No subject
Guy Rixon
gtr at ast.cam.ac.uk
Mon May 10 09:53:05 PDT 2004
Hi,

we need, as a group, to raise some proposals for how we do single-sign-on
authentication in IVOA web-services.

I like the idea of using the SOAP-header based protocols from OASIS like
WS-Security. I think these are going to get the best support from software
authors. I dislike the idea of producing private schemes that don't work with
external toolkits or with the grid. However, WS-Security et al don't give a
complete, prescriptive solution; they have too many alternatives and options.
We would need a profile for our use of those standards.

Enter the Basic Security Scenarios from the W/S Interoperability organization:

http://www.ws-i.org/Profiles/BasicSecurity/2004-02/SecurityScenarios-0.15-WGD.pdf

This, if I read it correctly, suggests using digital signatures (implies
certificates and PKI) according to WS-Security and nonces plus timestamps (from
a different bit of WS-Security) to avoid replay attacks. I'll try and digest
these ideas into a possible Way That IVOA Does Things and post that later this
week. In the meantime, could those who wish to debate this on-line and at the
MA meeting please have a look at the WS-I document?

Thanks,
Guy

Guy Rixon gtr at ast.cam.ac.uk
Institute of Astronomy Tel: +44-1223-337542
Madingley Road, Cambridge, UK, CB3 0HA Fax: +44-1223-337523
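
An added example, not part of the original message or of the WS-I document: a receiver-side check for the combination the message mentions, a signature plus a nonce plus a timestamp, showing why the nonce and timestamp must be covered by the signature. HMAC-SHA256 stands in for the certificate-based WS-Security signature, and the names ReplayGuard, FRESHNESS and CLOCK_SKEW, their values, and all sample data are assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

FRESHNESS = timedelta(minutes=5)    # assumed acceptance window
CLOCK_SKEW = timedelta(seconds=30)  # assumed tolerance for fast sender clocks

def sign(key: bytes, nonce: str, created: datetime, body: bytes) -> str:
    """Stand-in signature (HMAC-SHA256) over nonce, timestamp and body together."""
    data = b"\n".join([nonce.encode(), created.isoformat().encode(), body])
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class ReplayGuard:
    """Accept a message only if it is signed, fresh, and its nonce is unseen."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen = {}  # nonce -> last instant at which its message is still fresh

    def check(self, nonce, created, body, signature, now):
        # 1. Signature first: nonce and timestamp are only trustworthy if signed.
        expected = sign(self.key, nonce, created, body)
        if not hmac.compare_digest(expected, signature):
            return "bad-signature"
        # 2. The timestamp bounds how long a captured message stays usable.
        if created > now + CLOCK_SKEW or now - created > FRESHNESS:
            return "stale"
        # 3. Drop nonces whose messages would now fail the freshness test anyway,
        #    so the cache stays bounded by the window rather than growing forever.
        self.seen = {n: exp for n, exp in self.seen.items() if exp >= now}
        # 4. Inside the window, a repeated nonce is a replay.
        if nonce in self.seen:
            return "replay"
        self.seen[nonce] = created + FRESHNESS
        return "ok"

def demo():
    key = b"constructed-demo-key"  # constructed sample values throughout
    t0 = datetime(2004, 5, 10, 17, 0, tzinfo=timezone.utc)
    body = b"<query>constructed sample body</query>"
    sig = sign(key, "n-001", t0, body)
    guard = ReplayGuard(key)
    return [
        guard.check("n-001", t0, body, sig, t0 + timedelta(seconds=2)),  # first delivery
        guard.check("n-001", t0, body, sig, t0 + timedelta(seconds=9)),  # resent copy
        guard.check("n-002", t0, body, sig, t0 + timedelta(seconds=9)),  # nonce altered
        guard.check("n-001", t0, body, sig, t0 + timedelta(minutes=6)),  # resent late
    ]
```
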