SRMSEC: migration from GSI to TLS/SSL

Currently, SRM software uses the proprietary GSI security protocol. This was developed by the Globus Alliance and was based on the existing SSL standard. Support for this protocol is available only from Globus. With the standardisation of proxy certificates, SSL libraries began to support delegated proxy. This meant that many of the operations provided by SRM (those that do not require delegation) may be made available using SSL rather than GSI, and using standard libraries. Remaining open is how to handle those operations that require the server to have a delegated certificate.

This activity is to migrate deployed storage element software from using SRM that supports only GSI to software that supports clients using the SSL/TLS protocol. As described in the Description of Work, there are a number of steps to achieve this:

1. Describe how SRM over SSL should work,
2. Creating one prototype SE and one client,
3. All EMI Storage Elements plus EMI clients adopt plan,
4. Design a migration strategy,
5. Enact the strategy.

Related activity

There is activity in EMI JRA1.x (security) about migration from GSI to SSL.

Design documents

There is:

• a list of delegation services.
• 1st straw man design an obsolete idea of how SRM would work over SSL.
• SRM-over-SSL describes how SRM works over SSL.
• a list of open questions. This list should shrink over time.
• a list of agreed behaviour. This list should grow over time.

Meetings

There was a face-to-face in EGI Technical Forum, Amsterdam (2010-09-16).

Phone meetings:

• 2011-01-14.

-- PaulMillar - 04-Oct-2010