[ogsa-wg] Questions on OGSA WSRF Basic Profile 1.0

Tom Maguire tmaguire at us.ibm.com
Fri Jun 10 11:30:48 CDT 2005


> Let me put this another way: The reader who is not intimately involved with
> WSRF reads this and wonders "Why are they possibly doing this? Isn't WS-I
> Basic Security Profile sufficient to 'secure' Web services? Are they saying
> that WS-I Basic Security Profile is INSUFFICIENT? Then why don't they say
> this directly? Are they instead just repeating some things in WS-I Basic
> Security Profile? For what reason? If so, then why can't they just say
> this?"

We are not saying that BSP is not sufficient to secure Web services.
The problem is that strictly speaking you can be WS-BSP conformant
and have no security.  The conformance requirements are there to
'require' all OGSA BP compliant services to provide security.

> The reader somewhat more involved/cognizant immediately comes around to what
> Mark points out. That is, as one of my guys puts it after reading the doc:
>
> "On the security front, SSL and mutual authentication is required
> everywhere. It seems strange that SSL is required even if WS-Security
> message level encryption is used. In some cases might you want to allow
> anonymous access or not care about encryption? I think, maybe yes. I'm not
> sure how much is gained by restricting flexibility here. Certainly not
> interop, since interop is always best without security."

I'll leave this discussion to others who are more eloquent on these
requirements.

> I'd like to hear more of the justification for this, as Mark points out (as
> others wonder as well, I'm sure).
>
> -- Marty
>
> Marty Humphrey
> Assistant Professor
> Department of Computer Science
> University of Virginia
>
>
> > -----Original Message-----
> > From: owner-ogsa-wg at ggf.org [mailto:owner-ogsa-wg at ggf.org] On Behalf Of
> > Mark McKeown
> > Sent: Friday, June 10, 2005 9:11 AM
> > To: ogsa-wg at gridforum.org
> > Subject: [ogsa-wg] Questions on OGSA WSRF Basic Profile 1.0
> >
> >
> > Hi folks,
> >          Sorry if these are dumb questions...
> >
> >          I was looking through WSRF Basic Profile 1.0,
> > (Revised: Friday, June 10, 2005).
> >
> > > Section 9.1.1 Mandated Secure Transport
> >
> > "All messages are subject to interference and corruption during
> > transmission. The Profile mandates secure transmission of
> > messages."
> >
> > Is there a reference that makes this case?
> >
> > I have looked at the WS-I document "Security Challenges, Threats
> > and Countermeasures"
> > http://www.ws-i.org/Profiles/BasicSecurity/SecurityChallenges-1.0.pdf
> > which indicates that message level security is OK for many threats.
> >
> >
> > WSRF & ACID
> >
> > Section 7 of Web Service Resource Properties 1.2 discusses
> > ACID and WSRF - a WSRF implementor can choose a concurrency
> > policy with regard to updating and retrieving resource properties,
> > so two implementations of a WS-Resource with the same operations
> > and PropertiesDocument could actually have different behaviour
> > leading to interoperability issues for clients - is this an area
> > for a WSRF profile to address?
> >
> > thanks
> > Mark
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > Mark Mc Keown                            RSS
> > Mark.McKeown at man.ac.uk                     Manchester Computing
> > +44 161 275 0601                    University of Manchester
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>
>