[gridshib-user] Some questions about GridShib

[Von Welch]

Hi Benjamin,

I'll do my best to answer your questions. A little context - most
of our development is currently project-driven (TeraGrid), which has
been very focused on GridShib for Globus Toolkit (GS4GT) and
GridShib SAML Tools (GS-ST) to support Science Gateways.
The GridShibCA (GS-CA) has been on the backburner for a while, in
large part because we're looking for someone willing to either help
fund its development or contribute. Until then, its progress is a
little unpredictable as its a best effort, spare time process. So my
answers will be honest, but perhaps not as fulfilling as you would like.

Benjamin Henne wrote:
> Hi gridshib-user,
> 
> maybe you can answer me some questions concerning current state 
> of GridShib.
> 
> Have the current releases been tested with the Shibboleth IdP 
> 2.0? Are they working with SAML1 of the new IdP? What about 
> support of SAML2 in the different pieces of software, especially
>  GridShibCA and SAML Tools?

There is no support for SAML2 and Shib 2.0 at this time. It's
something we definitely want, but will be a big step we're trying to
muster resources for. Requests from the community haven't been
overwhelming, if you have a clear need, please elaborate.

> Can you make a rough estimate about the next release of 
> GridShibCA? What parts of GridShib will be updated next after 
> SAML Tools 0.5.0 and upcoming GS4GT 0.6.1? The roadmap is not 
> totally up-to-date.

You will probably continue to see most of the effort put into GS4GT
and GS-ST. I suspect you are wanting to know about GS-CA support for
Shib 2.0 and my previous answer applies.

> What about GridShibCA and CRL? I noted that the new profile for 
> SLCS managed by the TAGPMA (version 2.1) states CRL as a must and
>  not as could have anymore?

The GridShibCA can issue CRLs just like any other CA. Typically most
SLCS's issue empty CRLs and there is no reason why the GS-CA
couldn't do that. It also logs all the certificates it issues so you
could revoke certificates if you wanted to. Granted we could add
some code to make this easier, but its certainly possible today.

> In general I would like to know if it's one of GridShibs aims to
>  conform to this profile. I think it needs to to be used within 
> productive Grid environments?

Yes, we're hoping to work with MyProxy in general in making sure
both SLCS implementations conform.

> Using current GridShib releases, is it possible to separate the 
> CA backend and the web front-end? If not, do you plan to simplify
>  this? I guess this separation is needed to conform to the SLCS 
> profile?

Yes. You can use MyProxy as the back end. This means the CA itself
can be on a different server from the web front-end and could even
leverage MyProxy's ability to use a HSM (using an HSM is advanced
usage and not for the faint at heart). For details see:

http://gridshib.globus.org/docs/gridshib-ca-0.5.1/myproxy-ca.html

Hope that helps,

Von

> Thanks and regards, Benjamin
> 
>