[ogsa-hpcp-wg] File staging extension

Marty Humphrey humphrey at cs.virginia.edu
Thu Nov 1 17:37:41 CDT 2007


Hi Steven,

I'm sorry if I did not make myself clearer. I am NOT suggesting that we
remove ftp, for the reasons you mention. Rather, I am stating that the set
of 3 does not include something with a reasonable "security story". Sftp and
ftps are both "reasonable" in their own ways and arguably should be included
in the discussion. 

On a related topic, how are we going to feel when all of our passwords
appear on the "we've-scooped-your-passwords" screen at SC07? :^) 

-- Marty  

-----Original Message-----
From: Steven Newhouse [mailto:Steven.Newhouse at microsoft.com] 
Sent: Thursday, November 01, 2007 6:20 PM
To: Marty Humphrey; 'Vesselin Novov'
Cc: ogsa-hpcp-wg at ogf.org
Subject: RE: [ogsa-hpcp-wg] File staging extension

A little more broadly, I am concerned that someone could semi-legitimately
accuse the HPC Profile effort of "mandating insecurity".

We're mandating in HPCBP that over an open network a plain-text username and
password are passed over SSL. We're demonstrating a proof of concept that
using 'movement protocols' such as ftp, http, ... can be integrated into the
HPCBP by passing in a credential from the client. This IMHO is the goal of
the normative extensions.

The set of credentials that we mandate that we support and the movement
protocols that they access is effectively a profile on top of these normative
extensions. If your HPCBP endpoint is only going to go to files within your
network (because by policy you do not allow external FTP traffic through
your firewall) then use of FTP may not be a major concern. Other deployments
going cross-enterprise in their file access may require that certain
protocols are only used.

Basically I think we have three phases:
1. Proof of concept for SC07 to drive further development of the extensions.
2. Developing normative extensions that are fairly flexible in terms of the
things moved and the tokens used to authenticate access to the things being
moved.
3. Concrete profiles defining the protocols and the credentials. This set
may be very different in different domains, e-science (GridFTP &
certificates), commerce (ftp & username/password) for example.

For 2 & 3, I think this is something we can really discuss post-SC07. For now we
need to KISS* and together be happy with an answer to 1!

Steven

KISS = Keep It Simple Stupid (This is a generic working group stupid - not a
person specific stupid in this email thread!)
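The "concrete profile" idea in Steven's phase 3 (a deployment deciding which movement protocols and which credential types it accepts, and confining cleartext FTP to its own network, as in the firewall-policy case above) can be made mechanical. The following is an added example written for this page; it is not HPCBP, OGF, or any working-group code, and the profile names, the `gsiftp` scheme label, the `Credential`/`Profile` types and the RFC 1918 test for "inside the network" are all this example's own assumptions. It also rejects a credential embedded in the URL, since the thread's design passes the credential separately from the staging request.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Tuple
from urllib.parse import urlparse

# Movement protocols grouped by whether the wire is encrypted. 'gsiftp' stands
# in for GridFTP here; this grouping is the example's assumption, not a spec.
ENCRYPTED = frozenset({"ftps", "sftp", "https", "gsiftp"})
CLEARTEXT = frozenset({"ftp", "http"})

# "Inside our network" is approximated by RFC 1918 literals (assumption).
PRIVATE_NETS = tuple(ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


@dataclass(frozen=True)
class Credential:
    kind: str      # "password" or "certificate" (hypothetical labels)
    subject: str   # username or certificate DN; never included in reasons


@dataclass(frozen=True)
class Profile:
    """One concrete profile: accepted protocols, accepted credential types,
    and whether cleartext protocols are limited to internal hosts."""
    name: str
    protocols: FrozenSet[str]
    credentials: FrozenSet[str]
    cleartext_internal_only: bool


# Two hypothetical profiles mirroring the thread's examples.
ESCIENCE = Profile("e-science", frozenset({"gsiftp", "sftp"}),
                   frozenset({"certificate"}), True)
COMMERCE = Profile("commerce", frozenset({"ftp", "ftps", "sftp"}),
                   frozenset({"password"}), True)


def is_internal(host: str) -> bool:
    """True only for RFC 1918 address literals. Names are not resolved
    (this runs offline), so a hostname counts as external, the safe default."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_NETS)


def check_staging(profile: Profile, url: str,
                  cred: Credential) -> Tuple[bool, str]:
    """Decide whether a staging request (URL plus separately supplied
    credential) is acceptable under `profile`. Returns (accepted, reason)."""
    u = urlparse(url)
    scheme = u.scheme.lower()
    host = u.hostname or ""
    if u.username is not None or u.password is not None:
        # user:pass@host URLs end up in logs and job descriptions.
        return False, "credential embedded in URL"
    if scheme not in profile.protocols:
        return False, f"protocol {scheme!r} not allowed by profile {profile.name}"
    if cred.kind not in profile.credentials:
        return False, (f"credential type {cred.kind!r} not allowed by "
                       f"profile {profile.name}")
    if (scheme in CLEARTEXT and profile.cleartext_internal_only
            and not is_internal(host)):
        return False, f"{scheme} to external host {host!r} would expose the credential"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample requests, not taken from any real deployment.
    pw = Credential("password", "alice")
    cert = Credential("certificate", "/DC=org/DC=example/CN=alice")
    for prof, url, cred in [
        (COMMERCE, "ftp://10.1.2.3/inbound/data.dat", pw),
        (COMMERCE, "ftp://ftp.partner.example/inbound/data.dat", pw),
        (COMMERCE, "ftps://ftp.partner.example/inbound/data.dat", pw),
        (COMMERCE, "ftps://alice:secret@10.1.2.3/inbound/data.dat", pw),
        (ESCIENCE, "gsiftp://gridftp.site.example/home/alice/data.dat", cert),
        (ESCIENCE, "sftp://10.1.2.3/data.dat", pw),
    ]:
        print(prof.name, cred.kind, url, "->", check_staging(prof, url, cred))
```

The external/internal test is deliberately conservative: an unresolved hostname is treated as external, so a commerce-profile `ftp://` request to anything but an address literal inside the private ranges is refused rather than risk sending the password in the clear across the firewall.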
