Changes between Version 3 and Version 4 of MashMyData


Timestamp: 05/07/10 13:44:42 (9 years ago)
Author: pjkersha
Comment: --

  • MashMyData

    v3 v4  
    1717 1. [http://www.ietf.org/rfc/rfc3820.txt Proxy certificates]: There are different ways of implementing this: 
    1818   i. [wiki:MashMyData/MyProxy MyProxy Based]: use [http://grid.ncsa.illinois.edu/myproxy/ MyProxy] as a credential store.  The portal uploads a user credential to (a) !MyProxy server(s) which services can access on the users behalf and use to obtain delegated user credentials in order to access other secured services.  - Service A, is trusted by the !MyProxy server C.  Before accessing service B, it requests a delegated user credential from C.  It uses the user credential to access service B. 
    19    i. Without !MyProxy: the principle of services obtaining delegated credentials remains the same but there is no !MyProxy server to acts as a broker of user credentials 
    20    * '''Pros''': Well tried and tested solution in the Grid community, enables integration with other Grids.  ESG Security already supports PKI based authentication, but, 
    21    * '''Cons''': Currently no ESG Java implementation to support authentication using proxy certificates.  A filter would need to be implemented.  CEDA's Python implementation ''does'' already support proxy certificates. 
    22  1. OAuth: 
     19   i. Without !MyProxy: the principle of services obtaining delegated credentials remains the same but there is no !MyProxy server to acts as a broker of user credentials.  The [IVOA Credential Delegation Model http://www.ivoa.net/Documents/CredentialDelegation/] provides an elegant RESTful interface for brokering proxy credentials between services in a workflow. 
     20   * '''Pros''': Well tried and tested solution in the Grid community, enables integration with other Grids.  ESG Security already supports PKI based authentication, but ... 
     21   * '''Cons''':  
     22    a. Currently no ESG Java implementation to support authentication using proxy certificates.  A filter would need to be implemented.  CEDA's Python implementation ''does'' already support proxy certificates. 
     23    a. An additional sign in step may be required at the portal in order to obtain a credential from a !MyProxy server.  Non-ESG Federation users would need to register with a !MyProxy server. 
     24    a. For the !Myproxy based solution, there is a service discovery problem: how does the Portal know which !MyProxy server to upload credentials to and how do delegates know which !MyProxy server to callout to to get a delegated credential. 
     25 1. [http://oauth.net/ OAuth]:  
     26   * '''Pros''': 
     27    a. No need to re-authenticate as with !MyProxy based solution. 
     28    a. No need for custom PKI interfaces to support Proxy certificates. 
     29    a. No service discovery problem.  OAuth protocol allows required information to be passed in tokens. 
     30    a. Python and Java libraries available 
     31   * '''Cons''': 
     32    a. untried in this scenario but [http://portal.opengeospatial.org/files/?artifact_id=35461 OGC OWS-6 testbed] demonstrated a RESTful interface with delegation based on OpenID and OAuth. 
     33    a. User approval interface required with perhaps a registry of approved delegates.  User approval will need to be out of band of HTTP so some other communication mechanism is required.  e-mail, SMS or chat protocol would work but are these secure enough? 
    2334 
    2435
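Review bot: the IVOA link in the new "Without !MyProxy" item (v4 line 19) has its URL and label reversed, `[IVOA Credential Delegation Model http://www.ivoa.net/Documents/CredentialDelegation/]`; Trac's link syntax puts the URL first, as every other link in this section does, so it should read `[http://www.ivoa.net/Documents/CredentialDelegation/ IVOA Credential Delegation Model]` or it will not render as a link. Two points in the same block are left hanging: the proxy-certificate '''Pros''' item still ends with "but ..." even though the caveat it led into has been moved down to the new '''Cons''' list (drop the "but"), and the OAuth '''Cons''' item closes on the open question "are these secure enough?" without stating the concern; since this is a comparison meant to drive a design choice, say what property the out-of-band approval channel must provide (that the approval really comes from the user and refers to the specific pending request) so the two options can be weighed on equal terms. Minor wording in the added lines: "to acts as" should be "to act as", "to callout to to" has a duplicated "to", and "!Myproxy" (v4 line 24) is inconsistent with "!MyProxy" elsewhere.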