[ogsa-wg] Strawman "OGSA Express Authentication Profile" Security Profiles
Duane Merrill
dgm4d at virginia.edu
Tue Jun 5 16:25:37 CDT 2007
Thanks for the insightful comments, Blair. I've embedded some of my
responses to your comments regarding the three profile documents below;
I'll see if I can get Andrew to address your considerations regarding
the use-case document as well.
Regards,
Duane
Blair Dillaway wrote:
>
>
>
> SP 2.0 -- Secure Addressing
>
>
>
> I believe the new mechanism being proposed for communication
> authentication and communication security requirements is
> counterproductive. Major industry players have already invested a lot
> of time in developing WS-SecurityPolicy (see WS-SecurityPolicy 1.2 ,
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512) which is on
> a standards track in OASIS. This makes it unlikely you will find broad
> interest in developing or implementing the mechanism you propose. I
> also feel such a mechanism, which is specific to communication as part
> of an EPR, is too limiting. The flexibility to support other
> mechanisms such as WSDL, WS-MetadataExchange, etc. are important for
> broad adoption.
>
>
>
> I therefore suggest you profile WS-SecurityPolicy for interoperability
> across the grid use cases of interest. This can include how it should
> be encoded within an EPR. I would also suggest the interop profile for
> communicating this information be in one document rather than having
> pieces spread over three different specs as in these drafts.
>
Interesting point. WS-SecurityPolicy does appear to provide what we're
looking to augment the EPR with, in terms of being able to conveying
secure communication requirements (and ancillary tokens). Our concern
with WS-SecurityPolicy has been the ambiguity of its status within the
WS-SX technical committee.
Our meta-goal is to establish uniform mechanism for grouping all of the
required information that one party needs for communication within one
vehicle. From our perspective, the EPR is a great fit (it already
contains an address URI, reference parameters, etc.). The missing
piece, with respect to EPRs, is the lack of mechanism for conveying
secure communication requirements (and ancillary tokens). Profiling
WS-SecurityPolicy in a non-EPR-specific manner may help other mechanisms
(as you mention, WSDL, or WS-MetadataExchange) to serve as means to our
ends. Specifics for EPR, WSDL, and WS-MetadataExchange could then
leverage such common WS-SecurityPolicy requirements.
>
>
> SP 2.0-Secure Transport
>
>
>
> I suggest removing the 'secure addressing' parts per my comments
> above. If that is done, I am concerned this spec comes across as
> little more than a profile of WS-I BSP transport security that says
> 'don't use weak cipher suites'. I fear people may have trouble seeing
> the value or why OGSA BSP -- Secure Channel isn't adequate. I think
> you should consider a different approach to packaging these specs
> and/or including a very succinct description of the value provided by
> this spec in the introduction.
>
This separation of this document from the others reflects a separation
of concerns. Profiles such as the WS-I BSP have chosen to profile many
semi-orthogonal specifications within one document. We argue that this
is not an ideal approach as maintaining, evolving, and supporting
profiles for the different components becomes less intuitive for profile
designers and implementers alike. (Analogous to OO design principles
where derived classes are further refinements of their parents, and one
strives to keep the abstractions coherent.)
Specifically, the Secure Transport document serves to
* Establish a common identifier for a particular type of transport
requirement
* Establish processing rules for an extended form of hostname
verification
* Restrict allowable ciphersuites (a feature entirely inherited from
this document's predecessor, the OGSA Security Profile - Secure
Channel document.)
>
> SP 2.0 -- Secure SOAP Messaging
>
>
>
> I think a big part of the problem is flipping back and forth between
> requirements predicated on the presence or absence of 'message
> forwarding intermediaries'. It might be easier if the material were
> organized based on the two possible messaging models.
>
Point taken.
>
>
>
> Some specific comments:
>
> - Given the behaviors are based on the presence of message
> forwarding intermediaries, you really need to be precise in defining
> this. I expect you mean the case where the sender is transmitting a
> message to an end-point which it knows is not the ultimate recipient
> for the message body. I suspect you don't consider a transparent
> firewall or router to be an intermediary.
>
A reasonable request.
>
> - I strongly suggest you include a brief definition of
> CRITICAL_SIGNING and CRITICAL_ENCRYPTION. You already mention what
> should be signed or encrypted and adding the supported algorithms
> would aid the reader in understanding what is required without having
> to go find the material in the WS-I BSP.
>
The document defines the CRITICAL_SIGNING and CRITICAL_ENCRYPTION
conformance targets in the "Conformance Targets" section. The intent of
referring the reader to the WS-I BSP for more specifics regarding the
details for signing/encryption requirements is, again, an intentional
application of separation of concerns.
>
> - I question the requirement to encrypt of all messages. I
> really think you need to articulate the explicit use cases you are
> supporting that make this essential.
>
By no means does this document require the encryption of all messages.
Rather, it defines a mechanism for an EPR to convey that a /particular
/service requires encryption of all messages sent to /it/. (Many
services may not have this requirement, and their endpoint references
will reflect its absence.)
>
> - Section 7 has seemingly contradictory requirements. I can
> quess at what you meant, but it would be better if you clarified it.
> First, you say not to use username tokens " C0701 -- Username Token
> credentials *SHOULD NOT be used for message level authentication*
> because they are not cryptographically verifiable. Then 7.2 says to
> use them for message sender authN "This subsection describes the
> *secure messaging requirements for message /SENDER/s authenticating*
> to /RECIEVER/s using Username Token credentials...... R0702 -- Message
> /SENDER/s MUST place the UsernameToken credential in the message
> header in accordance with the WSS UTP and Section 11 of the WS-I BSP."
>
Again, these are message processing rules that are to be carried out iff
the endpoint reference indicates that particular action as a requirement
for the referenced endpoint.
____________________________
Duane Merrill
dgm4d at cs.virginia.edu <mailto:dgm4d at cs.virginia.edu>
UVa Computer Science Department
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.ogf.org/pipermail/ogsa-wg/attachments/20070605/c1cf5cbd/attachment.html
More information about the ogsa-wg
mailing list