[ogsa-wg] Comments on OGSA WSRF BP 1.0 draft 25 (specifically security)

humphrey at cs.virginia.edu
Thu Jul 14 20:09:28 CDT 2005


I assume that this document has not entered public comment, so I'll post my 
comments here regarding security. I'm afraid that these are largely the SAME 
comments that I've made before.

Here are my specific concerns...

The security section (section 8.1) implies that *EVERY* SOAP message must be 
either (1) over TLS or (2) "SOAP Message security with XML signature and/or 
XML Encryption". If you truly mean this (implied by "R0811"), this is overly 
restrictive and makes no sense (there does not exist *ANY* message that can 
justifiably be sent between services/clients that need not incur the overhead 
of crypto?). However, it's not clear if you really mean this 
("R0819", "R0820", "R0821", "R0822", "R0823" seem to imply otherwise)... so, 
what exactly is the intention here? 

In general, section 8.1.2 is too restrictive -- "mutual-authenticated WS-
Communication will be required" is overly restrictive. And this section 
includes this statement: "The Profile mandates that there be no anonymous 
communication. To ensure interoperability, only X.509 certificate-based 
authentication is permitted by the Profile.") So, this latter part in 
particular says that there is *NO PLACE* for password authentication in OGSA. 
(I also believe that you have now outlawed MyProxy, right?)

Am I reading something incorrectly?

-- Marty

Marty Humphrey
Assistant Professor
Department of Computer Science
University of Virginia



