
Hi Marty and Takuya,

Your first comment was also deliberated and accepted. The minutes say:

The profile as it stands does not allow non-encrypted messages or channels.
There are cases when one would not want either, e.g., large data transfers that may cause performance degradation. Also depending on the environment it might be acceptable to not encrypt (e.g., operating within enterprise (behind firewall)).
(If corruption is the issue then signatures and not encryption is appropriate.)
Consensus on softening the requirement:
- Change l.466 'requires' to 'recommends'
- And also change transport level compliance statements R0811-14 from MUST to SHOULD.

http://tinyurl.com/5fxfd/minutes-20050718/en/1

We hope it covers your concern. Thank you again for your comments.
----
Hiro Kishimoto

Takuya Mori wrote:
Marty,
This message is regarding your second comment.
We discussed your comment and agreed to change the MUST requirement in the non-normative description to SHOULD in section 8.1.2. Please confirm the change in the latest draft document.
By the way, during the call, we found another problem in the mutual auth description. The problem is that the description that allows ONLY an X.509 certificate to be a security token, which we had overlooked, might be too restrictive. We continue discussing this point.
We will tell you the result of the discussion.
Thank you,
Takuya

From: humphrey@cs.virginia.edu
Subject: [ogsa-wg] Comments on OGSA WSRF BP 1.0 draft 25 (specifically security)
Date: Thu, 14 Jul 2005 21:09:28 -0400
I assume that this document has not entered public comment, so I'll post my comments here regarding security. I'm afraid that these are largely the SAME comments that I've made before.
Here are my specific concerns...
The security section (section 8.1) implies that *EVERY* SOAP message must be either (1) over TLS or (2) "SOAP Message security with XML signature and/or XML Encryption". If you truly mean this (implied by "R0811"), this is overly restrictive and makes no sense (there does not exist *ANY* message that can justifiably be sent between services/clients that need not incur the overhead of crypto?). However, it's not clear if you really mean this ("R0819", "R0820", "R0821", "R0822", "R0823" seem to imply otherwise)... so, what exactly is the intention here?
In general, section 8.1.2 is too restrictive -- "mutual-authenticated WS-Communication will be required" is overly restrictive. And this section includes this statement: "The Profile mandates that there be no anonymous communication. To ensure interoperability, only X.509 certificate-based authentication is permitted by the Profile." So, this latter part in particular says that there is *NO PLACE* for password authentication in OGSA. (I also believe that you have now outlawed MyProxy, right?)
Am I reading something incorrectly?
-- Marty
Marty Humphrey
Assistant Professor
Department of Computer Science
University of Virginia