[ogsa-wg] Comments on OGSA WSRF BP 1.0 draft 25 (specifically security)

Takuya Mori moritaku at bx.jp.nec.com
Wed Jul 20 06:35:54 CDT 2005


Marty,

This message is regarding your second comment.

We discussed your comment and agreed to change the MUST requirement
in the non-normative description to SHOULD in section 8.1.2.  Please 
confirm the change in the latest draft document.

By the way, during the call we found another problem in the
mutual auth description.  The problem is that the description
that allows ONLY an X.509 certificate to be a security token, which
we had overlooked, might be too restrictive.  We continue
discussing this point.

We will tell you the result of the discussion.

Thank you,
Takuya

From: humphrey at cs.virginia.edu
Subject: [ogsa-wg] Comments on OGSA WSRF BP 1.0 draft 25 (specifically security)
Date: Thu, 14 Jul 2005 21:09:28 -0400

> I assume that this document has not entered public comment, so I'll post my 
> comments here regarding security. I'm afraid that these are largely the SAME 
> comments that I've made before.
> 
> Here are my specific concerns...
> 
> The security section (section 8.1) implies that *EVERY* SOAP message must be 
> either (1) over TLS or (2) "SOAP Message security with XML signature and/or 
> XML Encryption". If you truly mean this (implied by "R0811"), this is overly 
> restrictive and makes no sense (there does not exist *ANY* message that can 
> justifiably be sent between services/clients that need not incur the overhead 
> of crypto?). However, it's not clear if you really mean this 
> ("R0819", "R0820", "R0821", "R0822", "R0823" seem to imply otherwise)... so, 
> what exactly is the intention here? 
> 
> In general, section 8.1.2 is too restrictive -- "mutual-authenticated
> WS-Communication will be required" is overly restrictive. And this section 
> includes this statement: "The Profile mandates that there be no anonymous 
> communication. To ensure interoperability, only X.509 certificate-based 
> authentication is permitted by the Profile." So, this latter part in 
> particular says that there is *NO PLACE* for password authentication in OGSA. 
> (I also believe that you have now outlawed MyProxy, right?)
> 
> Am I reading something incorrectly?
> 
> -- Marty
> 
> Marty Humphrey
> Assistant Professor
> Department of Computer Science
> University of Virginia
> 
