[ogsa-wg] Questions on OGSA WSRF Basic Profile 1.0

Marty Humphrey humphrey at cs.virginia.edu
Fri Jun 10 08:34:20 CDT 2005


A little more broadly, I don't quite understand the justification for *ANY*
mention of security in OGSA WSRF Basic Profile beyond "see WS-I Basic
Security Profile v 1.0". If the authors felt that there was something
specific in the WSRF rendering, that might be one thing, but I don't
particularly see that in the text. 

Let me put this another way: The reader who is not intimately involved with
WSRF reads this and wonders "Why are they possibly doing this? Isn't WS-I
Basic Security Profile sufficient to 'secure' Web services? Are they saying
that WS-I Basic Security Profile is INSUFFICIENT? Then why don't they say
this directly? Are they instead just repeating some things in WS-I Basic
Security Profile? For what reason? If so, then why can't they just say
this?"

The reader somewhat more involved/cognizant immediately comes around to what
Mark points out. That is, as one of my guys puts it after reading the doc: 

"On the security front, SSL and mutual authentication is required
everywhere. It seems strange that SSL is required even if WS-Security
message level encryption is used. In some cases might you want to allow
anonymous access or not care about encryption? I think, maybe yes. I'm not
sure how much is gained by restricting flexibility here. Certainly not
interop, since interop is always best without security."

I'd like to hear more of the justification for this, as Mark points out (as
others wonder as well, I'm sure).

-- Marty

Marty Humphrey
Assistant Professor
Department of Computer Science
University of Virginia


> -----Original Message-----
> From: owner-ogsa-wg at ggf.org [mailto:owner-ogsa-wg at ggf.org] On Behalf Of
> Mark McKeown
> Sent: Friday, June 10, 2005 9:11 AM
> To: ogsa-wg at gridforum.org
> Subject: [ogsa-wg] Questions on OGSA WSRF Basic Profile 1.0
> 
> 
> Hi folks,
>          Sorry if these are dumb questions...
> 
>          I was looking through WSRF Basic Profile 1.0,
> (Revised: Friday, June 10, 2005).
> 
> > Section 9.1.1 Mandated Secure Transport
> 
> "All messages are subject to interference and corruption during
> transmission. The Profile mandates secure transmission of
> messages."
> 
> Is there a reference that makes this case?
> 
> I have looked at the WS-I document "Security Challenges, Threats
> and Countermeasures"
> http://www.ws-i.org/Profiles/BasicSecurity/SecurityChallenges-1.0.pdf
> which indicates that message level security is OK for many threats.
> 
> 
> WSRF & ACID
> 
> Section 7 of Web Service Resource Properties 1.2 discusses
> ACID and WSRF - a WSRF implementor can choose a concurrency
> policy with regard to updating and retrieving resource properties,
> so two implementations of a WS-Resource with the same operations
> and PropertiesDocument could actually have different behaviour
> leading to interoperability issues for clients - is this an area
> for a WSRF profile to address?
> 
> thanks
> Mark
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Mark Mc Keown                            RSS
> Mark.McKeown at man.ac.uk                 Manchester Computing
> +44 161 275 0601                         University of Manchester
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~






