Re: [platform-update-dev] Role Based Updates


How about an adapter approach, like Team?

I haven't heard any good discussion about the interface to directory services and the strong affinity to security services. I don't have a good feeling that we are looking at the bigger picture yet. We are talking about security and role based software configuration without discussing directories and directory services. Typically, groups are managed in the directory. The security system in turn manages the trust relationships and puts ACLs on groups and/or persons. There are many different directory services, starting with directory services from Novell eDirectory, Lotus, Tivoli, CA, Microsoft and many more. Google this: "directory security service". The credentials, format and authentication are done in a variety of ways. For example, a thumbprint is now the credential on a ThinkPad. Whatever we do in this area, I think the Eclipse platform goal should be directory and security agnostic. I want to say we need a platform for directory and security services, like we did for Team providers.

A lot of vendors claim to do LDAP, but most often it's hard to get anything other than the name, phone, address. You end up with the lowest common denominator. Making matters worse, directory services take different credentials: Kerberos (or a flavor thereof), Public Key Infrastructure, X.509, Windows XP security access token + SID, etc.

And, like a Team source repository, it's hard to switch to a new directory and security system.

Should we be talking with real stakeholders, those ISVs in the Directory and Security business?




Thanks,
Scott Fairbrother
Eclipse/WebSphere Studio Jumpstart Team

The Java Developer's Guide to Eclipse - http://www.aw.com/catalog/academic/product/1,4096,0321159640,00.html?type=PRE
Ready for Rational Software partner program - http://www.developer.ibm.com/rational/readyfor.html



Bob Foster <bob@xxxxxxxxxx>
Sent by: platform-update-dev-admin@xxxxxxxxxxx
02/22/2005 11:17 PM
Please respond to: platform-update-dev
To: platform-update-dev@xxxxxxxxxxx
cc:
Subject: Re: [platform-update-dev] Role Based Updates





Christophe Elek wrote:
> Bob,
> No problem

Thanks!

> HTTPS relies on SSL which does the following handshake
>
> 1) client connects to HTTPS
> 2) Server sends server cert
> 3) client verifies cert against its truststore

It made sense right up to here.

> optional
> 4) server asks for client cert
> 5) client sends cert
> 6) server verifies cert

Does somebody really want their cert sitting around on each client's
machine?

> In the current implementation, all works fine if the server certificate is
> signed by a trusted CA which appears in cacerts under the JDK (Verisign,
> Thawte and maybe Equifax depending on your cacert)

Ok.

> If you created your own certificate, the connection will fail miserably
> until you manually add the server certificate in your client

This part I don't understand. But maybe your next paragraph means I
don't need to. ;-}

> When you connect to a HTTPS server from a browser you can get a screen that
> tells you (in a nutshell)
> The certificate you are receiving is signed by <company>
> You do not trust <company> do you want to trust it for this session, for
> ever or decide to cancel
> We can do the same <well, technically it is feasible>

Yes, it makes sense to do the same thing.

Bob


_______________________________________________
platform-update-dev mailing list
platform-update-dev@xxxxxxxxxxx
http://dev.eclipse.org/mailman/listinfo/platform-update-dev
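
The handshake and the browser-style "trust this certificate for this session" idea discussed in the thread above can be sketched with the standard JSSE API. This is an added example, not code from the Eclipse update component or from any poster; the class name `SessionTrustManager` and the method `acceptForSession` are hypothetical. It keeps normal verification against the JDK's cacerts and falls back only to an exact match of a certificate the user explicitly accepted.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.*;

/** Hypothetical helper: JDK cacerts first, then certificates accepted for this session only. */
public final class SessionTrustManager implements X509TrustManager {
    private final X509TrustManager jdkDefault;
    private final Set<X509Certificate> acceptedThisSession = ConcurrentHashMap.newKeySet();

    public SessionTrustManager() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JDK's default truststore (cacerts)
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (found == null && tm instanceof X509TrustManager) found = (X509TrustManager) tm;
        }
        if (found == null) throw new IllegalStateException("no X509TrustManager available");
        jdkDefault = found;
    }

    /** Call only after the user has been shown the certificate details and chose to trust it. */
    public void acceptForSession(X509Certificate serverCert) {
        acceptedThisSession.add(serverCert);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        try {
            jdkDefault.checkServerTrusted(chain, authType); // step 3: verify against the truststore
        } catch (CertificateException e) {
            // Not signed by a CA in cacerts: allow only an exact match of a user-accepted leaf cert.
            if (chain == null || chain.length == 0 || !acceptedThisSession.contains(chain[0])) throw e;
            chain[0].checkValidity(); // still reject expired or not-yet-valid certificates
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        jdkDefault.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() { return jdkDefault.getAcceptedIssuers(); }
}
```

An instance is passed as the only trust manager to `SSLContext.init(null, new TrustManager[] { tm }, null)`; the accepted set lives in memory, so the decision lasts only for the session unless the caller persists it.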