[Go-essp-tech] Agenda for Security Telco Today

Cinquini, Luca (3880) Luca.Cinquini at jpl.nasa.gov
Tue Aug 3 17:15:29 MDT 2010


Hi Rachana,
to reply to point 2.A below: it turns out that establishing mutual authentication between a client and the Attribute/Authorization service, and having white-listing, is not that difficult, and in fact the latest version of the esg-saml code (1.2.2) has working examples on how to do that. What would be the best way to integrate this into the gateway? Maybe posting the artifacts and the full source code into the ESGF repo @ PCMDI? Or having a branch of the gateway cut out that we can deploy and experiment with?

thanks, Luca

On Aug 3, 2010, at 11:22 AM, Rachana Ananthakrishnan wrote:

Sharing my notes from the call.

Rachana

Gateway Release

1. Federation-wide Trust Root Management
A. Neill to send email to go-essp requesting certificates
B. Input from Eric on where in a Gateway install you should pick up MyProxy CA and the OpenID trustroots
C. All Gateway and Data node owners to send the trust roots
D. Neill generates document with tar.gz and Java trust root

2. Gateway Attribute Service
A. Luca to respond on feasibility to assert a whitelist
B. Nathan H to work on Gateway to attribute service call use certificate for SSL handshake
C. Eric: PCMDI deployment does not validate client and all connections should be mutually authenticated
D. Eric: PCMDI deployment did not return any attribute results
E. (?) PCMDI registration request was not answered. This needs to be changed to be automated.
F. (?) Registration currently is automatically approved, and if you know the confirmation URI, the approval can be spoofed.

3. Gateway SAML Authorization Service
A. Luca has tested AuthZ service at NASA, which is latest code
B. Data node filter updates need to be absorbed for deployment

4. Gateway WGet Scripts
A. Eric making progress on this, on target
B. Phil to follow-up on the wget parameters needed
C. Call to discuss the VeriSign keystore issue (Phil, Rachana, Gavin)

Data Node Release

1. Data Node Authentication/Authorization
A. SAML one has low priority. Use cases where we need the user attributes via the certificates, since the core attributes are pushed via OpenID, but not via PKI.
B. RP with email in cookie, not resolved for now
C. Next release: code development is done, needs script integration and installation (Stephen, Gavin & Luca)
D. Luca/Gavin: to test token and token-less data node install on a machine with a clean script install to test this. Gavin to setup the machine, and setup access. Install federation wide trust information to allow anyone in federation to test this.

3. Configurable Data Node Service to enable/disable token generation
A. Gavin: generate CSR on data node install, and has documentation on this. PCMDI as the specific contact for now.
B. Rachana to work with Gavin on the document outlining how the admin can get the host certificate.

* GridFTP on lack of chroot turnkey solution is a blocker for next data node release.
* Attribute and authorization services need to be able to do mutual authentication and whitelist users. Blocker for next release.

On Aug 3, 2010, at 7:56 AM, philip.kershaw at stfc.ac.uk wrote:

Hi all,

I’ve compiled an agenda with Rachana for the call today:

http://proj.badc.rl.ac.uk/go-essp/wiki/CMIP5/Meetings/telco100803

There is a lot to get through, probably more than we have time for but it’s in rough order of priority so we can see how far we get.

Cheers,
Phil


_______________________________________________
GO-ESSP-TECH mailing list
GO-ESSP-TECH at ucar.edu
http://mailman.ucar.edu/mailman/listinfo/go-essp-tech

Rachana Ananthakrishnan
Argonne National Lab | University of Chicago
