[Go-essp-tech] Agenda for Security Telco Today

Rachana Ananthakrishnan ranantha at mcs.anl.gov
Tue Aug 3 11:22:33 MDT 2010


Sharing my notes from the call.

Rachana

Gateway Release

1. Federation-wide Trust Root Management
A. Neill to send email to go-essp requesting for certificate
B. Input from Eric on where in a Gateway install you should pick up  
MyProxy CA and the OpenID trustroots
C. All Gateway and Data node owners to send the trust roots
D. Neill generates document with tar.gz and Java trust root

2. Gateway Attribute Service
A. Luca to respond on feasibility to assert a whitelist
B. Nathan H to work on Gateway to attribute service call use  
certificate for SSL handshake
C. Eric: PCMDI deployment does not validate client and all connections  
should be mutually authenticated
D. Eric: PCMDI deployment did not return any attribute results
E. (?) PCMDI registration request was not unanswered. This needs to be  
changed to be automated.
F. (?) Registration currently is automatically approved, and if you  
know the confirmation URI, the approval can be spoofed.

3. Gateway SAML Authorization Service
A. Luca has tested AuthZ service at NASA, which is latest code
B. Data node filter updates need to be absorbed for deployment

4. Gateway WGet Scripts
A. Eric making progress on this, on target
B. Phil to follow-up on the wget parameters needed
C. Call to discuss the VeriSign keystore issue (Phil, Rachana, Gavin)

Data Node Release

1. Data Node Authentication/Authorization
A. SAML one has low priority. Use cases where we need the user  
attributes via the certificates, since the core attributes are pushed  
via OpenID, but not via PKI.
B. RP with email in cookie, not resolved for now
C. Next release: code development is done, needs script integration  
and installation (Stephen, Gavin & Luca)
D. Luca/Gavin: to test token and token-less data node install on a  
machine with a clean script install to test this. Gavin to setup the  
machine, and setup access. Install federation wide trust information  
to allow anyone in federation to test this.

3. Configurable Data Node Service to enable/disable token generation
A. Gavin: generate CSR on data node install, and has documentation on  
this. PCMDI as the specific contact for now.
B. Rachana to work with Gavin on the document outlining how the  
admin can get the host certificate.

* GridFTP on lack of chroot turnkey solution is a blocker for next  
data node release.
* Attribute and authorization services need to be able to do mutual  
authentication and whitelist users. Blocker for next release.

On Aug 3, 2010, at 7:56 AM, <philip.kershaw at stfc.ac.uk> wrote:

> Hi all,
>
> I’ve compiled an agenda with Rachana for the call today:
>
> http://proj.badc.rl.ac.uk/go-essp/wiki/CMIP5/Meetings/telco100803
>
> There is a lot to get through, probably more than we have time for  
> but it’s in rough order of priority so we can see how far we get.
>
> Cheers,
> Phil

Rachana Ananthakrishnan
Argonne National Lab | University of Chicago
