[ogsa-hpcp-wg] File staging extension

A.S.McGough asm at doc.ic.ac.uk
Thu Nov 1 18:48:20 CDT 2007


Two small points here,

First off, I think we can sell this as a non security problem. We're not 
proposing ftp as a mechanism for transmitting private data. Especially 
if we use usernames of "anonymous" and similar passwords. Many people 
still use ftp for making non-secure information available thus we can do 
the same here. We use ftp to transfer bioinformatics databases which are 
also available from a project web page so this can be seen as not a problem.

Second, I don't know if anyone saw the spam of the 
"we've-scooped-your-passwords" last year (if you didn't they got the 
first five passwords to be the first few lines of the parody on lord of 
the rings "one OS to rule them all...."). I know the people who did this 
and it took over 40,000 connections to get these to the top of the list. 
So hopefully unless we're submitting that many jobs we won't make it 
that high.

Other than that I agree with KISS for now.

steve..


Marty Humphrey wrote:
> Hi Steven,
>
> I'm sorry if I did not make myself clearer. I am NOT suggesting that we
> remove ftp, for the reasons you mention. Rather, I am stating that the set
> of 3 does not include something with a reasonable "security story". Sftp and
> ftps are both "reasonable" in their own ways and arguably should be included
> in the discussion. 
>
> On a related topic, how are we going to feel when all of our passwords
> appear on the "we've-scooped-your-passwords" screen at SC07? :^) 
>
> -- Marty  
>
> -----Original Message-----
> From: Steven Newhouse [mailto:Steven.Newhouse at microsoft.com] 
> Sent: Thursday, November 01, 2007 6:20 PM
> To: Marty Humphrey; 'Vesselin Novov'
> Cc: ogsa-hpcp-wg at ogf.org
> Subject: RE: [ogsa-hpcp-wg] File staging extension
>
> A little more broadly, I am concerned that someone could semi-legitimately
> accuse the HPC Profile effort of "mandating insecurity".
>
> We're mandating in HPCBP that over an open network plain text username and
> passwords are passed over SSL. We're demonstrating a proof of concept that
> using 'movement protocols' such as ftp, http, ... can be integrated into the
> HPCBP by passing in a credential from the client. This IMHO is the goal of
> the normative extensions.
>
> The set of credentials that we mandate that we support and the movement
> protocols that they access is effectively a profile on top of these normative
> extensions. If your HPCBP endpoint is only going to go to files within your
> network (because by policy you do not allow external FTP traffic through
> your firewall) then use of FTP may not be a major concern. Other deployments
> going cross-enterprise in their file access may require that certain
> protocols are only used.
>
> Basically I think we have three phases:
> 1. Proof of concept for SC07 to drive further development of the extensions.
> 2. Developing normative extensions that are fairly flexible in terms of the
> things moved and the tokens used to authenticate access to the things being
> moved.
> 3. Concrete profiles defining the protocols and the credentials. This set
> may be very different in different domains, e-science (GridFTP &
> certificates), commerce (ftp & username/password) for example.
>
> 2 & 3 I think this is something we can really discuss post SC07. For now we
> need to KISS* and together be happy with an answer to 1!
>
> Steven
>
> KISS = Keep It Simple Stupid (This is a generic working group stupid - not a
> person specific stupid in this email thread!)
>
>
>
> --
>   ogsa-hpcp-wg mailing list
>   ogsa-hpcp-wg at ogf.org
>   http://www.ogf.org/mailman/listinfo/ogsa-hpcp-wg
>   


-- 
------------------------------------------------------------------------
Dr A. Stephen McGough                       http://www.doc.ic.ac.uk/~asm
------------------------------------------------------------------------
Technical Coordinator, London e-Science Centre, Imperial College London,
Department of Computing, 180 Queen's Gate, London SW7 2BZ, UK
tel: +44 (0)207-594-8409                        fax: +44 (0)207-581-8024
------------------------------------------------------------------------
