[ogsa-wg] Comments on OGSA WSRF BP 1.0 draft 25 (specifically security)

Hiro Kishimoto hiro.kishimoto at jp.fujitsu.com
Wed Jul 20 08:30:20 CDT 2005


Hi Marty and Takuya,

Your first comment was also deliberated and accepted.

The minutes say:
>    The profile as it stands does not allow non-encrypted messages or
>    channels.
> 
>    There are cases when one would not want either, e.g., large data
>    transfers that may cause performance degradation. Also depending on
>    the environment it might be acceptable to not encrypt (e.g.,
>    operating within enterprise (behind firewall)).
> 
>    (If corruption is the issue then signatures and not encryption is
>    appropriate.)
> 
>    Consensus on softening the requirement: 
>    - Change l.466 'requires' to 'recommends'
>    - And also change transport level compliance statements R0811-14
>      from MUST to SHOULD.

http://tinyurl.com/5fxfd/minutes-20050718/en/1

We hope it covers your concern.

Thank you again for your comments.
----
Hiro Kishimoto

Takuya Mori wrote:
> Marty,
> 
> This message is regarding your second comment.
> 
> We discussed your comment and agreed to change the MUST requirement
> in the non-normative description to SHOULD in section 8.1.2.  Please 
> confirm the change in the latest draft document.
> 
> By the way, during the call, we found another problem in the
> mutual auth description.  The problem is that the description
> that allows ONLY an X.509 certificate to be a security token, which
> we had overlooked, might be too restrictive.  We continue 
> discussing this point.
> 
> We will tell you the result of the discussion.
> 
> Thank you,
> Takuya
> 
> From: humphrey at cs.virginia.edu
> Subject: [ogsa-wg] Comments on OGSA WSRF BP 1.0 draft 25 (specifically security)
> Date: Thu, 14 Jul 2005 21:09:28 -0400
> 
> 
>>I assume that this document has not entered public comment, so I'll post my 
>>comments here regarding security. I'm afraid that these are largely the SAME 
>>comments that I've made before.
>>
>>Here are my specific concerns...
>>
>>The security section (section 8.1) implies that *EVERY* SOAP message must be 
>>either (1) over TLS or (2) "SOAP Message security with XML signature and/or 
>>XML Encryption". If you truly mean this (implied by "R0811"), this is overly 
>>restrictive and makes no sense (there does not exist *ANY* message that can 
>>justifiably be sent between services/clients that need not incur the overhead 
>>of crypto?). However, it's not clear if you really mean this 
>>("R0819", "R0820", "R0821", "R0822", "R0823" seem to imply otherwise)... so, 
>>what exactly is the intention here? 
>>
>>In general, section 8.1.2 is too restrictive -- "mutual-authenticated WS-
>>Communication will be required" is overly restrictive. And this section 
>>includes this statement: "The Profile mandates that there be no anonymous 
>>communication. To ensure interoperability, only X.509 certificate-based 
>>authentication is permitted by the Profile.") So, this latter part in 
>>particular says that there is *NO PLACE* for password authentication in OGSA. 
>>(I also believe that you have now outlawed MyProxy, right?)
>>
>>Am I reading something incorrectly?
>>
>>-- Marty
>>
>>Marty Humphrey
>>Assistant Professor
>>Department of Computer Science
>>University of Virginia
>>