[ogsa-wg] Comments on OGSA WSRF BP 1.0 draft 25 (specifically security)

Marty Humphrey humphrey at cs.virginia.edu
Mon Jul 18 08:11:06 CDT 2005


Hi Dave,

I'm very sorry, but I cannot make the call today. I'm traveling. 

-- Marty

> -----Original Message-----
> From: David Snelling [mailto:David.Snelling at uk.fujitsu.com]
> Sent: Friday, July 15, 2005 5:14 AM
> To: humphrey at cs.virginia.edu
> Cc: ogsa-wg at ggf.org
> Subject: Re: [ogsa-wg] Comments on OGSA WSRF BP 1.0 draft 25 (specifically
> security)
> 
> Marty,
> 
> Your interpretation of the profile is correct. On several occasions we
> have discussed this very issue and each time the conclusion has been
> consistent with the current draft. If you think the case for relaxing
> the profile is stronger now than on earlier calls and F2F meetings, we
> should schedule a time when you can make the call. Hiro tells me that
> the BP is on the agenda for Monday's call. Can you make it?
> 
> Note that the profile does not outlaw myProxy to GSI and anything else.
> It just says that for interoperability, these published standard
> techniques MUST/SHOULD/MAY be supported by compliant systems. The
> systems can and will use other techniques. In Unicore/GS we will
> continue to use the proprietary UPL/ETDF framework while also
> supporting the BP.
> 
> Talk to you on Monday (if I can stay awake).
> 
> 
> On 15 Jul 2005, at 2:09, humphrey at cs.virginia.edu wrote:
> 
> > I assume that this document has not entered public comment, so I'll post my
> > comments here regarding security. I'm afraid that these are largely the SAME
> > comments that I've made before.
> >
> > Here are my specific concerns...
> >
> > The security section (section 8.1) implies that *EVERY* SOAP message must be
> > either (1) over TLS or (2) "SOAP Message security with XML signature and/or
> > XML Encryption". If you truly mean this (implied by "R0811"), this is overly
> > restrictive and makes no sense (there does not exist *ANY* message that can
> > justifiably be sent between services/clients that need not incur the overhead
> > of crypto?). However, it's not clear if you really mean this ("R0819",
> > "R0820", "R0821", "R0822", "R0823" seem to imply otherwise)... so, what
> > exactly is the intention here?
> >
> > In general, section 8.1.2 is too restrictive -- "mutual-authenticated
> > WS-Communication will be required" is overly restrictive. And this section
> > includes this statement: "The Profile mandates that there be no anonymous
> > communication. To ensure interoperability, only X.509 certificate-based
> > authentication is permitted by the Profile." So, this latter part in
> > particular says that there is *NO PLACE* for password authentication in OGSA.
> > (I also believe that you have now outlawed MyProxy, right?)
> >
> > Am I reading something incorrectly?
> >
> > -- Marty
> >
> > Marty Humphrey
> > Assistant Professor
> > Department of Computer Science
> > University of Virginia
> >
> --
> 
> Take care:
> 
>      Dr. David Snelling < David . Snelling . UK . Fujitsu . com >
>      Fujitsu Laboratories of Europe
>      Hayes Park Central
>      Hayes End Road
>      Hayes, Middlesex  UB4 8FE
> 
>      +44-208-606-4649 (Office)
>      +44-208-606-4539 (Fax)
>      +44-7768-807526  (Mobile)