
Single-Sign-On Profile: Request for Comments

This document acts as the RFC centre for the IVOA Single-Sign-On Profile: Authentication Mechanisms Proposed Recommendation V1.00.

Review period: 17 July 2007 to 31 August 2007

In order to add a comment to the document, please edit this page and add your comment to the list below in the format used for the example (include your WikiName so authors can contact you for further information). When the author(s) of the document have considered the comment, they will provide a response after the comment.

Discussions about any of the comments or responses should be conducted on the GWS mailing list, grid@ivoa.net.

Implementation details

The IVOA SSO Profile approves four mechanisms:

  • No authentication
  • Digital signature of messages
  • TLS (Transport Layer Security) with client certificates
  • TLS with passwords

The required components to support this profile are:

  • Client software for digital signature for SOAP
  • Server software for digital signature for SOAP
  • Client software for HTTPS with proxy certificates
  • Server software for HTTPS with proxy certificates

The following implementations for each component are known:

  • Digital signature for SOAP (client):
    • AstroGrid security facade + Astro Runtime
    • Caltech VOSpace secure client (using Axis WSS4J 1.5.0)

  • Digital signature for SOAP (service):
    • AstroGrid security facade + CEA app-server
    • Caltech VOSpace server

  • HTTPS + RFC3820 (proxy certificates) components (client):
    • curl
    • htcp (from GridSite)
    • globus-url-copy (from Globus Toolkit)
    • Matthew Graham's HTTPS + RFC3820 Java code

  • HTTPS + RFC3820 components (service):
    • Tomcat + GList trust-manager
    • Tomcat + AstroGrid trust-manager
    • Apache httpd + GridSite module
    • Jetty + Bruno Harbulot's trust manager

Comments

  • First sample comment (by MarSierra): ...
    • Response (by authorname): ...




Topic revision: r2 - 2007-07-17 - MatthewGraham
 