
Hi Dave, I'm very sorry, but I cannot make the call today. I'm traveling. -- Marty
-----Original Message-----
From: David Snelling [mailto:David.Snelling@uk.fujitsu.com]
Sent: Friday, July 15, 2005 5:14 AM
To: humphrey@cs.virginia.edu
Cc: ogsa-wg@ggf.org
Subject: Re: [ogsa-wg] Comments on OGSA WSRF BP 1.0 draft 25 (specifically security)
Marty,
Your interpretation of the profile is correct. On several occasions we have discussed this very issue and each time the conclusion has been consistent with the current draft. If you think the case for relaxing the profile is stronger now than on earlier calls and F2F meetings, we should schedule a time when you can make the call. Hiro tells me that the BP is on the agenda for Monday's call. Can you make it?
Note that the profile does not outlaw MyProxy, GSI or anything else. It just says that for interoperability, these published standard techniques MUST/SHOULD/MAY be supported by compliant systems. The systems can and will use other techniques. In Unicore/GS we will continue to use the proprietary UPL/ETDF framework while also supporting the BP.
Talk to you on Monday (if I can stay awake).
On 15 Jul 2005, at 2:09, humphrey@cs.virginia.edu wrote:
I assume that this document has not entered public comment, so I'll post my comments here regarding security. I'm afraid that these are largely the SAME comments that I've made before.
Here are my specific concerns...
The security section (section 8.1) implies that *EVERY* SOAP message must be either (1) over TLS or (2) "SOAP Message security with XML signature and/or XML Encryption". If you truly mean this (implied by "R0811"), this is overly restrictive and makes no sense (there does not exist *ANY* message that can justifiably be sent between services/clients that need not incur the overhead of crypto?). However, it's not clear if you really mean this ("R0819", "R0820", "R0821", "R0822", "R0823" seem to imply otherwise)... so, what exactly is the intention here?
In general, section 8.1.2 is too restrictive -- "mutual-authenticated WS-Communication will be required" is overly restrictive. And this section includes this statement: "The Profile mandates that there be no anonymous communication. To ensure interoperability, only X.509 certificate-based authentication is permitted by the Profile." So, this latter part in particular says that there is *NO PLACE* for password authentication in OGSA. (I also believe that you have now outlawed MyProxy, right?)
Am I reading something incorrectly?
-- Marty
Marty Humphrey
Assistant Professor
Department of Computer Science
University of Virginia
--
Take care:
Dr. David Snelling < David . Snelling . UK . Fujitsu . com >
Fujitsu Laboratories of Europe
Hayes Park Central
Hayes End Road
Hayes, Middlesex UB4 8FE
+44-208-606-4649 (Office)
+44-208-606-4539 (Fax)
+44-7768-807526 (Mobile)