Fwd: Re: [ogsa-wg] Comments on OGSA WSRF BP 1.0 draft 25 (specifically security)

Hiro Kishimoto hiro.kishimoto at jp.fujitsu.com
Fri Jul 15 18:31:33 CDT 2005


Tom's email bounced.
----
Hiro Kishimoto

> To: humphrey at cs.virginia.edu, ogsa-wg at ggf.org
> Subject: Fwd: Re: [ogsa-wg] Comments on OGSA WSRF BP 1.0 draft 25 (specifically security)
> From: <tom.maguire at suscom.net>
> Date: Fri, 15 Jul 2005 9:18:00 -0400


During the 7/13 telecon we agreed to relax the MUST requirements for 
mutual auth to SHOULD.  The descriptive paragraph above the reqt should 
be changed so that it is clear that the reqts are recommendations.  The 
descriptions are non-normative anyway  :-)

-----Original Message-----

From:  Steve Tuecke <tuecke at univa.com>
Subj:  Re: [ogsa-wg] Comments on OGSA WSRF BP 1.0 draft 25 (specifically 
security)
Date:  Fri Jul 15, 2005 8:36 am
Size:  3K
To:  David Snelling <David.Snelling at UK.Fujitsu.com>
cc:  humphrey at cs.virginia.edu, Steve Tuecke <tuecke at univa.com>, 
ogsa-wg at ggf.org

Can you briefly recount the arguments for making message security
required?

I would tend to agree with Marty on this point, for two reasons.
First, I think there are a variety of services (or operations) that can
be done anonymously, such as some information services.  Second, the
cost of security in terms of performance can be very high, so to
mandate it even when it's not needed seems a bit extreme.

-Steve

On Jul 15, 2005, at 4:13 AM, David Snelling wrote:


>> Marty,
>>
>> Your interpretation of the profile is correct. On several occasions we
>> have discussed this very issue and each time the conclusion has been
>> consistent with the current draft. If you think the case for relaxing
>> the profile is stronger now than on earlier calls and F2F meetings, we
>> should schedule a time when you can make the call. Hiro tells me that
>> the BP is on the agenda for Monday's call. Can you make it?
>>
>> Note that the profile does not outlaw myProxy to GSI and anything else.
>> It just says that for interoperability, these published standard
>> techniques MUST/SHOULD/MAY be supported by compliant systems. The
>> systems can and will use other techniques. In Unicore/GS we will
>> continue to use the proprietary UPL/ETDF framework while also
>> supporting the BP.
>>
>> Talk to you on Monday (if I can stay awake).
>>
>>
>> On 15 Jul 2005, at 2:09, humphrey at cs.virginia.edu wrote:
>>
>>>> I assume that this document has not entered public comment, so I'll
>>>> post my comments here regarding security. I'm afraid that these are
>>>> largely the SAME comments that I've made before.
>>>>
>>>> Here are my specific concerns...
>>>>
>>>> The security section (section 8.1) implies that *EVERY* SOAP message
>>>> must be either (1) over TLS or (2) "SOAP Message security with XML
>>>> signature and/or XML Encryption". If you truly mean this (implied by
>>>> "R0811"), this is overly restrictive and makes no sense (there does
>>>> not exist *ANY* message that can justifiably be sent between
>>>> services/clients that need not incur the overhead of crypto?).
>>>> However, it's not clear if you really mean this ("R0819", "R0820",
>>>> "R0821", "R0822", "R0823" seem to imply otherwise)... so, what
>>>> exactly is the intention here?
>>>>
>>>> In general, section 8.1.2 is too restrictive -- "mutual-authenticated
>>>> WS-Communication will be required" is overly restrictive. And this
>>>> section includes this statement: "The Profile mandates that there be
>>>> no anonymous communication. To ensure interoperability, only X.509
>>>> certificate-based authentication is permitted by the Profile." So,
>>>> this latter part in particular says that there is *NO PLACE* for
>>>> password authentication in OGSA. (I also believe that you have now
>>>> outlawed MyProxy, right?)
>>>>
>>>> Am I reading something incorrectly?
>>>>
>>>> -- Marty
>>>>
>>>> Marty Humphrey
>>>> Assistant Professor
>>>> Department of Computer Science
>>>> University of Virginia
>>>>


--- message truncated ---