[ogsa-wg] Comments on OGSA WSRF BP 1.0 draft 25 (specifically security)

[Dave Berry]

Dave,

I recall that when Marty raised this issue before GGF14, he was asked to
leave discussion of it until after GGF14 (possibly with the intention of
ensuring some public comment following submission of the document?).  I
would certainly be interested in joining dicussion of Marty's points on
a call.

Dave.

> -----Original Message-----
> From: owner-ogsa-wg at ggf.org [mailto:owner-ogsa-wg at ggf.org] On 
> Behalf Of David Snelling
> Sent: 15 July 2005 10:14
> To: humphrey at cs.virginia.edu
> Cc: ogsa-wg at ggf.org
> Subject: Re: [ogsa-wg] Comments on OGSA WSRF BP 1.0 draft 25 
> (specifically security)
> 
> Marty,
> 
> Your interpretation of the profile is correct. On several 
> occasions we 
> have discussed this very issue and each time the conclusion has been 
> consistent with the current draft. If you think the case for relaxing 
> the profile is stronger now than on earlier calls and F2F 
> meetings, we 
> should schedule a time when you can make the call. Hiro tell me that 
> the BP is on the agenda for Monday's call. Can you make it?
> 
> Note the the profile dose not outlaw myProxy to GSI and 
> anything else. 
> It just says that for interoperability, these published standard 
> techniques MUST/SHOULD/MAY be supported by compliant systems. The 
> systems can and will use other techniques. In Unicore/GS we will 
> continue to use the proprietary UPL/ETDF framework while also 
> supporting the BP.
> 
> Talk to you on Monday (if I can stay awake).
> 
> 
> On 15 Jul 2005, at 2:09, humphrey at cs.virginia.edu wrote:
> 
> > I assume that this document has not entered public comment, so I'll 
> > post my
> > comments here regarding security. I'm afraid that these are largely 
> > the SAME
> > comments that I've made before.
> >
> > Here are my specific concerns...
> >
> > The security section (section 8.1) implies that *EVERY* 
> SOAP message 
> > must be
> > either (1) over TLS or (2) "SOAP Message security with XML 
> signature 
> > and/or
> > XML Encryption". If you truly mean this (implied by 
> "R0811"), this is 
> > overly
> > restrictive and makes no sense (there does not exist *ANY* message 
> > that can
> > justifiably be sent between services/clients that need not 
> incur the 
> > overhead
> > of crypto?). However, it's not clear if you really mean this
> > ("R0819", "R0820", "R0821", "R0822", "R0823" seem to imply 
> > otherwise)... so,
> > what exactly is the intention here?
> >
> > In general, section 8.1.2 is too restrictive -- 
> "mutual-authenticated 
> > WS-
> > Communication will be required" is overly restrictive. And 
> this section
> > includes this statement: "The Profile mandates that there be no 
> > anonymous
> > communication. To ensure interoperability, only X.509 
> certificate-based
> > authentication is permitted by the Profile.") So, this 
> latter part in
> > particular says that there is *NO PLACE* for password 
> authentication 
> > in OGSA.
> > (I also believe that you have now outlawed MyProxy, right?)
> >
> > Am I reading something incorrectly?
> >
> > -- Marty
> >
> > Marty Humphrey
> > Assistant Professor
> > Department of Computer Science
> > University of Virginia
> >
> >
> >
> >
> > -------------------------------------------------
> > This mail sent through IMP: http://horde.org/imp/
> >
> >
> -- 
> 
> Take care:
> 
>      Dr. David Snelling < David . Snelling . UK . Fujitsu . com >
>      Fujitsu Laboratories of Europe
>      Hayes Park Central
>      Hayes End Road
>      Hayes, Middlesex  UB4 8FE
> 
>      +44-208-606-4649 (Office)
>      +44-208-606-4539 (Fax)
>      +44-7768-807526  (Mobile)
> 
>