perfsonar-dev - [AA] Sending security tokens
[AA] Sending security tokens


  • From: Cándido Rodríguez Montes <>
  • To: Perfsonar Development List <>
  • Cc: "Diego R. Lopez" <>
  • Subject: [AA] Sending security tokens
  • Date: Mon, 5 Mar 2007 16:44:07 +0100

Hi all,
I've been thinking about how clients must send security tokens to a perfSONAR Resource (pSR), and I think the best option is to use the X.509 and SAML profiles of Web Services Security (WS-SEC) [1]; both are OASIS standards.
In recent weeks we've talked in some phone conversations about whether we must use TLS or WS-SEC. IMHO, we must use only WS-SEC for authorization purposes. I think TLS is necessary for protecting the communications between clients and servers (we agree the communications MUST be encrypted), but it doesn't fulfil all the requirements of the Authorization Service specification. So, why do I think WS-SEC is the best option for us?
1. We have two types of security tokens: X.509 certificates and SAML assertions. Obviously, we cannot send SAML assertions through TLS, so we need another technology, and WS-SEC is an option.
2. If we use WS-SEC for SAML assertions, and WS-SEC fulfils all the requirements of the Authorization Service (AS) specification, I think it doesn't make sense to use only a part of the WS-SEC specification.
3. We've been talking about using the same certificate for TLS and WS-SEC. I think the certificate used by the client and the application server is not relevant to the AS.
4. It's the pSR's decision whether to send an authorization request to the AS for a given request, so maybe there are requests which don't need any authorization before the answer is sent. In that case we still need TLS for encrypting communications between the client and the pSR, but the certificate used for that purpose is not a security token, and maybe it's not a certificate from eduGAIN.

I've CCed this email to Diego López, who can tell us what his feeling is about this topic.

Regards


--
Cándido Rodríguez Montes E-mail: 
Red.ES/RedIRIS Tel:+34 955 05 66 13
Edificio CICA
Avenida Reina Mercedes, s/n
41012 Sevilla
SPAIN
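The separation the mail argues for (tokens travel in the SOAP message, the TLS certificate stays out of the authorization decision) is easiest to see in the message itself. The following is an added example, not code from the original mail or from the perfSONAR project: it builds a SOAP request whose wsse:Security header carries both token types named above, an X.509 BinarySecurityToken per the WSS X.509 Token Profile 1.0 and a SAML 1.1 assertion per the WSS SAML Token Profile 1.0, and then extracts them the way a pSR would before handing them to the AS. The namespace URIs are the published OASIS ones; the certificate bytes, issuer, subject, timestamps and body element are constructed placeholders (the certificate is not a parseable DER structure, and the assertion is unsigned).

```python
"""Added example (not from the original mail or the perfSONAR code base):
a SOAP request whose WS-Security header carries an X.509 BinarySecurityToken
and a SAML 1.1 assertion, and the pSR-side extraction of those tokens.
Certificate bytes, issuer, subject and body element are placeholders."""
import base64
import datetime as dt
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.1, as in WSS SAML Token Profile 1.0
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
for _prefix, _uri in (("soap", SOAP), ("wsse", WSSE), ("wsu", WSU), ("saml", SAML)):
    ET.register_namespace(_prefix, _uri)

TS = "%Y-%m-%dT%H:%M:%SZ"
ONE_HOUR = dt.timedelta(hours=1)
# Constructed placeholder standing in for a DER-encoded client certificate;
# it is NOT a parseable X.509 structure.
CERT_DER = b"\x30\x82\x01\x0a\x02\x01\x03" + b"example-cert" * 4
NOW = dt.datetime(2007, 3, 5, 15, 44, 7)  # naive UTC, constructed


def make_assertion(issuer, subject, not_before, not_on_or_after):
    """Minimal unsigned SAML 1.1 assertion (a real one carries a ds:Signature)."""
    a = ET.Element(f"{{{SAML}}}Assertion", {
        "MajorVersion": "1", "MinorVersion": "1", "AssertionID": "_example-assertion-1",
        "Issuer": issuer, "IssueInstant": not_before.strftime(TS)})
    ET.SubElement(a, f"{{{SAML}}}Conditions", {
        "NotBefore": not_before.strftime(TS), "NotOnOrAfter": not_on_or_after.strftime(TS)})
    st = ET.SubElement(a, f"{{{SAML}}}AuthenticationStatement", {
        "AuthenticationMethod": "urn:oasis:names:tc:SAML:1.0:am:X509-PKI",
        "AuthenticationInstant": not_before.strftime(TS)})
    subj = ET.SubElement(st, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameIdentifier").text = subject
    return a


def build_request(cert_der, assertion, body):
    """Client side: SOAP envelope with a mustUnderstand wsse:Security header
    carrying both tokens. Whatever certificate the TLS layer uses is irrelevant here."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE}}}Security", {f"{{{SOAP}}}mustUnderstand": "1"})
    bst = ET.SubElement(sec, f"{{{WSSE}}}BinarySecurityToken", {
        "ValueType": X509V3, "EncodingType": B64, f"{{{WSU}}}Id": "X509Token"})
    bst.text = base64.b64encode(cert_der).decode("ascii")
    sec.append(assertion)
    ET.SubElement(env, f"{{{SOAP}}}Body").append(body)
    return ET.tostring(env, encoding="utf-8")


def extract_tokens(envelope):
    """pSR side: pull the tokens out of the wsse:Security header. Returns DER
    bytes for X.509 tokens and issuer/validity window for SAML assertions."""
    tokens = {"x509": [], "saml": []}
    sec = ET.fromstring(envelope).find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if sec is None:
        return tokens
    for bst in sec.findall(f"{{{WSSE}}}BinarySecurityToken"):
        # Accept only the X.509v3 profile in base64; ignore any other token type.
        if bst.get("ValueType") != X509V3 or bst.get("EncodingType") != B64:
            continue
        tokens["x509"].append(base64.b64decode(bst.text or "", validate=True))
    for a in sec.findall(f"{{{SAML}}}Assertion"):
        cond = a.find(f"{{{SAML}}}Conditions")
        tokens["saml"].append({
            "issuer": a.get("Issuer"),
            "not_before": dt.datetime.strptime(cond.get("NotBefore"), TS),
            "not_on_or_after": dt.datetime.strptime(cond.get("NotOnOrAfter"), TS),
        })
    return tokens


def assertion_is_current(saml_token, now):
    """SAML validity window check: NotBefore is inclusive, NotOnOrAfter exclusive."""
    return saml_token["not_before"] <= now < saml_token["not_on_or_after"]


def example_exchange():
    """Build a request carrying both tokens and extract them again."""
    assertion = make_assertion("https://idp.example.org/saml", "user@example.org",
                               NOW, NOW + ONE_HOUR)
    body = ET.Element("{urn:example:psr}request")  # placeholder body element
    return extract_tokens(build_request(CERT_DER, assertion, body))


if __name__ == "__main__":
    print(example_exchange())
```

Two details matter in practice: the header is marked soap:mustUnderstand="1", so a pSR that does not process WS-Security faults instead of silently answering an unauthorized request, and the extractor checks ValueType and EncodingType rather than trusting any BinarySecurityToken it finds. Signature verification over the assertion and the certificate chain check are deliberately left out of this example; they belong to the AS.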