[ogsa-wg] Comments on OGSA WSRF BP 1.0 draft 25 (specifically security)

Steve Tuecke tuecke at univa.com
Fri Jul 15 07:35:30 CDT 2005 

Can you briefly recount the arguments for making message security 
required?

I would tend to agree with Marty on this point, for two reasons.  
First, I think there are a variety of services (or operations) that can 
be done anonymously, such as some information services.  Second, the 
cost of security in terms of performance can be very high, so to 
mandate it even when its not needed seems a bit extreme.

-Steve

On Jul 15, 2005, at 4:13 AM, David Snelling wrote:

> Marty,
>
> Your interpretation of the profile is correct. On several occasions we 
> have discussed this very issue and each time the conclusion has been 
> consistent with the current draft. If you think the case for relaxing 
> the profile is stronger now than on earlier calls and F2F meetings, we 
> should schedule a time when you can make the call. Hiro tell me that 
> the BP is on the agenda for Monday's call. Can you make it?
>
> Note the the profile dose not outlaw myProxy to GSI and anything else. 
> It just says that for interoperability, these published standard 
> techniques MUST/SHOULD/MAY be supported by compliant systems. The 
> systems can and will use other techniques. In Unicore/GS we will 
> continue to use the proprietary UPL/ETDF framework while also 
> supporting the BP.
>
> Talk to you on Monday (if I can stay awake).
>
>
> On 15 Jul 2005, at 2:09, humphrey at cs.virginia.edu wrote:
>
>> I assume that this document has not entered public comment, so I'll 
>> post my
>> comments here regarding security. I'm afraid that these are largely 
>> the SAME
>> comments that I've made before.
>>
>> Here are my specific concerns...
>>
>> The security section (section 8.1) implies that *EVERY* SOAP message 
>> must be
>> either (1) over TLS or (2) "SOAP Message security with XML signature 
>> and/or
>> XML Encryption". If you truly mean this (implied by "R0811"), this is 
>> overly
>> restrictive and makes no sense (there does not exist *ANY* message 
>> that can
>> justifiably be sent between services/clients that need not incur the 
>> overhead
>> of crypto?). However, it's not clear if you really mean this
>> ("R0819", "R0820", "R0821", "R0822", "R0823" seem to imply 
>> otherwise)... so,
>> what exactly is the intention here?
>>
>> In general, section 8.1.2 is too restrictive -- "mutual-authenticated 
>> WS-
>> Communication will be required" is overly restrictive. And this 
>> section
>> includes this statement: "The Profile mandates that there be no 
>> anonymous
>> communication. To ensure interoperability, only X.509 
>> certificate-based
>> authentication is permitted by the Profile.") So, this latter part in
>> particular says that there is *NO PLACE* for password authentication 
>> in OGSA.
>> (I also believe that you have now outlawed MyProxy, right?)
>>
>> Am I reading something incorrectly?
>>
>> -- Marty
>>
>> Marty Humphrey
>> Assistant Professor
>> Department of Computer Science
>> University of Virginia
>>
>>
>>
>>
>> -------------------------------------------------
>> This mail sent through IMP: http://horde.org/imp/
>>
>>
> -- 
>
> Take care:
>
>     Dr. David Snelling < David . Snelling . UK . Fujitsu . com >
>     Fujitsu Laboratories of Europe
>     Hayes Park Central
>     Hayes End Road
>     Hayes, Middlesex  UB4 8FE
>
>     +44-208-606-4649 (Office)
>     +44-208-606-4539 (Fax)
>     +44-7768-807526  (Mobile)
>

More information about the ogsa-wg mailing list