[ogsa-wg] Comments on OGSA WSRF BP 1.0 draft 25 (specifically security)
Hiro Kishimoto
hiro.kishimoto at jp.fujitsu.com
Wed Jul 20 08:30:20 CDT 2005
Hi Marty and Takuya,
Your first comment was also deliberated and accepted.
The minutes says;
> The profile as it stand does not allow non-encrypted messages or
> channels.
>
> There are cases when one would not want either, e.g., large data
> transfers that may cause performance degradation. Also depending on
> the environment it might be acceptable to not encrypt (e.g.,
> operating within enterprise (behind firewall)).
>
> (If corruption is the issue then signatures and not encryption is
> appropriate.)
>
> Consensus on softening the requirement:
> - Change l.466 'requires' to 'recommends'
> - And also change transport level compliance statements R0811-14
> from MUST to SHOULD.
http://tinyurl.com/5fxfd/minutes-20050718/en/1
We hope it covers your concern.
Thank you again for your comments
----
Hiro Kishimoto
Takuya Mori wrote:
> Marty,
>
> This message is regarding with your second comment.
>
> We discussed your comment and agreed to change the MUST requirement
> in the non-normative description to SHOULD in section 8.1.2. Please
> confirm the change in the latest draft document.
>
> By the way, during the call, we have found another problem in the
> mutual auth description. The problem is that the description
> that allows ONLY an X.509 certificate to be a security token, which
> we had been overlooked, might be too restrictive. We continue
> discussing on this point.
>
> We will tell you the result of the discussion.
>
> Thank you,
> Takuya
>
> From: humphrey at cs.virginia.edu
> Subject: [ogsa-wg] Comments on OGSA WSRF BP 1.0 draft 25 (specifically security)
> Date: Thu, 14 Jul 2005 21:09:28 -0400
>
>
>>I assume that this document has not entered public comment, so I'll post my
>>comments here regarding security. I'm afraid that these are largely the SAME
>>comments that I've made before.
>>
>>Here are my specific concerns...
>>
>>The security section (section 8.1) implies that *EVERY* SOAP message must be
>>either (1) over TLS or (2) "SOAP Message security with XML signature and/or
>>XML Encryption". If you truly mean this (implied by "R0811"), this is overly
>>restrictive and makes no sense (there does not exist *ANY* message that can
>>justifiably be sent between services/clients that need not incur the overhead
>>of crypto?). However, it's not clear if you really mean this
>>("R0819", "R0820", "R0821", "R0822", "R0823" seem to imply otherwise)... so,
>>what exactly is the intention here?
>>
>>In general, section 8.1.2 is too restrictive -- "mutual-authenticated WS-
>>Communication will be required" is overly restrictive. And this section
>>includes this statement: "The Profile mandates that there be no anonymous
>>communication. To ensure interoperability, only X.509 certificate-based
>>authentication is permitted by the Profile.") So, this latter part in
>>particular says that there is *NO PLACE* for password authentication in OGSA.
>>(I also believe that you have now outlawed MyProxy, right?)
>>
>>Am I reading something incorrectly?
>>
>>-- Marty
>>
>>Marty Humphrey
>>Assistant Professor
>>Department of Computer Science
>>University of Virginia
>>
>>
>>
>>
>>-------------------------------------------------
>>This mail sent through IMP: http://horde.org/imp/
>>
>
>
>
>
More information about the ogsa-wg
mailing list