Re: [Pgi-wg] Sec: Agreement on attributetransportmechanismsforAttrAuthZ

2009/3/27 Morris Riedel <m.riedel@fz-juelich.de>
Hi,
- Of course. "Full certificate" is just an extreme case of proxy certificate - like table without legs.
Unfortunately, we heard earlier that this is not generally the case, since GSI proxy-based TLS also changes the wire or handshaking process, while I agree that end-entity TLS is a subset (as a chain-length-0 proxy) of normal TLS.
However, in practical work I have done in scenarios, I learned we have to support both. So I see that we have to support both?!
There are at least two "both" from my understanding here:
1. In terms of the certificate itself, both full X.509 and proxy certificates; and support means the verification of the certificate, and only the normal TLS wire protocol is used. Which you agree with, judging from your sentence, I think.
2. In terms of the wire protocol, both TLS and GSI, which practically are incompatible. I guess your question is about this one. I propose we can have two profiles about this, while mentioning that the GSI (wire protocol) profile is only for legacy reasons and is not recommended.
Weizhong Qiang
Take care, Morris

Yes, that's what I meant. I guess we just need two because of some legacy production systems?!

When I think about opening a TLS connection, I think the following options exist:
(A) I use a GSI proxy to establish a GSI-based TLS connection; each hop creates a new proxy-pair.
(B) I use an OpenSSL proxy to establish an OpenSSL-based proxy TLS connection (which included C); each hop creates a new proxy-pair.
(C) I use a full end-entity certificate to establish a TLS connection.

Would you agree on this one with me, and what do others think, e.g. gLite?

Thanks,
Morris
------------------------------------------------------------
Morris Riedel
SW - Engineer
Distributed Systems and Grid Computing Division
Jülich Supercomputing Centre (JSC)
Forschungszentrum Juelich
Wilhelm-Johnen-Str. 1
D - 52425 Juelich
Germany
Email: m.riedel@fz-juelich.de
Info: http://www.fz-juelich.de/jsc/JSCPeople/riedel
Phone: +49 2461 61 - 3651
Fax: +49 2461 61 - 6656
Skype: MorrisRiedel
"We work to better ourselves, and the rest of humanity"
Registered office: Jülich
Registered in the commercial register of the Düren district court, no. HR B 3498
Chairwoman of the Supervisory Board: MinDirig'in Bärbel Brumme-Bothe
Executive Board: Prof. Dr. Achim Bachem (Chairman), Dr. Ulrich Krafft (Deputy Chairman)

From: weizhong qiang [mailto:weizhongqiang@gmail.com]
Sent: Friday, March 27, 2009 1:46 PM
To: Morris Riedel
Cc: Aleksandr Konstantinov; pgi-wg@ogf.org
Subject: Re: [Pgi-wg] Sec: Agreement on attributetransportmechanismsforAttrAuthZ
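The verification-level "both" discussed in this thread (plain TLS carrying either a full end-entity certificate or an RFC 3820 proxy chain, with the end-entity-only case being the chain-length-0 proxy) as an added example, not code from the thread or from any PGI implementation: a simplified Python model of the RFC 3820 chain checks a relying party applies after normal path validation. The `Cert` type, the DNs and the sample chain are constructed stand-ins, not parsed X.509; signature verification and CA validation are assumed to happen elsewhere.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

RDN = Tuple[str, str]  # one DN component, e.g. ("CN", "alice")

@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed fields, not parsed DER)."""
    subject: Tuple[RDN, ...]
    issuer: Tuple[RDN, ...]
    is_proxy: bool = False          # True when a ProxyCertInfo extension is present
    path_len: Optional[int] = None  # pCPathLenConstraint; None means unlimited
    is_ca: bool = False             # basicConstraints cA flag

def validate_proxy_chain(chain: Sequence[Cert]) -> Tuple[bool, str]:
    """Apply the RFC 3820 rules to chain[0] (end-entity cert, assumed already validated up to its
    CA and signature-checked) followed by zero or more proxies, signer first: each proxy is issued
    by the previous cert, its subject is that DN plus one CN, it is not a CA, path length holds."""
    if not chain:
        return False, "empty chain"
    ee = chain[0]
    if ee.is_proxy or ee.is_ca:
        return False, "chain must start with a non-proxy end-entity certificate"
    remaining: Optional[int] = None  # proxies still permitted below the current cert
    prev = ee
    for depth, cert in enumerate(chain[1:], start=1):
        if not cert.is_proxy or cert.is_ca:
            return False, f"proxy {depth}: no ProxyCertInfo, or cA flag set"
        if remaining is not None and remaining < 1:
            return False, f"proxy {depth}: exceeds an earlier pCPathLenConstraint"
        if cert.issuer != prev.subject:
            return False, f"proxy {depth}: issuer is not the previous certificate"
        if (len(cert.subject) != len(prev.subject) + 1 or cert.subject[:-1] != prev.subject
                or cert.subject[-1][0] != "CN"):
            return False, f"proxy {depth}: subject must be issuer DN plus exactly one CN"
        if remaining is not None:
            remaining -= 1            # this hop consumes one level of the allowance
        if cert.path_len is not None:  # a proxy can only tighten the limit, never widen it
            remaining = cert.path_len if remaining is None else min(remaining, cert.path_len)
        prev = cert
    return True, f"valid: {len(chain) - 1} proxy hop(s) (0 means plain end-entity TLS)"

# Constructed sample chain: CA -> alice (EE) -> proxy-1 (allows 1 more) -> proxy-2 -> proxy-3
CA_DN = (("C", "DE"), ("O", "Example Grid CA"))
EE_DN = (("C", "DE"), ("O", "Example Grid"), ("CN", "alice"))
EE = Cert(subject=EE_DN, issuer=CA_DN)
PROXY1 = Cert(subject=EE_DN + (("CN", "proxy-1"),), issuer=EE_DN, is_proxy=True, path_len=1)
PROXY2 = Cert(subject=PROXY1.subject + (("CN", "proxy-2"),), issuer=PROXY1.subject, is_proxy=True)
PROXY3 = Cert(subject=PROXY2.subject + (("CN", "proxy-3"),), issuer=PROXY2.subject, is_proxy=True)
BAD_OU = Cert(subject=EE_DN + (("OU", "proxy"),), issuer=EE_DN, is_proxy=True)  # wrong RDN type
```

`validate_proxy_chain([EE])` accepts the full-certificate case with no proxy logic involved, which is the sense in which end-entity TLS is the chain-length-0 subset; the GSI wire-protocol variant is a separate handshake and is not modelled here.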