[ogsa-wg] secure channel profile explanatory ciphersuite statements

Andreas Savva andreas.savva at jp.fujitsu.com
Tue Oct 3 21:18:49 CDT 2006


The Security Profile - Secure Channel (Sep 28 draft) has a set of
statements, which elaborate on the compliance statements, along the
lines of "Ciphersuites listed in Table 3 in TLS-Guideline [TLS
Guidelines] meet criteria of R0XXX." We discussed these statements last
Thursday and it was stated that such statements are not intended to be
normative. I took an action to rewrite the text to make it clearer that
these are not normative statements.

The problem I have after looking at the text again (including the compliance
statements) and also looking at the WS-I BSP is that it does not help
people wishing to implement the Secure Channel profile if these
statements are not normative and if they do not describe concretely
which suites should be used (or not). Saying 'do not use known insecure
suites' or 'only use secure ones' are motherhood statements. In any case
they are not really testable, which is one point of compliance statements.

Also the WS-I BSP has some discussion and normative statements in
sec. 3.2 about TLS/SSL ciphersuites, and since the Secure Channel states
that it "extends the WS-I Basic Security Profile 1.0" I became unsure
about what the relation between the various compliance statements in the Secure
Channel and the statements in the WS-I BSP is.

In short, sorry, can't do. I am not a security person... ;-)

Maybe we should discuss this issue again on the next call this Thursday.
(Dave? Alan? Takuya? Frank!)

Andreas
