Comments on OGSA WSRF BP 1.0 draft 25 (specifically security)

I assume that this document has not entered public comment, so I'll post my comments here regarding security. I'm afraid that these are largely the SAME comments that I've made before.

Here are my specific concerns...

The security section (section 8.1) implies that *EVERY* SOAP message must be either (1) over TLS or (2) "SOAP Message security with XML signature and/or XML Encryption". If you truly mean this (implied by "R0811"), this is overly restrictive and makes no sense (there does not exist *ANY* message that can justifiably be sent between services/clients that need not incur the overhead of crypto?). However, it's not clear if you really mean this ("R0819", "R0820", "R0821", "R0822", "R0823" seem to imply otherwise)... so, what exactly is the intention here?

In general, section 8.1.2 is too restrictive -- "mutual-authenticated WS-Communication will be required" is overly restrictive. And this section includes this statement: "The Profile mandates that there be no anonymous communication. To ensure interoperability, only X.509 certificate-based authentication is permitted by the Profile." So, this latter part in particular says that there is *NO PLACE* for password authentication in OGSA. (I also believe that you have now outlawed MyProxy, right?)

Am I reading something incorrectly?

-- Marty

Marty Humphrey
Assistant Professor
Department of Computer Science
University of Virginia

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/

humphrey@cs.virginia.edu wrote:
The security section (section 8.1) implies that *EVERY* SOAP message must be either (1) over TLS or (2) "SOAP Message security with XML signature and/or XML Encryption". If you truly mean this (implied by "R0811"), this is overly restrictive and makes no sense (there does not exist *ANY* message that can justifiably be sent between services/clients that need not incur the overhead of crypto?). However, it's not clear if you really mean this ("R0819", "R0820", "R0821", "R0822", "R0823" seem to imply otherwise)... so, what exactly is the intention here?
Certainly when it comes to information systems and how they are used by things like the RSS, there is a significant fraction of useful interaction that can be done completely unencrypted within a particular security domain (I had it argued to me that uses within a domain don't need to be standardized at all, which is theoretically true but life doesn't really seem to work like that; unifying the sorts of interfaces supported both internally and externally is a big win). For example, consider the looking up of non-user-specific information about the general configuration of resources. On the other hand, requiring that services support such access (at least potentially, even if a particular instance doesn't) is OK with me, as is a strong recommendation that anything carrying user-specific info (the majority of interactions, I presume) should be protected over the wire.

Donal.

Marty,

Your interpretation of the profile is correct. On several occasions we have discussed this very issue and each time the conclusion has been consistent with the current draft. If you think the case for relaxing the profile is stronger now than on earlier calls and F2F meetings, we should schedule a time when you can make the call. Hiro tells me that the BP is on the agenda for Monday's call. Can you make it?

Note that the profile does not outlaw myProxy to GSI and anything else. It just says that for interoperability, these published standard techniques MUST/SHOULD/MAY be supported by compliant systems. The systems can and will use other techniques. In Unicore/GS we will continue to use the proprietary UPL/ETDF framework while also supporting the BP.

Talk to you on Monday (if I can stay awake).

On 15 Jul 2005, at 2:09, humphrey@cs.virginia.edu wrote:
--
Take care:

Dr. David Snelling < David . Snelling . UK . Fujitsu . com >
Fujitsu Laboratories of Europe
Hayes Park Central
Hayes End Road
Hayes, Middlesex UB4 8FE

+44-208-606-4649 (Office)
+44-208-606-4539 (Fax)
+44-7768-807526 (Mobile)

Can you briefly recount the arguments for making message security required? I would tend to agree with Marty on this point, for two reasons. First, I think there are a variety of services (or operations) that can be done anonymously, such as some information services. Second, the cost of security in terms of performance can be very high, so to mandate it even when it's not needed seems a bit extreme.

-Steve

On Jul 15, 2005, at 4:13 AM, David Snelling wrote:

Hi Dave,

I'm very sorry, but I cannot make the call today. I'm traveling.

-- Marty

-----Original Message-----
From: David Snelling [mailto:David.Snelling@uk.fujitsu.com]
Sent: Friday, July 15, 2005 5:14 AM
To: humphrey@cs.virginia.edu
Cc: ogsa-wg@ggf.org
Subject: Re: [ogsa-wg] Comments on OGSA WSRF BP 1.0 draft 25 (specifically security)

Hi Marty,

Thank you for your comment. I am answering your second point in this message.

I think our intention on the requirement level for the mutual authentication is the same as yours. Although the informational description of the constraints is written using the words "will be required", the constraints, which are the normative statements, state that the requirements are "SHOULD", which is one level looser than "MUST". I think we can change the word "required" to "recommended" in the informational sentence, if it is confusing.

Thank you,
Takuya Mori

From: humphrey@cs.virginia.edu
Subject: [ogsa-wg] Comments on OGSA WSRF BP 1.0 draft 25 (specifically security)
Date: Thu, 14 Jul 2005 21:09:28 -0400

Hi Marty,

Your post raised another issue for me. When I looked at the Security section in the OGSA WSRF BP I half expected to see recommendations on signing WS-Addressing headers. WSRF has a dependence on WS-Addressing and it is hard to create secure signed SOAP messages without signing the information that is supplied by WS-Addressing (wsa:To, wsa:From, wsa:MessageID, wsa:ReplyTo etc) but there is no current profile that deals with the signing of WS-Addressing headers (perhaps I missed one?). I would expect OASIS or WS-I to produce a security profile that includes WS-Addressing but it looks like a hole in the OGSA WSRF BP security section to me.

cheers
Mark

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mark Mc Keown                        RSS
Mark.McKeown@man.ac.uk               Manchester Computing
+44 161 275 0601                     University of Manchester
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On Thu, 14 Jul 2005 humphrey@cs.virginia.edu wrote:
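Mark's point can be checked mechanically on a received message: a WS-Security signature protects exactly the elements its ds:SignedInfo references, so a receiver (or a compliance test for the profile) can list which wsa:* headers fall outside it. The following is an added example, not code from this thread, from the OGSA WSRF BP or from any WSRF implementation. It assumes SOAP 1.1 with the WS-Addressing 1.0 (2005/08) and OASIS WSS 1.0 (2004/01) namespaces and that signed parts are referenced by wsu:Id fragment URIs; the two envelopes are constructed samples with placeholder digest and signature values. It reports signature coverage only; cryptographic validity is checked separately by the WS-Security stack.

```python
"""Coverage check for WS-Addressing headers under a WS-Security signature.

Added example (not from the thread or the OGSA WSRF BP): parse a SOAP 1.1
envelope, collect the fragment ids named by ds:SignedInfo/ds:Reference, and
report which wsa:* headers are NOT covered. Namespaces assumed: WS-Addressing
1.0 (2005/08) and OASIS WSS 1.0 (2004/01). This checks what the signature
claims to cover, not whether the signature itself verifies.
"""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]


def signed_ids(envelope):
    """Fragment ids (URI="#x") named by ds:Reference elements in SignedInfo."""
    path = ".//wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference"
    return {
        ref.get("URI", "")[1:]
        for ref in envelope.iterfind(path, NS)
        if ref.get("URI", "").startswith("#")
    }


def addressing_coverage(xml_text):
    """Map each wsa:* header (local name) to whether a ds:Reference covers it.

    A header is covered only if it carries a wsu:Id that SignedInfo references;
    a header without any id cannot be covered by an id-based reference."""
    envelope = ET.fromstring(xml_text)
    ids = signed_ids(envelope)
    header = envelope.find("soap:Header", NS)
    wsa_prefix = "{%s}" % NS["wsa"]
    coverage = {}
    for child in ([] if header is None else list(header)):
        if child.tag.startswith(wsa_prefix):
            local = child.tag[len(wsa_prefix):]
            wsu_id = child.get(WSU_ID)
            coverage[local] = wsu_id is not None and wsu_id in ids
    return coverage


def unsigned_addressing_headers(xml_text):
    """Sorted local names of the wsa:* headers the signature does not cover."""
    return sorted(n for n, ok in addressing_coverage(xml_text).items() if not ok)


def _sample_envelope(signed):
    """Constructed sample message; DigestValue/SignatureValue are placeholders."""
    refs = "".join(
        '<ds:Reference URI="#%s"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>' % i
        for i in signed)
    return """<soap:Envelope xmlns:soap="{soap}" xmlns:wsa="{wsa}" xmlns:wsse="{wsse}"
  xmlns:wsu="{wsu}" xmlns:ds="{ds}">
  <soap:Header>
    <wsa:To wsu:Id="to">http://example.org/wsrf/resource</wsa:To>
    <wsa:Action wsu:Id="action">http://example.org/GetResourceProperty</wsa:Action>
    <wsa:MessageID wsu:Id="msgid">urn:uuid:00000000-0000-0000-0000-000000000001</wsa:MessageID>
    <wsa:ReplyTo wsu:Id="replyto"><wsa:Address>http://example.org/client</wsa:Address></wsa:ReplyTo>
    <wsse:Security>
      <ds:Signature><ds:SignedInfo>{refs}</ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="body"><GetResourceProperty xmlns="http://example.org/"/></soap:Body>
</soap:Envelope>""".format(refs=refs, **NS)


# Body-only signature: the addressing headers are outside what is protected.
BODY_ONLY_SIGNED = _sample_envelope(["body"])
# Signature that also binds To/Action/MessageID/ReplyTo to the message.
FULLY_SIGNED = _sample_envelope(["body", "to", "action", "msgid", "replyto"])

if __name__ == "__main__":
    print("body-only signature leaves unsigned:", unsigned_addressing_headers(BODY_ONLY_SIGNED))
    print("full signature leaves unsigned:", unsigned_addressing_headers(FULLY_SIGNED))
```

On the body-only envelope the check reports Action, MessageID, ReplyTo and To as unprotected, which is the gap Mark describes: the receiver can verify the body yet holds no signed evidence of whom the message was addressed to or where replies were meant to go. A profile rule of the kind he asks for would be enforced by rejecting any message for which this list is non-empty.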

Marty,

This message is regarding your second comment.

We discussed your comment and agreed to change the MUST requirement in the non-normative description to SHOULD in section 8.1.2. Please confirm the change in the latest draft document.

By the way, during the call we found another problem in the mutual auth description. The problem is that the description allows ONLY an X.509 certificate to be a security token, which we had overlooked, and this might be too restrictive. We are continuing to discuss this point.

We will tell you the result of the discussion.

Thank you,
Takuya

From: humphrey@cs.virginia.edu
Subject: [ogsa-wg] Comments on OGSA WSRF BP 1.0 draft 25 (specifically security)
Date: Thu, 14 Jul 2005 21:09:28 -0400

Hi Marty and Takuya,

Your first comment was also deliberated and accepted. The minutes say:
The profile as it stand does not allow non-encrypted messages or channels.
There are cases when one would not want either, e.g., large data transfers that may cause performance degradation. Also depending on the environment it might be acceptable to not encrypt (e.g., operating within enterprise (behind firewall)).
(If corruption is the issue then signatures and not encryption is appropriate.)
Consensus on softening the requirement:
- Change l.466 'requires' to 'recommends'
- And also change transport level compliance statements R0811-14 from MUST to SHOULD.
http://tinyurl.com/5fxfd/minutes-20050718/en/1

We hope it covers your concern. Thank you again for your comments.

----
Hiro Kishimoto

Takuya Mori wrote:
participants (8)
- David Snelling
- Donal K. Fellows
- Hiro Kishimoto
- humphrey@cs.virginia.edu
- Mark McKeown
- Marty Humphrey
- Steve Tuecke
- Takuya Mori