[ogsa-hpcp-wg] draft "security considerations" for HPC Basic Profile

Marty Humphrey humphrey at cs.virginia.edu
Wed Dec 13 17:30:12 CST 2006


Folks,

Thanks again for all of your hard work for the Supercomputing demo last
month. I believe that we now have a new HPC Basic Profile that reflects our
collective experiences, at least in regard to security.

More precisely, I have uploaded a new draft of the "HPC Basic Profile" to
forge.ogf.org. The *only* modification is the inclusion of a "Security
Considerations" section based on our collective experiences of the SC2006
interopfest. I encourage you to read it at:
http://forge.ggf.org/sf/docman/do/downloadDocument/projects.ogsa-hpcp-wg/docman.root.drafts.hpc_basic_profile/doc13736/5

Note: I remind everyone that the "HPC Basic Profile" corresponds to the
"Base Case" of the use-case/requirements document
(http://www.ggf.org/Public_Comment_Docs/Documents/Aug-2006/draft-ggf-ogsa-hpcp-use-cases-02.pdf);
correspondingly, the "security considerations" of this "HPC Basic Profile"
doc essentially only covers this "Base Case" as well. The "Common Cases" are
NOT specifically addressed.

For those of you who cannot immediately read this, the essence of the HPC
Basic Profile "Security Considerations" in this draft is as follows:

R0501: An INSTANCE MUST support TLS 1.0, SHOULD support SSL 3.0, and SHOULD
support TLS 1.1.

R0502: An INSTANCE MUST support the FIPS-140 compliant ciphersuites.

R0503: An INSTANCE MUST support TLS_RSA_WITH_AES_128_CBC_SHA.

R0504: An INSTANCE MUST support service authentication using X.509
certificates using RSA cryptographic keys and the SHA-1 digest algorithm.

R0505: An INSTANCE MUST support either client authentication using
username/password credentials or X.509 certificates using RSA cryptographic
keys and the SHA-1 digest algorithm.

R0506: An INSTANCE must use TLS/SSL encryption key agreement based on the
RSA algorithm. Diffie-Hellman key agreement shall not be used.

R0507: Client authentication based on username/password must use a password
digest and conform to the Web Services Security Username Token Profile 1.1.
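R0507 mandates the password-digest form of the WS-Security UsernameToken Profile 1.1. The Python below is added here as an illustration (it is not part of the draft profile or of this email) and shows how a client computes PasswordDigest = Base64(SHA-1(nonce + created + password)) and how a service verifies it, including the nonce cache and Created-freshness checks that keep a captured digest from being replayed. The username, password and 5-minute freshness window are constructed assumptions.

```python
import base64
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # wsu:Created as xsd:dateTime in UTC

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)) per UsernameToken Profile 1.1."""
    digest = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(digest).decode("ascii")

def make_token(username, password, now):
    """Client side: Nonce travels Base64-encoded, but the digest is over the raw nonce bytes."""
    nonce = secrets.token_bytes(16)
    created = now.strftime(TIME_FMT)
    return {"Username": username, "Nonce": base64.b64encode(nonce).decode("ascii"),
            "Created": created, "PasswordDigest": password_digest(nonce, created, password)}

class DigestVerifier:
    """Service side: recompute the digest, reject stale Created values and replayed nonces."""
    def __init__(self, passwords, freshness=timedelta(minutes=5)):
        self.passwords = passwords    # username -> password (digest auth needs the clear password)
        self.freshness = freshness    # constructed assumption: 5-minute clock-skew window
        self.seen_nonces = set()      # nonce cache; must cover at least the freshness window

    def verify(self, token, now):
        password = self.passwords.get(token["Username"])
        if password is None:
            return False
        created = datetime.strptime(token["Created"], TIME_FMT).replace(tzinfo=timezone.utc)
        if abs(now - created) > self.freshness:
            return False              # stale (or far-future) timestamp
        if token["Nonce"] in self.seen_nonces:
            return False              # replayed token
        expected = password_digest(base64.b64decode(token["Nonce"]), token["Created"], password)
        if not secrets.compare_digest(expected, token["PasswordDigest"]):
            return False              # wrong password; constant-time comparison
        self.seen_nonces.add(token["Nonce"])
        return True

def demo():
    """Constructed scenario: fresh token, replay, stale token, wrong password."""
    t0 = datetime(2006, 12, 13, 23, 30, 12, tzinfo=timezone.utc)
    token = make_token("alice", "correct horse", t0)
    service = DigestVerifier({"alice": "correct horse"})
    first = service.verify(token, t0)
    replay = service.verify(token, t0 + timedelta(seconds=30))
    stale = DigestVerifier({"alice": "correct horse"}).verify(token, t0 + timedelta(hours=1))
    wrong = DigestVerifier({"alice": "other"}).verify(token, t0)
    return first, replay, stale, wrong  # (True, False, False, False)
```

Note that the service must hold the clear-text password (or a reversible equivalent) to recompute the digest, which is the main operational cost of this profile's username/password option compared with the X.509 option in R0505.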

We encourage comments/questions on these 7 requirements/mandates, both on
this email list and on the call this Friday (11am Eastern).

However, *BEFORE* raising a question or concern on this list above, *PLEASE*
read the document first, as the document has a fairly detailed (for a
technical recommendation) explanation/justification. Your questions might
possibly be answered in this doc.

I also note that this is a *DRAFT*, so there's plenty of time/room for
discussion on this!

See you on the call on Friday. This security section will be the main topic.

-- Marty 
