[Pgi-wg] Sec: Agreement on attribute transportmechanismsforAttrAuthZ
j.jensen.ral at googlemail.com
Mon Mar 23 03:42:37 CDT 2009
2009/3/20 weizhong qiang <weizhongqiang at gmail.com>:
> On Fri, Mar 20, 2009 at 3:00 PM, <m.riedel at fz-juelich.de> wrote:
> Basically the globus implementation if GSSAPI is about a specific
> context-initiation negotiation, and some data-padding for initiation and
> data-transferring. Also you can accomplish proxy-delegation via it.
> What is for sure is that you can not use client based on normal TLS to talk
> with service which is based on GSSAPI, or vice versa.
> AFAIK, There is some grid service (WS compliant) such as some SRM service
> which uses GSSAPI. (SOAP + HTTP + GSS).
Some years since I last looked at it in detail but IIRC GSSAPI (RFC2743) is just
a mechanism for establishing security contexts - if you get these
bytes then send
this, etc. Presumably normal TLS can be implemented via GSSAPI as well, see
eg section 5.3 of the RFC
Someone once told me Globus had to deviate from the standard GSSAPI
to implement GSI. If this is true then it's worth documenting, no?
Again long time ago I experimented with the Globus module for GSI and
the lower level Globus GSSAPI. At the time they did not interoperate :-)
Had some discussions with Aleksandr at the time.
More information about the Pgi-wg