Globus/GSI versus Kerberos

[Tim Warnock]

I was curious if anyone has any comments (personal/political/technical) 
or could point me to a decent resource comparing Globus versus 
Kerberos.  I've had to work with Globus quite a bit, and the overall 
trend in the existing GSI-based research grids is to move towards 
centrally managed cert/key repositories despite the pure GSI notion of 
keeping everything distributed.  There's a handful of new research 
projects that basically take GSI and add that "centralized" portion, 
although in my opinion it's starting to resemble a Kerberos 
architecture.  In my case, in effort to get Globus actually working for 
our users, we had to create a similar "centralized" architecture (see 
gridauth.com), this ended up purposely abstracting Globus. It's 
abstracted in such a way we could easily drop Globus (GSI-based CA) and 
replace it with Kerberos or even a simple password hash scheme.  For our 
users needs this would be perfectly suitable (and transparent), except 
politically it would raise hell.

I know a lot of work has gone into building the bridge between Kerberos 
and GSI, but in this case it's more a matter of utilizing a secure 
authentication mechanism that's easiest to manage centrally (to the 
users and developers it's all abstracted behind RESTful web services). 
Any thoughts or advice would be appreciated, technical papers or 
security reports comparing the two systems would be great as well.

-- 
Cheers,

Timothy J Warnock
Senior Data Architect - NEESit
San Diego Supercomputer Center
phone: (858) 822-5473
fax:   (858) 822-5464

University of California, San Diego
9500 Gilman Drive
La Jolla, CA 92093-0505