[ogsa-wg] Comments on OGSA WSRF BP 1.0 draft 25 (specifically security)

Mark McKeown zzalsmm3 at nessie.mcc.ac.uk
Fri Jul 15 08:20:31 CDT 2005 

Hi Marty,
         Your post raised another issue for me.

         When I looked at the Security section in the OGSA WSRF BP
I half expected to see recommendations on signing WS-Addressing headers.
WSRF has a dependence on WS-Addressing and it is hard to create
secure signed SOAP messages without signing the information that is
supplied by WS-Addressing (wsa:To, wsa:From, wsa:MessageID, wsa:ReplyTo
etc) but there is no current profile that deals with the signing of
WS-Addressing headers (perhaps I missed one?).

I would expect OASIS or WS-I to produce a security profile that
includes WS-Addressing but it looks like a hole in the OGSA WSRF
BP security section to me.

cheers
Mark

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mark Mc Keown                            RSS
Mark.McKeown at man.ac.uk 	                 Manchester Computing
+44 161 275 0601     		         University of Manchester
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On Thu, 14 Jul 2005 humphrey at cs.virginia.edu wrote:

> I assume that this document has not entered public comment, so I'll post my
> comments here regarding security. I'm afraid that these are largely the SAME
> comments that I've made before.
>
> Here are my specific concerns...
>
> The security section (section 8.1) implies that *EVERY* SOAP message must be
> either (1) over TLS or (2) "SOAP Message security with XML signature and/or
> XML Encryption". If you truly mean this (implied by "R0811"), this is overly
> restrictive and makes no sense (there does not exist *ANY* message that can
> justifiably be sent between services/clients that need not incur the overhead
> of crypto?). However, it's not clear if you really mean this
> ("R0819", "R0820", "R0821", "R0822", "R0823" seem to imply otherwise)... so,
> what exactly is the intention here?
>
> In general, section 8.1.2 is too restrictive -- "mutual-authenticated WS-
> Communication will be required" is overly restrictive. And this section
> includes this statement: "The Profile mandates that there be no anonymous
> communication. To ensure interoperability, only X.509 certificate-based
> authentication is permitted by the Profile.") So, this latter part in
> particular says that there is *NO PLACE* for password authentication in OGSA.
> (I also believe that you have now outlawed MyProxy, right?)
>
> Am I reading something incorrectly?
>
> -- Marty
>
> Marty Humphrey
> Assistant Professor
> Department of Computer Science
> University of Virginia
>
>
>
>
> -------------------------------------------------
> This mail sent through IMP: http://horde.org/imp/
>
>

More information about the ogsa-wg mailing list