[Go-essp-tech] Agenda for Security Telco Today

philip.kershaw at stfc.ac.uk philip.kershaw at stfc.ac.uk
Wed Aug 4 05:45:44 MDT 2010


Thanks Rachana.  I’ve copied them on to the wiki page:

 

http://proj.badc.rl.ac.uk/go-essp/wiki/CMIP5/Meetings/telco100803#NotesandActions

 

I’ve made some additions from my notes and I’ve highlighted actions.  

 

*Please all who were on the call check these actions*

 

Cheers,

Phil

 

From: Rachana Ananthakrishnan [mailto:ranantha at mcs.anl.gov] 
Sent: 03 August 2010 18:23
To: Kershaw, Philip (STFC,RAL,SSTD)
Cc: go-essp-tech at ucar.edu
Subject: Re: [Go-essp-tech] Agenda for Security Telco Today

 

Sharing my notes from the call.

 

Rachana

 

Gateway Release

1. Federation-wide Trust Root Management
A. Neill to send email to go-essp requesting for certificate
B. Input from Eric on where in a Gateway install you should pick up MyProxy CA and the OpenID trustroots
C. All Gateway and Data node owners to send the trust roots
D. Neill generates document with tar.gz and Java trust root

2. Gateway Attribute Service
A. Luca to respond on feasibility to assert a whitelist
B. Nathan H to work on Gateway to attribute service call use certificate for SSL handshake
C. Eric: PCMDI deployment does not validate client and all connections should be mutually authenticated
D. Eric: PCMDI deployment did not return any attribute results
E. (?) PCMDI registration request was not unanswered. This needs to be changed to be automated.
F. (?) Registration currently is automatically approved, and if you know the confirmation URI, the approval can be spoofed.

3. Gateway SAML Authorization Service
A. Luca has tested AuthZ service at NASA, which is latest code
B. Data node filter updates need to be absorbed for deployment

4. Gateway WGet Scripts
A. Eric making progress on this, on target
B. Phil to follow-up on the wget parameters needed
C. Call to discuss the VeriSign keystore issue (Phil, Rachana, Gavin)

Data Node Release

1. Data Node Authentication/Authorization
A. SAML one has low priority. Use cases where we need the user attributes via the certificates, since the core attributes are pushed via OpenID, but not via PKI.
B. RP with email in cookie, not resolved for now
C. Next release: code development is done, needs script integration and installation (Stephen, Gavin & Luca)
D. Luca/Gavin: to test token and token-less data node install on a machine with a clean script install to test this. Gavin to set up the machine, and set up access. Install federation wide trust information to allow anyone in federation to test this.

3. Configurable Data Node Service to enable/disable token generation
A. Gavin: generate CSR on data node install, and has documentation on this. PCMDI as the specific contact for now.
B. Rachana to work with Gavin on the document outlining on how the admin can get the host certificate.

* GridFTP on lack of chroot turnkey solution is a blocker for next data node release.
* Attribute and authorization services need to be able to do mutual authentication and whitelist users. Blocker for next release.

On Aug 3, 2010, at 7:56 AM, <philip.kershaw at stfc.ac.uk> <philip.kershaw at stfc.ac.uk> wrote:





Hi all,

 

I’ve compiled an agenda with Rachana for the call today:

 

http://proj.badc.rl.ac.uk/go-essp/wiki/CMIP5/Meetings/telco100803

 

There is a lot to get through, probably more than we have time for but it’s in rough order of priority so we can see how far we get.

 

Cheers,

Phil

 

 

-- 
Scanned by iCritical.


_______________________________________________
GO-ESSP-TECH mailing list
GO-ESSP-TECH at ucar.edu
http://mailman.ucar.edu/mailman/listinfo/go-essp-tech

 

Rachana Ananthakrishnan

Argonne National Lab | University of Chicago

 


