(r4) SsoRFC < IVOA

IVOA Web>SsoRFC (revision 4) (raw view)~~EditAttach~~

---+ Single-Sign-On Profile: Request for Comments

This document will act as *RFC* centre for the [[http://www.ivoa.net/Documents/PR/GWS/SSOAuthMech-20070621.doc][IVOA Single-Sign-On Profile: Authentication Mechanisms]] Proposed Recommendation V1.00

Review period: 17 July 2007 to 31 August 2007

In order to add a comment to the document, please edit this page and add your comment to the list below in the format used for the example (include your TWiki.WikiName so authors can contact you for further information). When the author(s) of the document have considered the comment, they will provide a response after the comment. 

Discussions about any of the comments or responses should be conducted  on the GWS mailing list, grid@ivoa.net.

---++ Implementation details

The IVOA SSO Profile approves four mechanisms:

   * No authentication
   * Digital signature of messages
   * TLS (Transport Layer Security) with client certificates
   * TLS with passwords

The required components to support this profile are:

   * Client software for digital signature for SOAP
   * Server software for digital signature for SOAP
   * Client software for HTTPS with proxy certificates
   * Server software for HTTPS with proxy certificates

The following implementations for each component are known:

   * Digital signature for SOAP (client):
      * AstroGrid security facade + Astro Runtime
      * Caltech VOSpace secure client (using Axis WSS4J 1.5.0)

   * Digital signature for SOAP (service):
      * AstroGrid security facade + CEA app-server
      * Caltech VOSpace server

   * HTTPS + RFC3820 (proxy certificates) components (client):
      * curl
      * htcp (from GridSite)
      * globus-url-copy (from Globus Toolkit)
      * Matthew Graham's HTTPS + RFC3820 Java code

   * HTTPS + RFC3820 components (service):
      * Tomcat + GList trust-manager
      * Tomcat + AstroGrid trust-manager
      * Apache httpd + GridSite module
      * Jetty + Brun Harbulot's trust manager 

---++ Comments
   * First sample comment (by MarSierra): ...
      * Response (by _authorname_): ... 


   * This is kind of an unusual document, in that it is not a definition of a standard interface but rather more a statement of principle.  Perhaps it is not even necessary to have this as a REC.  But if the GWS WG prefers it this way, ok.  (BobHanisch)
      * It's a description of the various mechanisms that the IVOA sanctions for use in security infrastructures and how these should be used: for example, HTTPS has to support proxy certificates which is not a common use case and so requires a particular subset of the available libraries to be used. This is one reason why we have been very specific that there are multiple implementations available that support each of the technical aspects presented here. If there is another way to get IVOA approval for an IVOA policy then please let us know what it is.(MatthewGraham)

<br>
---

<br/>
<!--
      * Set ALLOWTOPICRENAME = %MAINWEB%.TWikiAdminGroup
-->

Topic revision: r4 - 2007-08-02 - MatthewGraham

IVOA

Log in or Register

IVOA.net
Wiki Home
WebChanges
WebTopicList
WebStatistics

Twiki Meta & Help
IVOA
Know
Main
Sandbox
TWiki

TWiki intro
TWiki tutorial
User registration
Notify me

Working Groups

Interest Groups

Committees

Stds&Procs

www.ivoa.net
Documents
Events
Members
XML Schema