Hi all,
To follow up on this, I just received this link from Ingo describing a
blog post about this topic:
http://blogs.sun.com/andreas/entry/no_more_unable_to_find
This describes a small Java program that can do the following:
1. Given a domain / network address, download the corresponding
certificate(s).
2. Allow the user to inspect the certificate after which the user can
choose to accept or reject it.
Hence this is basically the behaviour similar to what most web
browsers do and what we would want. The only difference is that this
tool interacts with the user on the command line and in Taverna you
would want a popup window or something similar, but it's open source,
so it's easy to see how it's done and you might borrow a few lines of
code :)
Cheers,
Pi
On 19 Jan 2009, at 15:54, Pieter Neerincx wrote:
> On 19 Jan 2009, at 01:32, Tom Oinn wrote:
>
>> Pieter Neerincx wrote:
>>
>> <snip>
>>
>>> To be honest that still doesn't sound very attractive to me. Current
>>> situation per SSL-secured server: import certificate once and run
>>> many different activities in many different workflows. Proposed
>>> situation per SSL-secured server: configure the handling for each
>>> activity in every workflow. That is a few clicks versus a massive
>>> amount of clicking depending on how frequently you use Taverna. You
>>> either trust a certain service provider or you don't, but it sounds
>>> a bit weird to me to trust the same service provider on a case by
>>> case basis...
>>
>> Really this is back into the UI space - one could envisage a version
>> of the moby plug-in that would pop up a dialog the first time you
>> added a service with an https endpoint to ask whether you were sure
>> you wanted to use it and allow you to check the certificates and from
>> then on would assume that you were happy with them. In fact you could
>> potentially even use this kind of code to include a hash of the
>> certificate in the activity configuration, thus recording the
>> certificate used by the service at workflow construction time and
>> opening up the possibility of a workflow check plug-in that would
>> retrieve the certificates for each service at workflow runtime and
>> see if any had changed. Sure, some extra work in the plug-in, but the
>> effect for a user running the workflow would be that they'd
>> effectively be trusting the decision made by the workflow author and
>> would be warned if the certs had changed to render this decision
>> invalid.
>>
>> Actually the above seems like a pretty solid solution, see any issues
>> with it?
>
> No, apart from the extra work for the developers maybe :). This
> would be great for the users!
>
>> The 'click overhead' is once per service provider (technically once
>> per certificate) for the workflow author then none for a workflow
>> consumer providing those certificates aren't altered. I don't think
>> you lose any security and you gain a lot of usability in the process
>> (so actually you gain security because making the same level of
>> security more easily attainable is effectively providing more
>> security in real terms).
>
> Indeed :)
>
>> While we're on this general subject I suggested ages ago that we
>> could allow workflows to be signed themselves, this could potentially
>> allow for more 'open' workflow enactment services as it would provide
>> a solid sign-off mechanism to indicate that a workflow didn't do
>> anything nasty (beanshell scripts to read /etc/passwd and suchlike)
>> and might make the notion of a general enactment service more
>> palatable to administrators. Not an immediate requirement I know, but
>> something to consider in terms of more constrained environments.
>>
>> Tom
>
-------------------------------------------------------------
Wageningen University and Research centre (WUR)
Laboratory of Bioinformatics
Transitorium (building 312) room 1034
Dreijenlaan 3
6703 HA Wageningen
The Netherlands
phone: +31 (0)317-483 060
mobile: +31 (0)6-143 66 783
e-mail: [email protected]
skype: pieter.online
-------------------------------------------------------------
_______________________________________________
taverna-hackers mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/taverna-hackers
Developers Guide: http://www.mygrid.org.uk/usermanual1.7/dev_guide.html
FAQ: http://www.mygrid.org.uk/wiki/Mygrid/TavernaFaq
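
The certificate-hash idea from the quoted discussion above (record a hash in the activity configuration at workflow construction time, re-fetch and compare at run time), sketched in Python as an added example. It is not code from this thread, the linked blog post or Taverna; the activity dictionary layout, the `cert_sha256` key, the function names and the endpoint are assumptions.

```python
import hashlib
import hmac
import ssl
from urllib.parse import urlsplit


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding of the certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def fetch_der(endpoint: str) -> bytes:
    """Download the server's leaf certificate without validating it (network)."""
    url = urlsplit(endpoint)
    pem = ssl.get_server_certificate((url.hostname, url.port or 443))
    return ssl.PEM_cert_to_DER_cert(pem)


def pin_activity(activity: dict, fetch=fetch_der) -> dict:
    """Construction time: once the author accepts the certificate, store its hash."""
    pinned = dict(activity)
    pinned["cert_sha256"] = fingerprint(fetch(activity["endpoint"]))
    return pinned


def check_activity(activity: dict, fetch=fetch_der) -> str:
    """Run time: compare the certificate served now with the recorded hash."""
    if urlsplit(activity["endpoint"]).scheme != "https":
        return "not-https"
    recorded = activity.get("cert_sha256")
    if recorded is None:
        return "unpinned"          # the author never reviewed a certificate
    try:
        current = fingerprint(fetch(activity["endpoint"]))
    except (OSError, ValueError):  # host unreachable, TLS failure, bad PEM
        return "unreachable"
    return "unchanged" if hmac.compare_digest(current, recorded) else "changed"


def check_workflow(activities, fetch=fetch_der) -> dict:
    """Status per activity name; anything but 'unchanged' should warn the user."""
    return {a["name"]: check_activity(a, fetch) for a in activities}


if __name__ == "__main__":
    # Constructed stand-in bytes, not a real certificate; hypothetical endpoint.
    url = "https://moby.example.org/svc"
    served = {url: b"constructed DER bytes, version 1"}
    act = pin_activity({"name": "getSeq", "endpoint": url}, served.get)
    served[url] = b"constructed DER bytes, version 2"
    print(check_workflow([act], served.get))
```

A "changed" result only says the certificate differs from the one the workflow author accepted, which also happens on routine renewal, so the user still has to inspect and re-accept it.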