myproxy server

Ivan R. Judson judson at mcs.anl.gov
Mon Sep 8 12:52:58 CDT 2003


> At 11:26 AM 9/8/2003 -0500, Ivan R. Judson wrote:
> >I think this should be given a priority that is low; that is Ti should
> >work on other things (including OpenCA/Globus) first. While the proxy
> >certificate stuff is on our research path, it's not popping up to the
> >top -- we have other more important things that need to be done first,
> >that don't require Ti to spend cycles on this particular request.
>
> That's interesting, it seemed in discussions last week that the difficulty
> with people getting certificates was getting significant, and having a
> myproxy server available to prototype against would be a step in the path
> toward a solution to that. It is also the next major piece of certificate
> management that needs to be tackled (the host/service cert problem isn't a
> big deal, I just need some input in how the services expect to have these,
> and the model which is expected to be used in making such requests, as in a
> multiple-machine node the request will have to be made from the machine the
> service runs on in order for the private key to land in the proper location).

Right, the users expressed some concerns and difficulties about certificate
use, however, using myProxy is only one solution, and in fact, might still
require us to address the same issues that will enable non-myProxy
credentials to be sufficient for user needs. We have to analyze whether the
expressed concern and myProxy have a dependent relationship or possibly
orthogonal (development-wise).  That's why I don't think Ti spending time on
this now is beneficial to us (the AG team) or the greater FL.

> I am addressing issues related to the pieces of ag2 that last I knew were
> the only ones I'm significantly involved with: security and data access.
> The use of a myproxy server is directly associated with the security side,
> as are difficulties like the one just posted to ag-tech (which has brought
> to view a requirement for the cert request stuff I hadn't considered).

Again, I'm not sure myproxy is a required piece of technology to solve the
current problems; I think we need to discuss exactly what's going on and
what needs to be done as a group.

> I have also been researching the issues involved in more coherent access to
> data stores, including support for hierarchical organizational to same
> (which is not a trivial extension), issues in access control in that
> environment, etc.

This is a non-dated task according to our previous project list; how come
this is coming up now? I think the previous thing you pointed out is
significantly more important.

I think having the latest cert mgmt stuff provide the same functionality as
the 2.0 stuff is a very high priority; regardless of what we might want to
argue, once the functionality is out there, users want to use it and it's
bad form to pull it back and make it unavailable. If I'd have known we would
need to do this for the 2.1 release, we might have made other choices to
meet the timeline -- again, just a point that I need to be kept informed of
progress and status as we're developing so that we can make those decisions.

--Ivan
