(no subject)

From: Guy Rixon <gtr-at-ast.cam.ac.uk>
Date: Mon, 10 May 2004 17:53:05 +0100 (BST)


Hi,

we need, as a group, to raise some proposals for how we do single-sign-on authentication in IVOA web-services.

I like the idea of using the SOAP-header based protocols from OASIS like WS-Security. I think these are going to get the best support from software authors. I dislike the idea of producing private schemes that don't work with external toolkits or with the grid. However, WS-Security et al don't give a complete, prescriptive solution; they have too many alternatives and options. We would need a profile for our use of those standards.

Enter the Basic Security Scenarios from the W/S Interoperability organization:

http://www.ws-i.org/Profiles/BasicSecurity/2004-02/SecurityScenarios-0.15-WGD.pdf

This, if I read it correctly, suggests using digital signatures (implies certificates and PKI) according to WS-Security and nonces plus timestamps (from a different bit of WS-Security) to avoid replay attacks. I'll try and digest these ideas into a possible Way That IVOA Does Things and post that later this week. In the meantime, could those who wish to debate this on-line and at the MA meeting please have a look at the WS-I document?

Thanks,
Guy

Guy Rixon 				        gtr-at-ast.cam.ac.uk
Institute of Astronomy   	                Tel: +44-1223-337542
Madingley Road, Cambridge, UK, CB3 0HA		Fax: +44-1223-337523
Received on 2004-05-10Z18:54:05
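
Added example, not part of the original message or of the WS-I document: a receiver-side sketch of the nonce-plus-timestamp replay check mentioned above, where the signature covers both values. Assumptions: an HMAC with a shared key stands in for the certificate-based signature, the message is a plain dict rather than a SOAP header, and the window, skew, key and sample message are constructed for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Assumption: HMAC with a shared key stands in for the certificate-based
# signature; what matters is that it covers nonce and timestamp.
DEMO_KEY = b"constructed-demo-key"
MAX_AGE = timedelta(minutes=5)    # assumed freshness window
MAX_SKEW = timedelta(seconds=30)  # assumed tolerated clock skew


def sign(nonce: str, created: datetime, body: str, key: bytes = DEMO_KEY) -> str:
    data = "\n".join([nonce, created.isoformat(), body]).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class ReplayGuard:
    """Receiver-side check: valid signature, fresh timestamp, unseen nonce."""

    def __init__(self):
        self._seen = {}  # nonce -> time after which it can be forgotten

    def check(self, msg: dict, now: datetime) -> str:
        expected = sign(msg["nonce"], msg["created"], msg["body"])
        if not hmac.compare_digest(expected, msg["signature"]):
            return "bad-signature"
        if msg["created"] > now + MAX_SKEW:
            return "future-timestamp"
        if now - msg["created"] > MAX_AGE:
            return "stale"
        # Drop nonces whose messages would now be stale; keeps the cache bounded.
        self._seen = {n: t for n, t in self._seen.items() if t > now}
        if msg["nonce"] in self._seen:
            return "replayed"
        self._seen[msg["nonce"]] = msg["created"] + MAX_AGE + MAX_SKEW
        return "accepted"


def demo():
    t0 = datetime(2004, 5, 10, 17, 0, tzinfo=timezone.utc)  # constructed
    msg = {"nonce": "n-001", "created": t0, "body": "<query/>"}
    msg["signature"] = sign(msg["nonce"], msg["created"], msg["body"])
    guard = ReplayGuard()
    results = [guard.check(msg, t0 + timedelta(seconds=2))]      # first delivery
    results.append(guard.check(msg, t0 + timedelta(seconds=9)))  # captured copy
    results.append(guard.check(msg, t0 + timedelta(minutes=6)))  # after window
    forged = dict(msg, nonce="n-002")  # nonce changed, signature not redone
    results.append(guard.check(forged, t0 + timedelta(seconds=9)))
    return results
```

The timestamp bounds how long a nonce has to be remembered, and the signature stops a captured message from being given a fresh nonce or timestamp.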