From: Sven van den Berghe <Sven.vandenBerghe@uk.fujitsu.com>

Date: 29 November 2007 15:39:39 GMT

To: dgm4d@virginia.edu

Cc: Michel Drescher <Michel.Drescher@UK.Fujitsu.com>, David Snelling <David.Snelling@UK.Fujitsu.com>

Subject: Re: [ogsa-wg] OGSA EAP Security profiles: Final call for comments

Duane,

 Dave Snelling suggested that I look over these documents. I have the following comments which I hope you don't mind me making.

Secure Addressing:

C0302 Is there anyway to strengthen this from SHOULD towards MUST? I guess that the SHOULD covers situations without a  PKI infrastructure and other ways of trusting the source of EPRs, but allowing for this edge case does reduce the security/trustworthiness that is provided by strict conformance to the profile.

Secure Communication:

I have concerns about supplying the certificate in the document. You rightly make disclaimers warning that the source and transmission path needs to be trusted, but in actual use I wonder if this chain of trust will be maintained with proper diligence by the creators of the consuming software? I can see that it is convenient and, when properly implemented, will be very useful, but it does have the potential of causing security problems in poor implementations.

In various places throughout the document you say that a server certificate is provided for "hostname verification" (e.g. line 454). I think that this is restrictive as the certificate authenticates the server and not just the name of the remote host that gives you access to the server. I think that these statements could be rephrased.

TYPO: Section B.2 the numbering of the code fragment is not right (continues from previous fragment)?

Regards,

Sven

Sven.vandenBerghe@uk.fujitsu.com

Fujitsu Laboratories of Europe

+44 208 606 4651

On 27 Nov 2007, at 15:27, David Snelling wrote:

Guys,

Now is a good time for you two to have a look at these. For non-delegation based security these should cover most authentication level activity and provide the mechanism for carrying authorization content.

Begin forwarded message:

From: "Duane Merrill III" <dgm4d@virginia.edu>

Date: 27 November 2007 14:17:48 GMT

To: <ogsa-wg@ggf.org>

Subject: [ogsa-wg] OGSA EAP Security profiles: Final call for comments

Hi,

The OGSA WG's "express authentication profiles" (Secure Addressing 1.0 and Secure Communication 1.0) are now available for any final comments before submission to the OGF Editor.  You’ll find a copy of the documents (drafts 005) at https://forge.ogf.org/sf/go/projects.ogsa-wg/docman.root.working_drafts.security_profiles_use_case. If you have comments please let me have them by the end of Sunday, December 2nd.

Thanks!

- Duane

--

  ogsa-wg mailing list

  ogsa-wg@ogf.org

  http://www.ogf.org/mailman/listinfo/ogsa-wg

-- 

Take care:

    Dr. David Snelling < David . Snelling . UK . Fujitsu . com >

    Fujitsu Laboratories of Europe Limited

    Hayes Park Central

    Hayes End Road

    Hayes, Middlesex  UB4 8FE

    Reg. No. 4153469

    +44-208-606-4649 (Office)

    +44-7768-807526  (Mobile)