<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Hi Rachana,<div><span class="Apple-tab-span" style="white-space:pre"> </span>to reply to point 2.A below: it turns out that establishing mutual authentication between a client and the Attribute/Authorization service, and having white-listing, is not that difficult, and infact the latest</div><div>version of the esg-saml code (1.2.2) has working examples on how to do that. What would be the best way to integrate this into the gateway ? </div><div>Maybe posting the artifacts and the full source code into the ESGF repo @ PCMDI ? Or having a branch of the gateway cut out that we can deploy and experiment with ?</div><div><br></div><div>thanks, Luca</div><div><div><br><div><div>On Aug 3, 2010, at 11:22 AM, Rachana Ananthakrishnan wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Sharing my notes from the call.<div><br></div><div>Rachana</div><div><br></div><div>Gateway Release<br><br>1. Federation-wide Trust Root Management<br>A. Neill to send email to go-essp requesting for certiifcate<br>B. Input from Eric on where in a Gateway install you should pick up MyProxy CA and the OpenID trustroots<br>C. All Gateway and Data node owners to send the trust roots<br>D. Neill generates document with tar.gz and Java trust root<br><br>2. Gateway Attribute Service<br>A. Luca to respond on feasibility to assert a whitelist<br>B. Nathan H to work on Gateway to attribute service call use certificate for SSL handshake<br>C. Eric: PCMDI deployment does not validate client and all connections should be mutually authentication<br>D. Eric: PCMDI deployment did not return any attribute results<br>E. (?) PCMDI registration request was not unanswered. This needs to be changed to be automated.<br>F. (?) Registration currently is automatically approved, and if you know the confirmation URI, the approval can be spoofed.<br><br>3. Gateway SAML Authorization Service<br>A. Luca has tested AuthZ service at NASA, which is latest code<br>B. Data node filter updates need to be absorbed for deployment<br><br>4. Gateway WGet Scripts<br>A. Eric making progress on this, on target<br>B. Phil to follow-up on the wget parameters needed<br>C. Call to discuss the VeriSign keystore issue (Phil, Rachana, Gavin)<br><br>Data Node Release<br><br>1. Data Node Authentication/Authorization<br>A. SAML one has low priority. Use cases where we need the user attributes via the certificates, since the core attributes are pushed via OpenID, but not via PKI.<br>B. RP with email in cookie, not resolved for now<br>C. Next release: code development is done, needs script integration and installation (Stephen, Gavin & Luca)<br>D. Luca/Gavin: to test token and token-less data node install on a machine with a clean script install to test this. Gavin to setup the machine, and setup access. Install federation wide trust information to allow anyone in federation to test this.<br><br>3. Configurable Data Node Service to enable/disable token generation<br>A. Gavin: generate CSR on data node install, and has documentation on this. PCMDI as the specific contact for now.<br>B. Rachana to work with Gavin on the document outlining on how the admin can get the host certificate.<br><br>* GridFTP on lack of chroot turnkey solution is a blocker for next data node release.<br>* Attribute and authorization services need to be able to do mutual authentication and whitelist users. Blocker for next release.<br><br><div><div>On Aug 3, 2010, at 7:56 AM, <<a href="mailto:philip.kershaw@stfc.ac.uk">philip.kershaw@stfc.ac.uk</a>> <<a href="mailto:philip.kershaw@stfc.ac.uk">philip.kershaw@stfc.ac.uk</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div lang="EN-GB" link="blue" vlink="purple"><div class="Section1" style="page: Section1; "><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 11pt; font-family: Calibri, sans-serif; ">Hi all,<o:p></o:p></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 11pt; font-family: Calibri, sans-serif; "><o:p> </o:p></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 11pt; font-family: Calibri, sans-serif; ">I’ve compiled an agenda with Rachana for the call today:<o:p></o:p></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 11pt; font-family: Calibri, sans-serif; "><o:p> </o:p></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 11pt; font-family: Calibri, sans-serif; "><a href="http://proj.badc.rl.ac.uk/go-essp/wiki/CMIP5/Meetings/telco100803" style="color: blue; text-decoration: underline; ">http://proj.badc.rl.ac.uk/go-essp/wiki/CMIP5/Meetings/telco100803</a><o:p></o:p></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 11pt; font-family: Calibri, sans-serif; "><o:p> </o:p></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 11pt; font-family: Calibri, sans-serif; ">There is a lot to get through, probably more than we have time for but it’s in rough order of priority so we can see how far we get.<o:p></o:p></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 11pt; font-family: Calibri, sans-serif; "><o:p> </o:p></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 11pt; font-family: Calibri, sans-serif; ">Cheers,<o:p></o:p></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 11pt; font-family: Calibri, sans-serif; ">Phil<o:p></o:p></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 11pt; font-family: Calibri, sans-serif; "><o:p> </o:p></div></div><br><p>--<span class="Apple-converted-space"> </span><br>Scanned by iCritical.</p><br>_______________________________________________<br>GO-ESSP-TECH mailing list<br><a href="mailto:GO-ESSP-TECH@ucar.edu" style="color: blue; text-decoration: underline; ">GO-ESSP-TECH@ucar.edu</a><br><a href="http://mailman.ucar.edu/mailman/listinfo/go-essp-tech" style="color: blue; text-decoration: underline; ">http://mailman.ucar.edu/mailman/listinfo/go-essp-tech</a><br></div></span></blockquote></div><br><div> <span class="Apple-style-span" style="border-collapse: separate; font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><span class="Apple-style-span" style="border-collapse: separate; font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><span class="Apple-style-span" style="border-collapse: separate; font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><span class="Apple-style-span" style="border-collapse: separate; font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>Rachana Ananthakrishnan</div><div>Argonne National Lab | University of Chicago</div></div></span></div></span></div></span></div></span> </div><br></div></div>_______________________________________________<br>GO-ESSP-TECH mailing list<br><a href="mailto:GO-ESSP-TECH@ucar.edu">GO-ESSP-TECH@ucar.edu</a><br>http://mailman.ucar.edu/mailman/listinfo/go-essp-tech<br></blockquote></div><br></div></div></body></html>