perfsonar-dev - Re: [pS-dev] [Security Update] New version of perfSONAR base
Subject: perfsonar development work
- From: "Michael Bischoff" <>
- To: Cándido Rodríguez Montes <>
- Cc: "Ralf Kleineisel" <>, "Nina Jeliazkova" <>, "Perfsonar Development" <>
- Subject: Re: [pS-dev] [Security Update] New version of perfSONAR base
- Date: Wed, 5 Mar 2008 12:12:00 +0100 (CET)
- Importance: Normal
> Hi Ralf,
>
>
> On 03/03/2008, at 14:03, Ralf Kleineisel wrote:
>
>
>> Hi,
>>
>>
>> Cándido Rodríguez Montes wrote:
>>
>>
>>> I've just uploaded a new version of perfsonar-base and
>>> perfsonar-base-ac_authn (20080303) which does a workaround about the
>>> timestamp.
>>
>> I don't see the point of that timestamp function at all.
>>
>>
>> There are so many security sensitive applications like ssh, ssl and
>> none of them relies on the computer's clock.
>
> Yes, that's true. They are in other scenarios and they don't need the
> timestamp.
Actually, most secure websites start having all kinds of issues if you put
your clock a year or so back. But isn't the timestamp of the client only
useful to identify that the service is who he said it is? As for
authenticating against the AS, shouldn't the timestamp be provisioned by
the SOAP service? In other words, if the AS and the SOAP service have the
right clock but the client hasn't, the client should only have issues,
which the user can choose to ignore. But if I followed things right, the
issue occurs on the SOAP service?
>>
>> If you need secure perfSONAR: Why don't you simply tunnel it
>> through an ssl tunnel? Why invent the wheel once again?
You'd have a logistics problem: how are you going to provision the
services with allowed credentials? SSL would only ensure a secure
connection, which is only a part of the mechanism needed. About reinventing
the wheel: both SSL and the system currently employed build upon
X.509.
>
> Sorry but I disagree. In fact we're not securing perfSONAR, but we're
> building an authentication and authorization infrastructure in it and
> integrating into a multi-domain federation (called confederation by JRA5).
> And, for that purpose, we're using the available standards for
> securing web services, as perfSONAR is based on SOAP web services. The
> timestamp is also recommended in that standard for enforcing the security
> of security tokens, so I think we should use it.
>
> Regards
>
>
>>
>> Best regards
>>
>>
>> Ralf
>>
>>
Kind regards,
Michael Bischoff
>
> --
> Cándido Rodríguez Montes E-mail:
>
> Middleware warrior Tel:+34 955 05 66 13
> Red.ES/RedIRIS
> Edificio CICA
> Avenida Reina Mercedes, s/n
> 41012 Sevilla
> SPAIN
>