[acs-wg] Re: Feedback from review of requirements spreadsheet
Keisuke Fukui
kfukui at labs.fujitsu.com
Mon Jan 31 21:24:36 CST 2005
Pete,
Ziu, Peter wrote:
> Agreed with all your responses. 2.4e is clarified.
Fine. I will update the doc.
> I think I am mistaken
> concerning the PKI DN data. The PKI DN is the distinguished name (x509
> standard) of an identity (string). I was suggesting that we might need to
> make bindings of software/drivers to certain machine identities, not just
> classes of machine types. To do this, we will need some way to work with
> the security folks to use x509 identities to target software to them (or
> a unique id that is bound to the DN). I was just suggesting that perhaps
> some type of identity data will need to be stored/bound. Although, the
> right place for that is still probably in the job description/constraints,
> and has already been handled?
Agreed. We need more work on security requirements. Maybe we should
ask consultation from security area folk or at least a review of the doc.
Does anyone have idea who we can ask?
I'm aware of the vast compilation about the security requirements. However,
we need a concise set of high level requirements. I hope the rest can be
additionally considered after the framework of the spec. is clarified,
with a minimal modification to what is described.
Note:
I think this might contain the most comprehensive description about
the security.
http://niap.nist.gov/cc-scheme/cc_docs/index.html
I found the below contains more concise overview about the aspect
though it is dated 2001.
http://www.bitsinfo.org/MSCv30sept03.pdf
-Keisuke
>
> Pete.
>
> -----Original Message-----
> From: owner-acs-wg at ggf.org [mailto:owner-acs-wg at ggf.org]On Behalf Of
> Keisuke Fukui
> Sent: Monday, January 31, 2005 3:03 AM
> To: pete at ziu.net
> Cc: acs-wg at ggf.org
> Subject: [acs-wg] Re: Feedback from review of requirements spreadsheet
>
>
> Hi Pete,
>
> Thanks. You gave me good points in your comments.
>
> pete at ziu.net wrote:
>
>>Keisuke,
>>
>>This is a good start. I could only find some minor appearances of
>>conflicts between items. I also threw in some potential items to think
>>about:
>>
>> - These two items appear to be at odds, or contradictory. Items 1.1-a
>>and 2.4-a. The first states everything must be in one archive (file),
>>and the latter states external references are legal. Perhaps we could
>>reword somehow to say the "notion of one logical archive (with version
>>stamp and signature) must be maintained"?
>
>
> I got your point. Yes, it literally contradicts. I should have said:
>
> [1.1-a] AAF/ARI: Application contents must be bundled in a single and
> consistent archive, either in a actual contents or in an external reference.
>
> This would be more specific rather than introducing the term "logical",
> since it is used everywhere in the world and we haven't had its meaning
> narrowed down here.
>
>
>>- 2.4-e states that any protocol must be allowed, but 4.a states that
>>SOAP/WS must be used. Is there an issue here if one wishes to
>>implement a multi-protocol ACS solution (say SOAP/WS and RMI and CORBA
>> [for legacy support, since this archive system could serve other
>>paradigms as well])?
>
>
> I believe the short description in the requirements text lacks restrictive
> word to talk about the protocol. I should have said:
>
> [2.4-e] ARI: ACS should allow ARI implementers to select a communication
> protocol for transport of the bulk data transfer.
>
> Doesn't it clarify the point yet?
>
>
>>
>>I was wondering if there was more to add to the list:
>>
>> - Perhaps there should be different classes of archives that can be
>>linked together, internally or externally from the package, such as
>>"foundational/infrastructure bundles" (PK DN descriptions, OS, drivers,
>>etc.), Application bundles, and data bundles?
>
>
> Yes, I would like to cover diversity of the application contents; it includes
> OS, drivers and middleware. What is "PK DN descriptors" here you mentioned?
>
>
>> - Seems like there must be the ability to replicate/synchronize, in
>>part of whole, the archive server/storage, since some of the binaries
>>are bound to large or very large (packaged OS stuff and data), and may
>>be inefficient to transmit across long hauls. Many times, an enterprise
>>system may wish to distributed non-transactional/non-realtime or
>>infrequently updated data to many locations for WAN load distribution,
>>different physical site redundancy, and reducing routes/long hauls. ACS
>>data is a good fit for this type of behavior.
>
>
> Yes, I believe the above describes what I meant for.
>
>
>> - Is there any idea of, or existing software unit and unique identity,
>> to deploy across an enterprise on all devices to remotely enable the
>>usage of the device to become part of a grid? This could access ACS to
>>obtain needed software. Also, is there a bootp-like service to deploy
>>this software unit/kernel? (may be out of scope of ACS, but should allow
>>for the possiblity to accept client connections from this type of
>>software unit in our use-cases).
>
>
> I would call for expertise from the broader range of the people for this
> discussion. Maybe we can attract them at the GGF13 sessions.
>
> P.S.
> Should we have some tele-conferences in February? We need decide the
> session plan by Feb. 18 according to the GGF office notice.
>
>
> -Keisuke
>
More information about the acs-wg
mailing list