On Sep 26, 2014, at 10:02 AM, Andrew Hanushevsky <[log in to unmask]> wrote:
> Hi Brian,
>
> The rendezvous key is exactly that -- it allows two authenticated agents to rendezvous on a copy request. Both have to be authenticated. I can't comment on the security aspects of the GridFTP method but allowing an unauthenticated agent to rendezvous is asking for trouble since a black hat could potentially spoof/steal the rendezvous key and leave few, if any, tracks. The method employed by xroot makes it nearly impossible to do that.
I think I'm missing something. My understanding is that there are *three* authenticated agents:
1) Client authenticates with server A
2) Client authenticates with server B
3) Server B authenticates with server A
So, I need some external method for bootstrapping authentication for server B *independent of the client*. Or, perhaps more simply, I misunderstood your email ;)
GridFTP is secure because server B is told by the client the CA and DN to trust for the connection to server A. There's no opportunity to steal / spoof the key because it relies on GSI and SSL (of course, you get the normal caveats - if someone has stolen server A's certificate, broken SSL, etc).
>
> As for a custom cms client, I don't see why that is necessary but then again I don't know the context all that well. All I know is that xrdcp works fine doing TPC and is used by FTS a lot.
>
I'm assuming EOS writes via POSIX into the local filesystem and doesn't need a N2N mapping?
Brian
To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1