Folks,

Thanks again for all of your hard work for the Supercomputing demo last month. I believe that we now have a new HPC Basic Profile that reflects our collective experiences, at least in regard to security.

More precisely, I have uploaded a new draft of the “HPC Basic Profile” to forge.ogf.org. The *only* modification is the inclusion of a “Security Considerations” section based on our collective experiences of the SC2006 interopfest. I encourage you to read it at: http://forge.ggf.org/sf/docman/do/downloadDocument/projects.ogsa-hpcp-wg/docman.root.drafts.hpc_basic_profile/doc13736/5

Note: I remind everyone that the “HPC Basic Profile” corresponds to the “Base Case” of the use-case/requirements document (http://www.ggf.org/Public_Comment_Docs/Documents/Aug-2006/draft-ggf-ogsa-hpcp-use-cases-02.pdf); correspondingly, the “security considerations” of this “HPC Basic Profile” doc essentially only covers this “Base Case” as well. The “Common Cases” are NOT specifically addressed.

For those of you who cannot immediately read this, the essence of the HPC Basic Profile “Security Considerations” in this draft is as follows:

R0501: An INSTANCE MUST support TLS 1.0, SHOULD support SSL 3.0, and SHOULD support TLS 1.1.

R0502: An INSTANCE MUST support the FIPS-140 compliant ciphersuites.

R0503: An INSTANCE MUST support TLS_RSA_WITH_AES_128_CBC_SHA.

R0504: An INSTANCE MUST support service authentication using X.509 certificates using RSA cryptographic keys and the SHA-1 digest algorithm.

R0505: An INSTANCE MUST support either client authentication using username/password credentials or X.509 certificates using RSA cryptographic keys and the SHA-1 digest algorithm.

R0506: An INSTANCE must use TLS/SSL encryption key agreement based on the RSA algorithm. Diffie-Hellman key agreement shall not be used.

R0507: Client authentication based on username/password must use a password digest and conform to the Web Services Security Username Token Profile 1.1.

We encourage comments/questions on these 7 requirements/mandates, both on this email list and on the call this Friday (11am Eastern).

However, *BEFORE* raising a question or concern on this list above, *PLEASE* read the document first, as the document has a fairly detailed (for a technical recommendation) explanation/justification. Your questions might possibly be answered in this doc.

I also note that this is a *DRAFT*, so there’s plenty of time/room for discussion on this!

See you on the call on Friday. This security section will be the main topic.

-- Marty
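
As an added illustration of the seven mandates above (my own Python, not part of Marty's message, the HPC Basic Profile draft, or any OGF implementation), the block below does two things a deployer would want: it checks a summarised TLS configuration against the MUST-level items R0501 and R0503 to R0506, and it implements the R0507 password-digest client authentication on both the client and the server side, including the freshness and replay checks a server needs. The configuration dict, its field names and the sample instances are constructed for the example; the digest formula, Base64(SHA-1(nonce + created + password)), is the PasswordDigest defined by the UsernameToken Profile 1.1 that R0507 cites. R0502 (FIPS-140 ciphersuites) is a property of the validated crypto module and is deliberately not checked here.

```python
"""Checks for the HPC Basic Profile security mandates quoted in the message.

Constructed example: the config dict shape, field names and sample values are
my own, not the profile's or any implementation's API.
"""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timezone

# R0501: TLS 1.0 is a MUST; SSL 3.0 and TLS 1.1 are SHOULD (reported, not failed).
MUST_PROTOCOLS = {"TLSv1.0"}
SHOULD_PROTOCOLS = {"SSLv3", "TLSv1.1"}
# R0503: the one ciphersuite every instance must offer.
MUST_CIPHERSUITE = "TLS_RSA_WITH_AES_128_CBC_SHA"
# R0504 / R0505: certificate-based authentication uses RSA keys with SHA-1.
REQUIRED_CERT = {"key": "RSA", "digest": "SHA-1"}


def check_tls_config(config):
    """Return the MUST-level violations (R0501, R0503-R0506) for a constructed
    config dict with keys protocols, ciphersuites, key_exchange, server_cert,
    client_auth.  R0502 (FIPS-140) is not checked here."""
    problems = []
    if not MUST_PROTOCOLS <= config["protocols"]:
        problems.append("R0501: TLS 1.0 MUST be supported")
    if MUST_CIPHERSUITE not in config["ciphersuites"]:
        problems.append(f"R0503: {MUST_CIPHERSUITE} MUST be supported")
    if config["server_cert"] != REQUIRED_CERT:
        problems.append("R0504: service certificate must use an RSA key with SHA-1")
    if not config["client_auth"] & {"username_password", "x509_rsa_sha1"}:
        problems.append("R0505: no supported client authentication method")
    # R0506: key agreement must be RSA; any DH/DHE/ECDH suite (by IANA name) is out.
    dh = sorted(s for s in config["ciphersuites"] if "_DH" in s or "_ECDH" in s)
    if dh or config["key_exchange"] - {"RSA"}:
        problems.append("R0506: Diffie-Hellman key agreement shall not be used: " + ", ".join(dh))
    return problems


def should_level_gaps(config):
    """SHOULD items from R0501 the instance does not offer (advisory only)."""
    return sorted(SHOULD_PROTOCOLS - config["protocols"])


# --- R0507: WS-Security UsernameToken Profile 1.1, PasswordDigest variant ---
CREATED_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_created(created):
    """Parse the wsu:Created timestamp (UTC, second precision) used in the token."""
    return datetime.strptime(created, CREATED_FMT).replace(tzinfo=timezone.utc)


def password_digest(nonce, created, password):
    """PasswordDigest = Base64(SHA-1(nonce + created + password)); nonce is raw bytes."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def make_username_token(username, password, now=None):
    """Client side: a fresh random nonce and UTC Created timestamp per token."""
    nonce = os.urandom(16)
    created = (now or datetime.now(timezone.utc)).strftime(CREATED_FMT)
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "PasswordDigest": password_digest(nonce, created, password),
    }


def verify_username_token(token, lookup_password, seen_nonces, now=None, max_skew=300):
    """Server side: recompute the digest and reject stale or replayed tokens.
    lookup_password maps a username to its stored password (or None);
    seen_nonces is the caller's replay cache (a set here)."""
    now = now or datetime.now(timezone.utc)
    password = lookup_password(token["Username"])
    if password is None:
        return False
    try:
        created = parse_created(token["Created"])
        nonce = base64.b64decode(token["Nonce"], validate=True)
    except ValueError:  # malformed timestamp or nonce (binascii.Error is a ValueError)
        return False
    if abs((now - created).total_seconds()) > max_skew:
        return False  # outside the freshness window
    if token["Nonce"] in seen_nonces:
        return False  # replay of a token already accepted
    expected = password_digest(nonce, token["Created"], password)
    if not hmac.compare_digest(expected, token["PasswordDigest"]):
        return False
    seen_nonces.add(token["Nonce"])
    return True


if __name__ == "__main__":
    sample = {  # constructed instance description
        "protocols": {"TLSv1.0"},
        "ciphersuites": {"TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"},
        "key_exchange": {"RSA", "DHE"},
        "server_cert": {"key": "RSA", "digest": "SHA-1"},
        "client_auth": {"username_password"},
    }
    print(check_tls_config(sample), should_level_gaps(sample))
    tok = make_username_token("alice", "s3cret")
    print(verify_username_token(tok, {"alice": "s3cret"}.get, set()))
```

Two points the code makes explicit: the digest variant of R0507 only protects the password if the server also enforces a freshness window on Created and keeps a replay cache of nonces, and it requires the server to hold the password itself (a hashed-at-rest store cannot recompute the digest), which is worth weighing against the X.509 alternative in R0505.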