credential delegation protocol
Patrick Dowler
patrick.dowler at nrc-cnrc.gc.ca
Fri Sep 10 13:03:51 PDT 2010
We have gone off the deep end in using X509 certificates for several projects
here in CADC and specifically in using IVOA standards wherever possible. In the
grid processing system we have people creating and maintaining VMs and running
them in "the cloud". Then users wanted to create, copy, and delete VMs and
even share VMs with other users (eg these people can run my VM == group-read
permission)... the easy solution was to have users store their VMs in VOSpace
because it does all that.
However, to do that we now have other services which need to get the VM from
the VOSpace (eg the cloud system and the VM config system we set up so users
could boot/modify/save their VM on our side of the network) and that had to be
done with the users' credentials. We needed to have a proxy certificate/key pair
we could use... we needed a standard way to do that from several places... we
need a credential delegation proto... heh! Here's one right here on ivoa.net
and it's already a standard!!
So, first thing: thanks to GWS for being ahead of the curve :-)
Has anyone implemented CDP? in Java? It seems there are many ways to do X509
stuff wrong that still sort of work and there is more misinformation on the net
than I thought possible.
Also, has anyone worked with MyProxy (from NCSA) and can you explain the
overlap of that with CDP? Could one build CDP REST bindings on top of MyProxy
and thus get some stuff for free?
Anyway, we will be implementing CDP sometime soon.
--
Patrick Dowler
Tel/Tél: (250) 363-0044
Canadian Astronomy Data Centre
National Research Council Canada
5071 West Saanich Road
Victoria, BC V9E 2M7
Centre canadien de donnees astronomiques
Conseil national de recherches Canada
5071, chemin West Saanich
Victoria (C.-B.) V9E 2M7