Available delegation services

There are several available delegation protocols available:

  • the original GridSite Delegation Service Protocol,
  • the gLite/GridSite Delegation Service Protocol,
  • the Globus Credential Delegation Service,
  • Globus' New Delegation Service,
  • the IVOA Credential Delegation Protocol.
  • WS-Trust (an extension to WS-Security).

These are briefly discussed below.

Original GridSite Delegation Service Protocol

This protocol is document in the GridSite pages. It supports two operations: getProxyReq and putProxy. The semantics are that getProxyReq receives the public key of the newly generated proxy that the client is to sign. Once signed, the certificate is uploaded using putProxy.

The description, protocol (and, therefore, also the WSDL) has been superseded by the gLite/GridSite protocol.

gLite/GridSite protocol

The gLite/GridSite protocol extends the original GridSite protocol. There are three versions of this protocol:

  • version 1.0.0: the Original GridSite Delegation Service Protocol, supporting getProxyReq and putProxy operations. The client issues getProxyReq with an ID, the client then signs the cert. request and uploads the certificate using putProxy operation. This is essentially the same as the original GridSite Delegation Service (see above).
  • version 1.1.0: introduces the concept of a delegation session by adding: getNewProxyReq, renewProxyReq, getTerminationTime, destroy operations. Both getNewProxyReq and renewProxyReq require the client to complete the operation with the v1.0.0 putProxy operation.
  • version 2.0.0 (the latest) adds some ancillary information operations: getVersion, getInterfaceVersion, getServiceMetadata.

The semantics of these operations are described in the interface documentation.

Available implementations

There are several projects in the gLite CVS repository (:pserver:anonymous@glite.cvs.cern.ch:/cvs/glite) that provide some support for GDS or delegation.

GDS v2.0.0

These projects provide support for GDS v2.0.0

GDS v1.1.0


Globus Credential Delegation Service

This service was supplied as part of Globus Toolkit (GT) v4.0.

Globus has dropped support for their Delegation Service with GTv5.0. There is no explicit mention that they've dropped support in their release notes and the component is no longer listed.

Globus New Delegation Service

As part of their effort in moving away from GSI towards SSL/TLS, Globus will provide a new delegation service. Details are scarce at the moment, but it is anticipated that it will be RESTful.

IVOA Delegation service

Version 1.0 of the IVOA Credential Delegation Protocol is described in this page.

The AstroGrid security, delegation page describes the AstroGrid implementation, which is a Java client + server.

Here is a brief analysis from Joni Hahkala:

The IVOA protocol seems good and seems to be well defined. But it seems 
to assume the user needs just one delegation. In gridsite delegation 
there is so called delegation id which allows the user to have several 
delegations at the same time with for example different VO attributes. 
By default in our systems this id is generated and filled with hash of 
the VO attributes allowing the user to do things with different roles 
etc at the same time without the credentials getting mixed up. Otherwise 
the protocols are pretty close to eachother.


According to the standard's introduction, WS-Trust is defined as extensions to the WS-Security family that provide:

  • Methods for issuing, renewing, and validating security tokens.
  • Ways to establish assess the presence of, and broker trust relationships.

This requires deployment of the WS-Security framework. WS-Security is orthogonal to transport-level security. Instead, it secures messages uses XML Signing (XML-SIG) and XML Encryption (XML-ENC). A "light-weight" option is available WS-SecureConversation, which works on multiple messages.

WS-Security has a strongly adverse affect on performance.

A study by Francois Lascelles, Aaron Flint "WS Security Performance. Secure Conversation versus the X509 Profile" showed that using WS-SecurityConversion (XML-SIG and XML-ENC) yields some %27 of the performance using TLS and using WS-Security (XML-SIG and XML-ENC) provides %12 of the TLS performance.

-- PaulMillar - 17-Nov-2010

Edit | Attach | Watch | Print version | History: r4 < r3 < r2 < r1 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r4 - 2010-11-30 - PaulMillar
    • Cern Search Icon Cern Search
    • TWiki Search Icon TWiki Search
    • Google Search Icon Google Search

    EMI All webs login

This site is powered by the TWiki collaboration platform Powered by PerlCopyright & 2008-2021 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
or Ideas, requests, problems regarding TWiki? use Discourse or Send feedback