
A little more broadly, I don't quite understand the justification for *ANY* mention of security in OGSA WSRF Basic Profile beyond "see WS-I Basic Security Profile v 1.0". If the authors felt that there was something specific in the WSRF rendering, that might be one thing, but I don't particularly see that in the text.

Let me put this another way: The reader who is not intimately involved with WSRF reads this and wonders "Why are they possibly doing this? Isn't WS-I Basic Security Profile sufficient to 'secure' Web services? Are they saying that WS-I Basic Security Profile is INSUFFICIENT? Then why don't they say this directly? Are they instead just repeating some things in WS-I Basic Security Profile? For what reason? If so, then why can't they just say this?"

The reader somewhat more involved/cognizant immediately comes around to what Mark points out. That is, as one of my guys puts it after reading the doc:

"On the security front, SSL and mutual authentication is required everywhere. It seems strange that SSL is required even if WS-Security message level encryption is used. In some cases might you want to allow anonymous access or not care about encryption? I think, maybe yes. I'm not sure how much is gained by restricting flexibility here. Certainly not interop, since interop is always best without security."

I'd like to hear more of the justification for this, as Mark points out (as others wonder as well, I'm sure).

-- Marty

Marty Humphrey
Assistant Professor
Department of Computer Science
University of Virginia

-----Original Message-----
From: owner-ogsa-wg@ggf.org [mailto:owner-ogsa-wg@ggf.org] On Behalf Of Mark McKeown
Sent: Friday, June 10, 2005 9:11 AM
To: ogsa-wg@gridforum.org
Subject: [ogsa-wg] Questions on OGSA WSRF Basic Profile 1.0

Hi folks, Sorry if these are dumb questions...
I was looking through WSRF Basic Profile 1.0, (Revised: Friday, June 10, 2005).
Section 9.1.1 Mandated Secure Transport
"All messages are subject to interference and corruption during transmission. The Profile mandates secure transmission of messages."
Is there a reference that makes this case?
I have looked at the WS-I document "Security Challenges, Threats and Countermeasures" http://www.ws-i.org/Profiles/BasicSecurity/SecurityChallenges-1.0.pdf which indicates that message level security is OK for many threats.
WSRF & ACID
Section 7 of Web Service Resource Properties 1.2 discusses ACID and WSRF - a WSRF implementor can choose a concurrency policy with regard to updating and retrieving resource properties, so two implementations of a WS-Resource with the same operations and PropertiesDocument could actually have different behaviour leading to interoperability issues for clients - is this an area for a WSRF profile to address?
thanks
Mark

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mark Mc Keown                  RSS
Mark.McKeown@man.ac.uk         Manchester Computing
+44 161 275 0601               University of Manchester
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~