Friday, November 10, 2006

Taverna and Security

What does Taverna need to support security?

Read over 200 pages of WS-* specs to try and understand what is required for Taverna to support security. The horror, the horror.

Taverna is a workflow tool that came out of the MyGrid project that has got a lot of good press. We are thinking about using it for the NanoCMOS project. Unfortunately Taverna doesn't do security, and we have a strong requirement for security; the good news is that they are working on it!

Downloaded and played with Taverna, and it looks pretty good.
Noticed that many of the services for which Taverna is pre-configured have lots of get* type operations. We need one GET to rule them all!

I have been asked to look into what is needed by Taverna to support security given my experience implementing WS-Security for Perl. Beyond support for WS-Security, WS-SecureConversation and HTTPS it looks like the following specs are important:

WS-Addressing (signed SOAP headers for end-2-end security; also, policy can be stuck in the meta-data of the WS-Addressing EPRs),

WS-Policy and WS-SecurityPolicy (the language for declaring security policy; I thought this was pretty cool as it included support for saying things like "I want mutual authentication over HTTPS" etc.),

WS-PolicyAttachments (where you find policy; for example, it tells you how to extend WSDL to include policy),

WS-MetaDataExchange (policy can be found and retrieved using WS-MEX; unfortunate dependence on WS-RT, which is getting a rough reception at the W3C).


Of course WS-SecurityPolicy had no support for declaring policy with respect to Proxy certificates, more work for the OGF then. Other specs that may have an impact, but which I haven't looked at, are SAML, WS-Trust, and I am sure there are others.


If all this stuff worked and the tools consumed it with ease then it would be pretty powerful stuff, big if though.
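
A workflow client would have to read the policy attached to a service's WSDL before it connects. As an added example (not from the original post or the Taverna project), this Python reads a constructed WSDL whose binding references a WS-SecurityPolicy `HttpsToken` assertion and reports whether HTTPS and a client certificate are required. The WS-Policy 1.2 and WS-SecurityPolicy 1.1 namespaces, the sample document and the function name are assumptions, and policy alternatives (`wsp:ExactlyOne`) are not handled.

```python
import xml.etree.ElementTree as ET

# WS-Policy 1.2 / WS-SecurityPolicy 1.1 namespaces (assumed spec versions).
NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "sp": "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy",
}
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed sample: a binding that points at a policy via WS-PolicyAttachment.
SAMPLE_WSDL = f"""<wsdl:definitions xmlns:wsdl="{NS['wsdl']}"
    xmlns:wsp="{NS['wsp']}" xmlns:sp="{NS['sp']}" xmlns:wsu="{WSU}">
  <wsp:Policy wsu:Id="MutualTls">
    <sp:TransportBinding><wsp:Policy>
      <sp:TransportToken><wsp:Policy>
        <sp:HttpsToken RequireClientCertificate="true"/>
      </wsp:Policy></sp:TransportToken>
    </wsp:Policy></sp:TransportBinding>
  </wsp:Policy>
  <wsdl:binding name="JobBinding">
    <wsp:PolicyReference URI="#MutualTls"/>
  </wsdl:binding>
</wsdl:definitions>"""


def transport_requirements(wsdl_text, binding_name):
    """Return (https_required, client_cert_required) for a WSDL binding."""
    root = ET.fromstring(wsdl_text)
    wsu_id = "{%s}Id" % WSU
    policies = {p.get(wsu_id): p for p in root.iter("{%s}Policy" % NS["wsp"])}
    binding = root.find("wsdl:binding[@name='%s']" % binding_name, NS)
    if binding is None:
        raise KeyError(binding_name)
    https = client_cert = False
    for ref in binding.findall("wsp:PolicyReference", NS):
        uri = ref.get("URI", "")
        policy = policies.get(uri[1:]) if uri.startswith("#") else None
        if policy is None:
            # Fail closed: an unresolved policy must not read as "no security".
            raise LookupError("cannot resolve policy " + uri)
        for token in policy.iterfind(".//sp:HttpsToken", NS):
            https = True
            if token.get("RequireClientCertificate") in ("true", "1"):
                client_cert = True
    return https, client_cert

if __name__ == "__main__":
    print(transport_requirements(SAMPLE_WSDL, "JobBinding"))
```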

3 Comments:

Blogger Dave Berry said...

Mark,

Out of curiosity, what is the status of all these proposals?

As this is a research project, we needn't constrain ourselves to final standards, but we should be aware of possible flux.

Dave.

8:49 AM  
Blogger Mark Mc Keown said...

Dave, unfortunately many of these specs are only at the beginning of standardisation.

Really this is a Taverna problem, though we can make their life easier by being consistent in our approach (for example only use one approach to presenting policy, or restricting ourselves to transport layer security). I have talked to the Taverna people and they have already run into the requirement for policy. We are starting to work together to reach common understandings.

8:18 AM  
Blogger John said...

You can really see how Taverna has developed over the last 5 years, things have progressed at an excellent rate. I wonder did you expect this back in 2006, with talk of WS-trusts and proxy and ssl certificates. It's really quite amazing what has been achieved and you deserve credit for being there for the beginning.

1:40 AM  
