Available delegation services
There are several delegation protocols available:
- the original GridSite Delegation Service Protocol,
- the gLite/GridSite Delegation Service Protocol,
- the Globus Credential Delegation Service,
- Globus' New Delegation Service,
- the IVOA Credential Delegation Protocol,
- WS-Trust (an extension to WS-Security).
These are briefly discussed below.
Original GridSite Delegation Service Protocol
This protocol is documented in the GridSite pages. It supports two operations: getProxyReq and putProxy. The semantics are that the client receives, via getProxyReq, the public key of the newly generated proxy, which it is to sign. Once signed, the certificate is uploaded using putProxy.
The description and protocol (and therefore also the WSDL) have been superseded by the gLite/GridSite protocol.
gLite/GridSite protocol
The gLite/GridSite protocol extends the original GridSite protocol. There are three versions of this protocol:
- version 1.0.0: the original GridSite Delegation Service Protocol, supporting the getProxyReq and putProxy operations. The client issues getProxyReq with an ID, signs the certificate request, and uploads the certificate using the putProxy operation. This is essentially the same as the original GridSite Delegation Service (see above).
- version 1.1.0: introduces the concept of a delegation session by adding the getNewProxyReq, renewProxyReq, getTerminationTime and destroy operations. Both getNewProxyReq and renewProxyReq require the client to complete the operation with the v1.0.0 putProxy operation.
- version 2.0.0 (the latest) adds some ancillary information operations: getVersion, getInterfaceVersion and getServiceMetadata.
The semantics of these operations are described in the interface documentation.
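The v1.0.0 getProxyReq/putProxy exchange described above, as an added example that is not GridSite's or gLite's own code, written against Ruby's bundled openssl library. The function names, the PROXY_KEYS store keyed by delegation ID (so one user can hold several delegations at once) and the self-signed "Example VO" credential are assumptions of this example; the checks in put_proxy are the ones a service should make before accepting an uploaded proxy.

```ruby
require "openssl"
PROXY_KEYS = {} # service-side store (assumed): one fresh key per delegation ID; private keys never leave the service

# getProxyReq (service): mint the proxy key for this delegation ID and return a PEM CSR for the client to sign.
def get_proxy_req(delegation_id)
  key = PROXY_KEYS[delegation_id] = OpenSSL::PKey::RSA.new(2048)
  req = OpenSSL::X509::Request.new
  req.subject = OpenSSL::X509::Name.new([["CN", "proxy request"]])
  req.public_key = key.public_key
  req.sign(key, OpenSSL::Digest.new("SHA256"))
  req.to_pem
end

# Client side: check the CSR's proof of possession, then sign it with the long-lived credential
# into a short-lived proxy named <delegator subject>/CN=proxy, which the client uploads via putProxy.
def sign_proxy_req(csr_pem, cred, cred_key, ttl)
  req = OpenSSL::X509::Request.new(csr_pem)
  raise "CSR signature invalid" unless req.verify(req.public_key)
  proxy = OpenSSL::X509::Certificate.new
  proxy.serial = OpenSSL::BN.rand(64)
  proxy.subject = OpenSSL::X509::Name.new(cred.subject.to_a + [["CN", "proxy"]])
  proxy.issuer = cred.subject
  proxy.public_key = req.public_key
  proxy.not_before, proxy.not_after = Time.now, Time.now + ttl
  proxy.sign(cred_key, OpenSSL::Digest.new("SHA256"))
  proxy.to_pem
end

# putProxy (service): accept only a proxy that wraps the key issued for this ID, is signed by the
# delegator and does not outlive the delegator's own credential.
def put_proxy(delegation_id, proxy_pem, cred)
  key = PROXY_KEYS.fetch(delegation_id) { raise "unknown delegation ID" }
  proxy = OpenSSL::X509::Certificate.new(proxy_pem)
  raise "proxy key is not the key issued for this ID" unless proxy.check_private_key(key)
  raise "proxy is not signed by the delegator" unless proxy.verify(cred.public_key)
  raise "proxy outlives the delegating credential" if proxy.not_after > cred.not_after
  proxy
end

# Constructed self-signed user credential standing in for a CA-issued one (fixture for this example).
def new_credential(cn, ttl)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.new([["O", "Example VO"], ["CN", cn]])
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now, Time.now + ttl
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end
```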
Available implementations
There are several projects in the gLite CVS repository (:pserver:anonymous@glite.cvs.cern.ch:/cvs/glite) that provide some support for GDS or delegation.
GDS v2.0.0
These projects provide support for GDS v2.0.0
GDS v1.1.0
Unknown
Globus Credential Delegation Service
This service was supplied as part of Globus Toolkit (GT) v4.0.
Globus has dropped support for their Delegation Service with GT v5.0. There is no explicit mention in their release notes that support has been dropped, but the component is no longer listed.
Globus New Delegation Service
As part of their effort in moving away from GSI towards SSL/TLS, Globus will provide a new delegation service. Details are scarce at the moment, but it is anticipated that it will be RESTful.
IVOA Delegation service
Version 1.0 of the IVOA Credential Delegation Protocol is described in this page.
The AstroGrid security, delegation page describes the AstroGrid implementation, which is a Java client and server.
Here is a brief analysis from Joni Hahkala:
The IVOA protocol seems good and seems to be well defined. But it seems to assume the user needs just one delegation. In GridSite delegation there is a so-called delegation id which allows the user to have several delegations at the same time with, for example, different VO attributes. By default in our systems this id is generated and filled with a hash of the VO attributes, allowing the user to do things with different roles etc. at the same time without the credentials getting mixed up. Otherwise the protocols are pretty close to each other.
WS-Trust
According to the standard's introduction, WS-Trust is defined as extensions to the WS-Security family that provide:
- Methods for issuing, renewing, and validating security tokens.
- Ways to establish, assess the presence of, and broker trust relationships.
This requires deployment of the WS-Security framework. WS-Security is orthogonal to transport-level security: instead, it secures individual messages using XML Signature (XML-SIG) and XML Encryption (XML-ENC). A "light-weight" option, WS-SecureConversation, is available, which spans multiple messages.
WS-Security has a strongly adverse effect on performance.
A study by Francois Lascelles and Aaron Flint, "WS Security Performance: Secure Conversation versus the X509 Profile", showed that WS-SecureConversation (XML-SIG and XML-ENC) yields some 27% of the performance of TLS, and WS-Security (XML-SIG and XML-ENC) only 12% of the TLS performance.
--
PaulMillar - 17-Nov-2010