
Hi Marty,

Your post raised another issue for me. When I looked at the Security section in the OGSA WSRF BP I half expected to see recommendations on signing WS-Addressing headers. WSRF has a dependence on WS-Addressing and it is hard to create secure signed SOAP messages without signing the information that is supplied by WS-Addressing (wsa:To, wsa:From, wsa:MessageID, wsa:ReplyTo etc) but there is no current profile that deals with the signing of WS-Addressing headers (perhaps I missed one?). I would expect OASIS or WS-I to produce a security profile that includes WS-Addressing but it looks like a hole in the OGSA WSRF BP security section to me.

cheers
Mark

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mark Mc Keown                RSS
Mark.McKeown@man.ac.uk       Manchester Computing
+44 161 275 0601             University of Manchester
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On Thu, 14 Jul 2005 humphrey@cs.virginia.edu wrote:
I assume that this document has not entered public comment, so I'll post my comments here regarding security. I'm afraid that these are largely the SAME comments that I've made before.
Here are my specific concerns...
The security section (section 8.1) implies that *EVERY* SOAP message must be either (1) over TLS or (2) "SOAP Message security with XML signature and/or XML Encryption". If you truly mean this (implied by "R0811"), this is overly restrictive and makes no sense (there does not exist *ANY* message that can justifiably be sent between services/clients that need not incur the overhead of crypto?). However, it's not clear if you really mean this ("R0819", "R0820", "R0821", "R0822", "R0823" seem to imply otherwise)... so, what exactly is the intention here?
In general, section 8.1.2 is too restrictive -- "mutual-authenticated WS-Communication will be required" is overly restrictive. And this section includes this statement: "The Profile mandates that there be no anonymous communication. To ensure interoperability, only X.509 certificate-based authentication is permitted by the Profile." So, this latter part in particular says that there is *NO PLACE* for password authentication in OGSA. (I also believe that you have now outlawed MyProxy, right?)
Am I reading something incorrectly?
-- Marty
Marty Humphrey
Assistant Professor
Department of Computer Science
University of Virginia

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/
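The gap Mark describes above, that a WS-Security signature may leave the WS-Addressing headers uncovered, can be checked mechanically on received messages. The following is an added example, not code from either poster or from the OGSA WSRF BP; it assumes the 2004/08 WS-Addressing namespace and the common wsu:Id / "#id" reference style, and the SOAP envelope is a constructed sample in which wsa:ReplyTo carries no wsu:Id and so is not signed.

```python
import xml.etree.ElementTree as ET

# Namespaces assumed for a WSRF-era stack; adjust the WS-Addressing URI to the
# version your toolkit actually emits.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsa": "http://schemas.xmlsoap.org/ws/2004/08/addressing",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]


def signed_ids(root):
    """Collect the wsu:Id values that ds:Reference elements point at ("#id" URIs)."""
    ids = set()
    for ref in root.iterfind(".//ds:Signature/ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        if uri.startswith("#"):
            ids.add(uri[1:])
    return ids


def unsigned_addressing_headers(xml_text):
    """Return the local names of wsa:* headers not covered by any ds:Reference.

    Only the wsu:Id reference style is understood: a header signed through an
    XPath or other transform is reported as unsigned (a conservative result)."""
    root = ET.fromstring(xml_text)
    header = root.find("soap:Header", NS)
    if header is None:
        return []
    covered = signed_ids(root)
    wsa_prefix = "{%s}" % NS["wsa"]
    missing = [el.tag[len(wsa_prefix):] for el in header
               if el.tag.startswith(wsa_prefix) and el.get(WSU_ID) not in covered]
    return sorted(missing)


# Constructed sample: To, MessageID and Body are signed, ReplyTo is not.
SAMPLE = """<soap:Envelope xmlns:soap="%(soap)s" xmlns:wsa="%(wsa)s" xmlns:wsse="%(wsse)s"
 xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s"><soap:Header>
 <wsa:To wsu:Id="to">http://example.org/resource</wsa:To>
 <wsa:MessageID wsu:Id="mid">uuid:example-1</wsa:MessageID>
 <wsa:ReplyTo><wsa:Address>http://example.org/client</wsa:Address></wsa:ReplyTo>
 <wsse:Security><ds:Signature><ds:SignedInfo>
  <ds:Reference URI="#to"/><ds:Reference URI="#mid"/><ds:Reference URI="#body"/>
 </ds:SignedInfo><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature></wsse:Security>
</soap:Header><soap:Body wsu:Id="body"/></soap:Envelope>""" % NS

if __name__ == "__main__":
    print(unsigned_addressing_headers(SAMPLE))  # → ['ReplyTo']
```

A verifier that accepts such a message has no integrity guarantee on where the response will be sent, which is exactly why the addressing headers belong inside the signed set.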