[ogsa-wg] Draft, Informational, Security Profile

Blair Dillaway blaird at microsoft.com
Thu Mar 8 15:31:32 CST 2007


Mark, Duane,

I won't be at the F2F, so wanted to provide some comments now. I do generally agree with your assessment presented in Section 2 and the need for additional work.

1. I have discussed the motivating use cases for OGSA-BSP Core with Frank Siebenlist. This was developed to support validation of the desired TLS/SSL server where the server cert doesn't contain info corresponding to the service location. I happen to think standardizing on such a mechanism may be more important when using message-level security, but that may require some additional work as you mention.

2. With regard to your HPC Basic Profile comments in 2.3: it's important to remember the primary motivation for the specified security mechanisms was to support near-term interoperability between the different implementers consistent with the HPC base use case. Waiting for a more general solution to be developed was not a viable option.

3. There is likely to be significant overlap between what you propose in Section 3 of this document and the deliverables of the OGSA-AuthN WG based on the BoF at OGF19.  In particular, it was agreed one of the deliverables should be SOAP message WS-Security profiles for conveying the various types of authentication and supporting credentials needed for grid use cases. As with your proposal, this would be WS-I BSP security conformant.  I therefore strongly urge you to integrate your proposed work on "a straightforward application of the WS-I BSP's SOAP messaging security considerations to the grid domain" and "OGSA BSP-SC profile to reflect an approach similar to the current HPC-BP" into the OGSA-AuthN proposed deliverable.

The "endpoint reference security considerations" you wish to profile also seem in scope of the OGSA-AuthN effort. If you are willing to work on these, I see no reason we shouldn't include a deliverable for this work in the charter currently being prepared. I'd rather see us build AuthN-related critical mass in a single WG rather than split this across multiple WGs.

4. I hope that last sentence in your email doesn't imply writing a new standard that is "consistent with Globus GT 4" is a goal? The goal should be to develop a standard providing a basis for interoperability across a variety of grid middleware solutions. I hope Globus is one of those, but there's not much point in the effort if that's the only implementation.

Regards,
Blair Dillaway
Security AD

> -----Original Message-----
> From: ogsa-wg-bounces at ogf.org [mailto:ogsa-wg-bounces at ogf.org] On
> Behalf Of Mark Morgan
> Sent: Thursday, March 08, 2007 5:02 AM
> To: ogsa-wg at ggf.org
> Subject: [ogsa-wg] Draft, Informational, Security Profile
>
> Ladies and Gentlemen,
>
> Please find attached a draft copy of an informational document
> detailing a recommendation that the GBG group at the University of
> Virginia would like to discuss next week at the OGSA F2F.  To the best
> of our knowledge, based on documents sent by Mr. Ian Foster, this
> document describes ways of filling in gaps that exist in the current
> OGSA security documents that are consistent with Globus GT 4.
>
> -Mark and Duane
>
> --
> Mark Morgan
> Research Scientist
> Department of Computer Science
> University of Virginia
> http://www.cs.virginia.edu
> mmm2a at virginia.edu
> (434) 982-2047
