[Nsi-wg] Presentations from today

Henrik Thostrup Jensen htj at nordu.net
Wed Jun 20 04:40:38 EDT 2012


Hi

I'm going to throw a lot of fruit here...

On Tue, 19 Jun 2012, Inder Monga wrote:

> On Documents structure, new services and security.

Slide 2:

When was confidentiality thrown out the window as a requirement?
I do think privacy matters.


Slide 3:

Could you pleeeease stop with the proxy argument. It is completely bunk.

Yes, there are SSL/TLS proxies. And they are very useful. They offload the 
decryption to other CPUs or machines. They are often also quite easy to 
configure, which is great for admins. In almost all cases the proxy runs 
on the same machine as the application or a machine next to it.

There is no one forcing you to run a proxy. It is perfectly possible to 
run SSL/TLS within the application.

There is absolutely _nothing_ preventing proxies with WS-Security. It is 
just more clumsy since it is at message level and not transport level.

With your level of reasoning NSI should be implemented in the ASIC in 
routers. Only then will we have true end-to-end security.

Also, HTTPS is not a transport protocol, but let's get moving.


Slide 4:

Saying that WS-Security is the only option is simply not true.


Slide 6:

SAML? Seriously? :-). Why do we need federated authentication?

It is my impression that SAML is largely being superseded by OAuth 2.0 
these days (which is quite different from OAuth 1 btw.).


Slide 9:

Username+password & X509 & SAML. All of them? Oh joy. Why don't we just 
say that we don't know or couldn't decide.


Slide 10:

WS-Security does not establish a secure transport. That is a very 
fundamental part of message level security. FWIW there is actually a WS 
standard for establishing secure transports with SOAP called 
WS-SecureConversation, but I don't want to give you too many good ideas.


Slide 11:

What... we've decided now?

I really really hope you mean "SAML assertions for AuthN" and not authZ. 
We still want to allow NSA to decide what they authorize, right?


     Best regards, Henrik

  Henrik Thostrup Jensen <htj at nordu.net>
  Software Developer, NORDUnet
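The thread above turns on the difference between transport-level security (TLS, which ends at whatever terminates the connection, proxy or application) and message-level security (WS-Security, where the protection travels with the message itself). The following is an added illustration of that distinction, not code from the original post, from NSI, or from any WS-Security implementation: it uses a plain HMAC over a canonicalised JSON envelope as a stand-in for WS-Security's XML Signature, so it shows the property (the signature is bound to the message, not to the connection, and so survives a re-serialising intermediary while still catching tampering and stale replays) rather than the real wire format. The key, field names and timestamps are constructed.

```python
"""Transport-level vs message-level integrity: a constructed illustration.

Not part of the original mailing-list post. Stands in for WS-Security with
an HMAC over a canonicalised envelope; real WS-Security uses XML Signature
and X.509 or SAML tokens, not a shared key.
"""
import hashlib
import hmac
import json

# Constructed demo key. A real deployment would use per-peer credentials.
SHARED_KEY = b"constructed-demo-key"


def canonicalize(msg: dict) -> bytes:
    """Serialise with sorted keys and no whitespace so that an intermediary
    which parses and re-emits the message does not change the signed bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def sign_message(body: dict, key: bytes, created: int) -> dict:
    """Attach a message-level signature covering the header timestamp and body."""
    envelope = {"header": {"created": created}, "body": body}
    mac = hmac.new(key, canonicalize(envelope), hashlib.sha256).hexdigest()
    envelope["header"]["signature"] = mac
    return envelope


def verify_message(envelope: dict, key: bytes, now: int, max_age: int = 300) -> bool:
    """Verify the signature end-to-end, independent of how the message travelled,
    and reject messages whose 'created' timestamp is missing, future, or too old."""
    header = dict(envelope.get("header", {}))
    sig = header.pop("signature", None)
    created = header.get("created")
    if sig is None or not isinstance(created, int):
        return False
    unsigned = {"header": header, "body": envelope.get("body")}
    expected = hmac.new(key, canonicalize(unsigned), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False
    return 0 <= now - created <= max_age


def terminating_proxy_hop(wire: bytes) -> bytes:
    """Models a TLS-terminating proxy: the transport protection ends here, the
    message is parsed and re-serialised (different formatting) and forwarded.
    Transport security says nothing about what happens on this hop; the
    message-level signature still has to verify on the far side."""
    return json.dumps(json.loads(wire), indent=2).encode()


def tampering_hop(wire: bytes) -> bytes:
    """Models a hop that alters the request body after the transport was
    terminated. Used here only to show that verification catches it."""
    msg = json.loads(wire)
    msg["body"]["bandwidth_mbps"] = 10000  # constructed modification
    return json.dumps(msg).encode()


def demo() -> tuple:
    """Returns (verified_through_proxy, verified_after_tampering, verified_when_stale)."""
    created = 1_340_180_438  # constructed timestamp
    body = {"connection_id": "demo-1", "bandwidth_mbps": 100}  # constructed NSI-like body
    wire = json.dumps(sign_message(body, SHARED_KEY, created)).encode()

    through_proxy = verify_message(json.loads(terminating_proxy_hop(wire)), SHARED_KEY, created + 10)
    after_tamper = verify_message(json.loads(tampering_hop(wire)), SHARED_KEY, created + 10)
    when_stale = verify_message(json.loads(terminating_proxy_hop(wire)), SHARED_KEY, created + 3600)
    return through_proxy, after_tamper, when_stale


if __name__ == "__main__":
    print(demo())
```

The point the code makes is the one the thread argues about: a re-formatting proxy in the path does not break message-level verification, because the receiver recomputes the MAC over canonical bytes rather than trusting the channel, while a modified body or an old replayed envelope fails regardless of whether the hop was TLS-protected.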


