be putting in effort to implement clients that fit within the realm of options provided by the services that those clients intend to use. (And it is has become clear from several from these email threads which services those are.) Thus "grid islands" become "grid DAGs". -Duane 2009/3/27 Morris Riedel <m.riedel@fz-juelich.de>
Hi,
- Currently all sentence are read on this mailing lists looked like requiring only listed options to be used for authorization. And this is wrong from my point of view.
I refer to two different plumbings nothing more. This already narrows down the thousand other possibilities...
Take care, Morris
------------------------------------------------------------ Morris Riedel SW - Engineer Distributed Systems and Grid Computing Division Jülich Supercomputing Centre (JSC) Forschungszentrum Juelich Wilhelm-Johnen-Str. 1 D - 52425 Juelich Germany
Email: m.riedel@fz-juelich.de Info: http://www.fz-juelich.de/jsc/JSCPeople/riedel Phone: +49 2461 61 - 3651 Fax: +49 2461 61 - 6656
Skype: MorrisRiedel
"We work to better ourselves, and the rest of humanity"
Sitz der Gesellschaft: Jülich Eingetragen im Handelsregister des Amtsgerichts Düren Nr. HR B 3498 Vorsitzende des Aufsichtsrats: MinDirig'in Bärbel Brumme-Bothe Vorstand: Prof. Dr. Achim Bachem (Vorsitzender), Dr. Ulrich Krafft (stellv. Vorsitzender)
------Original Message----- -From: Aleksandr Konstantinov [mailto:aleksandr.konstantinov@fys.uio.no]
-Sent: Friday, March 27, 2009 2:40 PM >-To: Morris Riedel -Cc: pgi-wg@ogf.org -Subject: Re: [Pgi-wg] OGF PGI - Security Strawman -
-On Friday 27 March 2009 14:39, Morris Riedel wrote: >-> But Aleksandr - I think we all agree to the VOMS scenario - come on that’s -> something where we can't go currently... :-) - -As I already said I'm not suggesting to profile other information whihc can be used -for authorization. -I said that such information should not be disallowed. Just write profile in such way -that other options -are up to deployment. Currently all sentence are read on this mailing lists looked like -requiring only -listed options to be used for authorization. And this is wrong from my point of view. - - -A.K. - - - -> -> ------------------------------------------------------------ -> Morris Riedel -> SW - Engineer -> Distributed Systems and Grid Computing Division -> Jülich Supercomputing Centre (JSC) -> Forschungszentrum Juelich -> Wilhelm-Johnen-Str. 1 -> D - 52425 Juelich -> Germany -> -> Email: m.riedel@fz-juelich.de -> Info: http://www.fz-juelich.de/jsc/JSCPeople/riedel -> Phone: +49 2461 61 - 3651 -> Fax: +49 2461 61 - 6656 -> -> Skype: MorrisRiedel -> -> "We work to better ourselves, and the rest of humanity" -> -> Sitz der Gesellschaft: Jülich -> Eingetragen im Handelsregister des Amtsgerichts Düren Nr. HR B 3498 -> Vorsitzende des Aufsichtsrats: MinDirig'in Bärbel Brumme-Bothe -> Vorstand: Prof. Dr. Achim Bachem (Vorsitzender), -> Dr. Ulrich Krafft (stellv. Vorsitzender) -> -> -> >------Original Message----- -> >-From: Aleksandr Konstantinov [mailto:aleksandr.konstantinov@fys.uio.no] -> >-Sent: Friday, March 27, 2009 1:29 PM -> >-To: Morris Riedel -> >-Subject: Re: [Pgi-wg] OGF PGI - Security Strawman -> >- -> >-On Friday 27 March 2009 12:24, you wrote: -> >-> Aleksandr, -> >-> -> >-> could you give me one example for this: -> >-> -> >-> >- I do support idea of attribute based authorization. But can't -> understand -> >-> why other information authenticating the client should be disallowed -> from -> >-> making authorization decision. -> >-> -> >-> -> >-> I seek to understand what you mean. -> >- -> >- -> >-Most brutal example would be DN of X.509 certificate. -> >-More sophisticated could be distrust of specific computing resource for -> specific -> >-VOMS service. -> >- -> >-A.K.
