GWS-WG agenda and meeting goalsAgenda • Summary of reference implementations • VOStore progress • VOStore issues and plans

– How to reconcile VOStore and VOSpace? – Does the DIME attachment method really work?

• VO basic profile • Security progress

– NVO progress (M. Graham: presentation) – EuroVO progress

• Security issues – Updated thoughts on certificate authorities – How to encode group attributes? – Details of delegation interface. – What community services do we need?

• Presentation: Italian work with Grid• Universal Worker Service: needed by other groups?

– Theory group – NVO/opticon s/w environment

Reference implementations• VOSI

– Caltech– JHU?– (AstroGrid)

• VOStore– AstroGrid– Caltech– ESO– JHU

• SSO– JHU– NCSA (including community services)– ESO– AstroGrid

• Any others?

VOStore/VOSpace issue

• Original plan: VOStore in 2005; VOSpace later– => independently accessible VOStore– => more function in VOStore than needed with

VOSpace– => allows v1.0 PR ~ December 2005

• Do we still want to do this?– Could we delay VOStore to wait for VOSpace?

• How much function does VOStore need to be independent?– How to handle naming of files?– Can we handle file sharing?– Can we handle groups?

VOStore DIME issue

• VOStore v0.18 says DIME is mandatory

• DIME implementations suck

• DIME is obsolete anyway (c.f. MTOM)

• Do we want to keep DIME in VOStore?

• If not, what replaces it?

Security componentsCommunity

services

Credential

cache

Client

application

A SOAPService

MyProxy SAMLLocalProxy

Digital Signature

Digital Signature

Delegation

Another

SOAP Service

Delegation

An HTTPS

service

TLS

Security issues: group attributes

• Several ways to encode “user x belongs to group y”:– SAML attributes in SOAP header (“push”)– SAML authority service in community (“pull”)– SAML in user id certificate (“push”)– Extra attribute certificates (“push” or “pull”)– Any others?

• Which?• Can we defer the decision until SSO v2?

Security issues: community services

• What services are to be IVOA standard?

• MyProxy

• SAML?

• Standard sign-on service?– UI, so need not be fully standard

Security issues: CAs

EuroVO CA

ESA CA

Sign

Sign

VO service

ESA user

Grid service

Grid CA

Sign

VO service

ESA user

Grid service

Security issues: delegation• Need delegation interface on SOAP services.

– Delegating client signs proxy credential for service receiving delegation

– One SOAP method to get unsigned credential– Another SOAP method to send signed credential– Precedes secured method(s)– OK?

• Similar with HTTPS– OK?