OGSA Teleconference - 28 September 2006 ======================================= * Participants Jem Treadwell (HP) Alan Sill (TTU) Andreas Savva (Fujitsu) Takuya Mori (NEC) Hiro Kishimoto (Fujitsu) Chris Kantarjiev (Oracle) Chris Jordan (SDSC) Michel Drescher (Fujitsu) Minutes: Chris Jordan, Hiro Kishimoto, Andreas Savva (ed) * Summary of new actions AI-0928a: Takuya will issue a final call on BSP-Core on the list. AI-0928b: Takuya will get another opinion on TLS 1.1 and ciphersuites (probably ask Frank Siebenlist) AI-0928c: Andreas will propose new text for the reference to the NIST document to make it clearer that it is an informative statement * Skipped minutes approval and action review due to initial lack of quorum * Roadmap 1.1 discussion Chris Jordan began by discussing the state of the document as it is on gridforge at the moment, focusing primarily on the fact that there are now several documents which are complete, published as GFDs, and do not necessarily have a schedule for subsequent versions. The primary OGSA documents fit into this category. This reinforces the notion that we need to keep published documents in the main body of the Roadmap, rather than moving them to an appendix. Hiro noted that there was no descriptive text for the OGSA Architecture and Glossary documents in their entries in Section 3, and took the action to provide some text. (This action has been completed.) Chris J also noted that while Mike Behrens has written some material addressing the underlying web services specifications, he has not included it, partially because with the introduction of the WS-ResourceTransfer family of specifications, it is not clear whether these need to be addressed and to what extent. (It was not discussed where, precisely, this material should go, but it will be discussed in the next Roadmap call. Leaning towards an appendix.) Hiro agreed that this was an important point, and it was agreed that there would be some mention of the existence of these specifications, and that it would merely be stated that the OGSA and related groups would address them with profiles or other work as necessary, and as the evolution of WS-RT implementations continues. Chris J noted that he's still having trouble getting updated status and descriptive text from all the document authors, and that as a result, some of the dates in the document currently on gridforge represent educated guesses rather than hard information. He will continue trying to get more information from the relevant working groups. Jem pointed out that the document needs to be updated to conform to the new OGF Document template recently posted on gridforge. There was a brief discussion of the complexity of this task, which led to the agreement that Chris J will perform the transition to the new template as part of the next round of changes. Hiro suggested that the "OGSA document structure" figure used in several presentations is useful in section 2.0. Hiro will send the latest figure to Chris J for consideration. [Completed.] * Basic Security Profile - Core review Takuya explained Andreas and he revised the text for keyinfo on page 5. The new text looks good and there are no farther comments on this profile draft. It was agreed to proceed to a final call on the list. Takuya will accept all modifications in the document and upload to GridForge. AI-0928a: Takuya will issue a final call on BSP-Core on the list. * Security Profile - Secure Channel review - l.222-3: Takuya added reference to a table in a NIST document. The proposal is that this is a good table to refer to for ciphersuires and key lengths. - Alan said that the table is not far from current practice and is a good reference. But it only recommends (SHOULD) 1024-bit keys while in (their) current guidelines 2048-bit keys are required (MUST). - Michel pointed out this reference is misplaced here since the NIST table discusses algorithms while the compliance statements are about authentication. It may be better to refer to a different table, if one exists. - Agreed to delete lines 222-3. - Also discussed whether there should be a statement that TLS offers this (authentication) feature already. Takuya will consider adding some text here. - l.230-236: New text looks fine - l.246: New text looks fine. - The table does include SHA1 for which potential compromises have been shown. Other guidelines recommend SHA256, etc. - Discussed again the applicability of the reference to the NIST document. Any security reference dealing with such information is bound to become obsolete. This document was published in 2005. - Considered a specific expiration statement for the Profile document. OGF does not have process for expiring documents and it is not clear what is current anyway. - Considered modifying the statement to say "at time of publication"; and to also make a forward statement that the reference may be superseded by a newer version if one becomes available. - Considered making separate statements to modify recommended key lengths, etc. (Decided in a previous call not to do this.) - Alan mentioned that IETF has done some work on a newer set of ciphersuites (for TLS 1.1). But it is not clear how well adopted that is. - Clarified that the reference to the NIST table is informative. - Agreed to change the text to make it clearer that this reference is not a normative statement. And possibly to add references to other more recent work as well as a forward statement. - It was mentioned that TLS 1.1 obsoletes TLS 1.0. The Profile however is intended to also take into account current adoption levels. It is not clear how widely implemented TLS 1.1 is. AI-0928b: Takuya will get another opinion on TLS 1.1 and ciphersuites (probably ask Frank Siebenlist) - l.161 The conformance URI should be changed from 'bsp' to 'sp' to be in line with the new title. AI-0928c: Andreas will propose new text for the reference to the NIST document to make it clearer that it is an informative statement Takuya will prepare a new version. Since there are a number of unresolved issues the Secure Channel will not go to final call until the issues raised during this review are closed. There is a security discussion scheduled for next Thursday (Oct 5). Confirm status at that time.