[ogsa-wg] Fwd: OGSA EAP Security profiles: Final call for comments
David Snelling
David.Snelling at UK.Fujitsu.com
Thu Dec 6 08:20:00 CST 2007
Forwarded:
Begin forwarded message:
> From: Sven van den Berghe <Sven.vandenBerghe at uk.fujitsu.com>
> Date: 29 November 2007 15:39:39 GMT
> To: dgm4d at virginia.edu
> Cc: Michel Drescher <Michel.Drescher at UK.Fujitsu.com>, David
> Snelling <David.Snelling at UK.Fujitsu.com>
> Subject: Re: [ogsa-wg] OGSA EAP Security profiles: Final call for
> comments
>
> Duane,
>
> Dave Snelling suggested that I look over these documents. I have
> the following comments which I hope you don't mind me making.
>
> Secure Addressing:
>
> C0302 Is there any way to strengthen this from SHOULD towards MUST?
> I guess that the SHOULD covers situations without a PKI
> infrastructure and other ways of trusting the source of EPRs, but
> allowing for this edge case does reduce the security/
> trustworthiness that is provided by strict conformance to the profile.
>
> Secure Communication:
>
> I have concerns about supplying the certificate in the document.
> You rightly make disclaimers warning that the source and
> transmission path need to be trusted, but in actual use I wonder
> if this chain of trust will be maintained with proper diligence by
> the creators of the consuming software? I can see that it is
> convenient and, when properly implemented, will be very useful, but
> it does have the potential of causing security problems in poor
> implementations.
>
> In various places throughout the document you say that a server
> certificate is provided for "hostname verification" (e.g. line
> 454). I think that this is restrictive as the certificate
> authenticates the server and not just the name of the remote host
> that gives you access to the server. I think that these statements
> could be rephrased.
>
> TYPO: Section B.2 the numbering of the code fragment is not right
> (continues from previous fragment)?
>
>
> Regards,
>
> Sven
>
> Sven.vandenBerghe at uk.fujitsu.com
> Fujitsu Laboratories of Europe
> +44 208 606 4651
>
>
>
> On 27 Nov 2007, at 15:27, David Snelling wrote:
>
>> Guys,
>>
>> Now is a good time for you two to have a look at these. For non-
>> delegation based security these should cover most authentication
>> level activity and provide the mechanism for carrying
>> authorization content.
>>
>> Begin forwarded message:
>>
>>> From: "Duane Merrill III" <dgm4d at virginia.edu>
>>> Date: 27 November 2007 14:17:48 GMT
>>> To: <ogsa-wg at ggf.org>
>>> Subject: [ogsa-wg] OGSA EAP Security profiles: Final call for
>>> comments
>>>
>>> Hi,
>>>
>>> The OGSA WG's "express authentication profiles" (Secure
>>> Addressing 1.0 and Secure Communication 1.0) are now available
>>> for any final comments before submission to the OGF Editor.
>>> You’ll find a copy of the documents (drafts 005) at
>>> https://forge.ogf.org/sf/go/projects.ogsa-wg/docman.root.working_drafts.security_profiles_use_case.
>>> If you have comments please let me have them by the end of Sunday,
>>> December 2nd.
>>>
>>> Thanks!
>>>
>>> - Duane
>>>
>>> --
>>> ogsa-wg mailing list
>>> ogsa-wg at ogf.org
>>> http://www.ogf.org/mailman/listinfo/ogsa-wg
>>
>> --
>>
>> Take care:
>>
>> Dr. David Snelling < David . Snelling . UK . Fujitsu . com >
>> Fujitsu Laboratories of Europe Limited
>> Hayes Park Central
>> Hayes End Road
>> Hayes, Middlesex UB4 8FE
>> Reg. No. 4153469
>>
>> +44-208-606-4649 (Office)
>> +44-7768-807526 (Mobile)
>>
>>
>>
>
--
Take care:
Dr. David Snelling < David . Snelling . UK . Fujitsu . com >
Fujitsu Laboratories of Europe Limited
Hayes Park Central
Hayes End Road
Hayes, Middlesex UB4 8FE
Reg. No. 4153469
+44-208-606-4649 (Office)
+44-7768-807526 (Mobile)