[ogsa-wg] Comments on OGSA WSRF BP 1.0 draft 25 (specifically security)

Takuya Mori moritaku at bx.jp.nec.com
Fri Jul 15 06:21:42 CDT 2005


Hi Marty,

Thank you for your comment.  I am answering your second
point in this message.

I think our intention on the requirement level for mutual
authentication is the same as yours.  Although the informational
description of the constraints is written using the
words "will be required", the constraints, which are the normative
statements, state the requirements as "SHOULD", which is
one level looser than "MUST".

I think we can change the word "required" to "recommended" 
in the informational sentence, if it is confusing.

Thank you,
Takuya Mori

From: humphrey at cs.virginia.edu
Subject: [ogsa-wg] Comments on OGSA WSRF BP 1.0 draft 25 (specifically security)
Date: Thu, 14 Jul 2005 21:09:28 -0400

> I assume that this document has not entered public comment, so I'll post my 
> comments here regarding security. I'm afraid that these are largely the SAME 
> comments that I've made before.
> 
> Here are my specific concerns...
> 
> The security section (section 8.1) implies that *EVERY* SOAP message must be 
> either (1) over TLS or (2) "SOAP Message security with XML signature and/or 
> XML Encryption". If you truly mean this (implied by "R0811"), this is overly 
> restrictive and makes no sense (there does not exist *ANY* message that can 
> justifiably be sent between services/clients that need not incur the overhead 
> of crypto?). However, it's not clear if you really mean this 
> ("R0819", "R0820", "R0821", "R0822", "R0823" seem to imply otherwise)... so, 
> what exactly is the intention here? 
> 
> In general, section 8.1.2 is too restrictive -- "mutual-authenticated WS-
> Communication will be required" is overly restrictive. And this section 
> includes this statement: "The Profile mandates that there be no anonymous 
> communication. To ensure interoperability, only X.509 certificate-based 
> authentication is permitted by the Profile." So, this latter part in 
> particular says that there is *NO PLACE* for password authentication in OGSA. 
> (I also believe that you have now outlawed MyProxy, right?)
> 
> Am I reading something incorrectly?
> 
> -- Marty
> 
> Marty Humphrey
> Assistant Professor
> Department of Computer Science
> University of Virginia