->
Pgi-wg mailing list Pgi-wg@ogf.org http://www.ogf.org/mailman/listinfo/pgi-wg
Service/Client plumbings? I rather refer to: 3 suggested Authentication Plumbings 2 suggested Authorization Plumbings Take care, Morris ------------------------------------------------------------ Morris Riedel SW - Engineer Distributed Systems and Grid Computing Division Jülich Supercomputing Centre (JSC) Forschungszentrum Juelich Wilhelm-Johnen-Str. 1 D - 52425 Juelich Germany Email: m.riedel@fz-juelich.de Info: http://www.fz-juelich.de/jsc/JSCPeople/riedel Phone: +49 2461 61 - 3651 Fax: +49 2461 61 - 6656 Skype: MorrisRiedel "We work to better ourselves, and the rest of humanity" Sitz der Gesellschaft: Jülich Eingetragen im Handelsregister des Amtsgerichts Düren Nr. HR B 3498 Vorsitzende des Aufsichtsrats: MinDirig'in Bärbel Brumme-Bothe Vorstand: Prof. Dr. Achim Bachem (Vorsitzender), Dr. Ulrich Krafft (stellv. Vorsitzender) From: Duane Merrill [mailto:dgm4d@virginia.edu] Sent: Friday, March 27, 2009 3:50 PM To: Morris Riedel Cc: Aleksandr Konstantinov; pgi-wg@ogf.org Subject: Re: [Pgi-wg] OGF PGI - Security Strawman Since we are talking about dynamically advertising the requirements of services (and not clients) within hypothetical information services, we should talk explicily about "service plumbing" and not "client plumbing". For example: * Service endpoint requires xyz (e.g., delegation-step, WS-Addressing reference parameters, TLS mutual authentication, etc.) * Service endpoint can accept xyz (e.g., TLS proxy-path-validation, SOAP WS-S proxy-path-validation, PGI VOMS-ACs, PGI SAML ACs, TLS client-anonymous authentication, etc) It is implicit that we will be putting in effort to implement clients that fit within the realm of options provided by the services that those clients intend to use. (And it is has become clear from several from these email threads which services those are.) Thus "grid islands" become "grid DAGs". -Duane 2009/3/27 Morris Riedel <m.riedel@fz-juelich.de> Hi,
- Currently all sentence are read on this mailing lists looked like
requiring only listed options to be used for authorization. And this is wrong from my point of view. I refer to two different plumbings nothing more. This already narrows down the thousand other possibilities... Take care, Morris ------------------------------------------------------------ Morris Riedel SW - Engineer Distributed Systems and Grid Computing Division Jülich Supercomputing Centre (JSC) Forschungszentrum Juelich Wilhelm-Johnen-Str. 1 D - 52425 Juelich Germany Email: m.riedel@fz-juelich.de Info: http://www.fz-juelich.de/jsc/JSCPeople/riedel Phone: +49 2461 61 - 3651 Fax: +49 2461 61 - 6656 Skype: MorrisRiedel "We work to better ourselves, and the rest of humanity" Sitz der Gesellschaft: Jülich Eingetragen im Handelsregister des Amtsgerichts Düren Nr. HR B 3498 Vorsitzende des Aufsichtsrats: MinDirig'in Bärbel Brumme-Bothe Vorstand: Prof. Dr. Achim Bachem (Vorsitzender), Dr. Ulrich Krafft (stellv. Vorsitzender)
------Original Message-----
-From: Aleksandr Konstantinov [mailto:aleksandr.konstantinov@fys.uio.no]
-Sent: Friday, March 27, 2009 2:40 PM
-To: Morris Riedel
-Cc: pgi-wg@ogf.org
-Subject: Re: [Pgi-wg] OGF PGI - Security Strawman
-
-On Friday 27 March 2009 14:39, Morris Riedel wrote:
-> But Aleksandr - I think we all agree to the VOMS scenario - come on
thats
-> something where we can't go currently... :-)
-
-As I already said I'm not suggesting to profile other information whihc
can be used
-for authorization.
-I said that such information should not be disallowed. Just write profile
in such way
-that other options
-are up to deployment. Currently all sentence are read on this mailing
lists looked like
-requiring only
-listed options to be used for authorization. And this is wrong from my
point of view.
-
-
-A.K.
-
-
-
->
-> ------------------------------------------------------------
-> Morris Riedel
-> SW - Engineer
-> Distributed Systems and Grid Computing Division
-> Jülich Supercomputing Centre (JSC)
-> Forschungszentrum Juelich
-> Wilhelm-Johnen-Str. 1
-> D - 52425 Juelich
-> Germany
->
-> Email: m.riedel@fz-juelich.de
-> Phone: +49 2461 61 - 3651
-> Fax: +49 2461 61 - 6656
->
-> Skype: MorrisRiedel
->
-> "We work to better ourselves, and the rest of humanity"
->
-> Sitz der Gesellschaft: Jülich
-> Eingetragen im Handelsregister des Amtsgerichts Düren Nr. HR B 3498
-> Vorsitzende des Aufsichtsrats: MinDirig'in Bärbel Brumme-Bothe
-> Vorstand: Prof. Dr. Achim Bachem (Vorsitzender),
-> Dr. Ulrich Krafft (stellv. Vorsitzender)
->
->
-> >------Original Message-----
-> >-From: Aleksandr Konstantinov
[mailto:aleksandr.konstantinov@fys.uio.no]
-> >-Sent: Friday, March 27, 2009 1:29 PM
-> >-To: Morris Riedel
-> >-Subject: Re: [Pgi-wg] OGF PGI - Security Strawman
-> >-
-> >-On Friday 27 March 2009 12:24, you wrote:
-> >-> Aleksandr,
-> >->
-> >-> could you give me one example for this:
-> >->
-> >-> >- I do support idea of attribute based authorization. But can't
-> understand
-> >-> why other information authenticating the client should be disallowed
-> from
-> >-> making authorization decision.
-> >->
-> >->
-> >-> I seek to understand what you mean.
-> >-
-> >-
-> >-Most brutal example would be DN of X.509 certificate.
-> >-More sophisticated could be distrust of specific computing resource
for
-> specific
-> >-VOMS service.
-> >-
-> >-A.K.
->
_______________________________________________ Pgi-wg mailing list Pgi-wg@ogf.org http://www.ogf.org/mailman/listinfo/pgi-wg
participants (2)
-
Duane Merrill -
Morris Riedel