Thursday, June 5, 2008


Among the core services that have served multiple grids for years are the information systems, grid authentication, and more recently parts of the authorisation infrastructure. For information systems, GLUE 2.0 is now getting very real, with proposed implementations of the schema in not just traditional LDAP, but also XML and SQL. As it's traditionally used for resource selection and publishing accounting information, the new schema and its implementations should extend the way we can use it.
For authentication we have the equally traditional PKI (Public Key Infrastructure) in the form of the global network of peer certification authorities; among the topics discussed in CAOPS is how some services identified by certificates are more equal than others. If you have an attribute authority issuing assertions, then it's not a host or a person, and its signing key should be protected better than a normal host key: perhaps also backed up better, with an implementation that splits the key between, er, key masters, so that no single custodian holds the whole key and no single lost share destroys it.
On the authorisation side people have started talking about using SAML signed assertions instead of the more traditional attribute certificates (remember, it's all an experimental science). SAML poses new challenges for the interoperability folks because it's a "new" way of doing the same thing (i.e. distributing attribute tokens), but it also opens new possibilities for interoperation. We have started looking at interoperation, policies, and operations for attribute authorities in several OGF groups; a common baseline will promote interoperation further.
It's all very technical of course, and sometimes it feels like medieval philosophers arguing about how many angels can dance on the head of a pin. But that's part of the fun.

