Looks fine to me


This design covers the important details for the change to CILogon itself, documenting a new feature available via CILogon. It's another step forward in expanding the security features available to service/application providers.

As far as I can tell, this--by itself--won't result in any benefit to XSEDE service providers or to XSEDE users. (Unless there are XSEDE users who are using CILogon to access non-XSEDE services, of which I'm not aware.)

Specifically, this design doesn't propose making any changes to the configuration of SSH or GridFTP services to use this feature. Nor does it explain the circumstances under which those changes would be useful/desirable. If XSEDE needs this feature for enhancing the security restrictions of (some or all of) its SSH or GridFTP services, we'll need a follow-on activity to do that.

If the result of the activity is of no benefit to XSEDE, why is there an activity at all?

Perhaps we need at least to have documented how one could assert a requirement to employ CILogon Silver versus CILogon (basic, unleaded, whatever), and how to verify use of CILogon Silver and its REFEDS attributes?

I interpreted this as one step in a series of steps toward getting to where we want to be.

The design doc says, "This enhancement adds the ability to issue higher level of assurance certificates to enable XSEDE users to authenticate to partner cyberinfrastructures (such as the European Grid Infrastructure) that require those certificates." I could add more details in the design doc about, for example, why XSEDE users from LIGO are asking us for this.

Ah, I missed that. I do think it would be a good idea to mention a specific example. The LIGO one sounds perfect.

Here's the use case text I've added to v1.1 of the design doc in Section B:

This enhancement adds the ability to issue higher level of assurance certificates to enable XSEDE users to authenticate to partner cyberinfrastructures (such as the European Grid Infrastructure) that require those certificates. Currently our most urgent use case for this capability is to support LIGO computing, which relies on both XSEDE and EGI resources. With the retirement of the OSG CA (an IGTF Classic CA), LIGO users have migrated to using certificates from the CILogon Basic CA and have found that their certificates are rejected at EGI resources (e.g., the CVMFS server at NIKHEF). Enabling LIGO users to obtain certificates from the CILogon Silver CA restores their access to these EGI resources.
