[ogsa-wg] Comments on OGSA WSRF BP 1.0 draft 25 (specifically security)
Donal K. Fellows
donal.k.fellows at manchester.ac.uk
Fri Jul 15 03:15:23 CDT 2005
humphrey at cs.virginia.edu wrote:
> The security section (section 8.1) implies that *EVERY* SOAP message must be
> either (1) over TLS or (2) "SOAP Message security with XML signature and/or
> XML Encryption". If you truly mean this (implied by "R0811"), this is overly
> restrictive and makes no sense (there does not exist *ANY* message that can
> justifiably be sent between services/clients that need not incur the overhead
> of crypto?). However, it's not clear if you really mean this
> ("R0819", "R0820", "R0821", "R0822", "R0823" seem to imply otherwise)... so,
> what exactly is the intention here?
Certainly when it comes to information systems and how they are used by
things like the RSS, there is a significant fraction of useful
interaction that can be done completely unencrypted within a particular
security domain (I had it argued to me that uses within a domain don't
need to be standardized at all, which is theoretically true but life
doesn't really seem to work like that; unifying the sorts of interfaces
supported both internally and externally is a big win). For example,
consider the looking up of non-user-specific information about the
general configuration of resources.
On the other hand, requiring that services support such access (at least
potentially, even if a particular instance doesn't) is OK with me, as
is a strong recommendation that anything carrying user-specific info
(the majority of interactions, I presume) should be protected over the
wire.
Donal.
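The two readings of the draft discussed in this thread can be written down as a concrete check. The example below is added here and is not code from the ogsa-wg thread or from the OGSA WSRF Basic Profile draft. It inspects a SOAP 1.2 envelope for message-level protection (a `wsse:Security` header carrying an XML Signature or XML Encryption element), treats "R0811" as "every message is either over TLS or carries such protection", and then models the relaxation Donal argues for as two caller-supplied flags (assumptions: `same_domain` and `user_specific`). It only detects the presence of signature or encryption elements; it does not validate them.

```python
"""Check whether a SOAP message satisfies a 'protect every message' rule
(transport TLS or WS-Security signature/encryption) and a relaxed variant
that tolerates unprotected intra-domain, non-user-specific traffic.

Added example for the ogsa-wg discussion; not part of the thread or the
OGSA WSRF BP draft. Namespace URIs are the standard SOAP 1.2, WS-Security
1.0, XML-DSig and XML-Enc ones."""
import xml.etree.ElementTree as ET

SOAP_ENV = "http://www.w3.org/2003/05/soap-envelope"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"


def has_message_security(envelope_xml: str) -> bool:
    """True if the SOAP header carries a wsse:Security block that contains
    a ds:Signature or an xenc:EncryptedData element (message-level
    protection as named in the draft's section 8.1). Presence only; this
    does not verify the signature or decrypt anything."""
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP_ENV}}}Header")
    if header is None:
        return False
    for sec in header.findall(f"{{{WSSE}}}Security"):
        if sec.find(f".//{{{DS}}}Signature") is not None:
            return True
        if sec.find(f".//{{{XENC}}}EncryptedData") is not None:
            return True
    return False


def meets_strict_rule(envelope_xml: str, over_tls: bool) -> bool:
    """Strict reading of R0811: every message is protected, either by the
    transport (TLS) or by the message itself (signed and/or encrypted)."""
    return over_tls or has_message_security(envelope_xml)


def meets_relaxed_rule(envelope_xml: str, over_tls: bool,
                       same_domain: bool, user_specific: bool) -> bool:
    """Relaxation argued for in the reply (assumption: modelled with two
    caller-supplied flags). Unprotected traffic is tolerated only when it
    stays inside one security domain and carries no user-specific
    information; anything else must meet the strict rule."""
    if meets_strict_rule(envelope_xml, over_tls):
        return True
    return same_domain and not user_specific


# Constructed sample messages (not taken from the thread).
PLAIN_LOOKUP = f"""<env:Envelope xmlns:env="{SOAP_ENV}">
  <env:Header/>
  <env:Body><GetResourceProperty/></env:Body>
</env:Envelope>"""

SIGNED_LOOKUP = f"""<env:Envelope xmlns:env="{SOAP_ENV}"
    xmlns:wsse="{WSSE}" xmlns:ds="{DS}">
  <env:Header>
    <wsse:Security>
      <ds:Signature>
        <ds:SignatureValue>BASE64-PLACEHOLDER</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </env:Header>
  <env:Body><GetResourceProperty/></env:Body>
</env:Envelope>"""


if __name__ == "__main__":
    # Plain message, no TLS: fails the strict reading, but passes the
    # relaxed one when it is an intra-domain, non-user-specific lookup.
    print("strict, plain/no TLS :", meets_strict_rule(PLAIN_LOOKUP, False))
    print("relaxed, config lookup:", meets_relaxed_rule(PLAIN_LOOKUP, False, True, False))
    print("relaxed, user data    :", meets_relaxed_rule(PLAIN_LOOKUP, False, True, True))
    print("strict, signed/no TLS :", meets_strict_rule(SIGNED_LOOKUP, False))
```

Under the strict reading the plain configuration lookup is rejected unless it travels over TLS; under the relaxed reading it is accepted only because it is both intra-domain and non-user-specific, and the same message flagged as carrying user data is rejected again.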