W3C home > Mailing lists > Public > www-ws-arch@w3.org > April 2002

FW: The Web Services Threat Model

From: Krishna Sankar <ksankar@cisco.com>
Date: Sun, 7 Apr 2002 11:50:24 -0700
To: <www-ws-arch@w3.org>
Message-ID: <009801c1de65$14b5b380$aa867ed8@amer.cisco.com>
I had solicited internal comments on our discussions thru internal
mailer. Here is one from Ricky Ho on threat model.

cheers

 | -----Original Message-----
 <snip ../>
 | Subject: Re: The Web Services Threat Model
 | 
 | 
 | Thanks Krishna, this is a good start ... some suggestions for
improvement 
 | as follows ...
 | (please forward my feedback to the w3c workgroup, thanks !)
 | 
 | In the threat model described in the mail, it hasn't highlight those 
 | threats which a "transport-layer" protocol like SSL doesn't solve.
(so far 
 | it hasn't justified the need to address those threats at the web
service 
 | level).
 | 
 | The threat model hasn't talked about the "time" dimension which is 
 | important in the dynamic nature of web services.  (E.g. certain
information 
 | is valid within certain time period, or the authority is designated
within 
 | a certain period).  And one of the threat is how the hackers extend
that 
 | time period.
 | 
 | The coverage of the underlying communication model (which the threat
model 
 | base on) is kind of "incomplete".  Besides the most basic
communication 
 | pattern, the following are important ones that are missing.
 | 
 | 1) Dynamic "route"
 | In this case, the client cannot determine the whole route before it
sends 
 | its request, and it delegates some of the decisions to subsequent 
 | intermediaries.  So the threat model should look at the trust issue
under 
 | the delegation scenario.
 | 
 | 2) Conversation
 | In real life B2B scenario, the communication is not a one-off
invocation 
 | but rather "dialog based".  There are multiple web services
invocations 
 | which are correlated under a certain context.  So the threat model
should 
 | look at the whole context rather than just individual invocation.
 | 
 | 3) Asynchronous service invocation
 | The characteristic is that there is no "output" from any service
because 
 | the response will come back from a separate reverse invocation.  This
can 
 | be considered a special case of conversation.
 | 
 | 4) Multicast invocation
 | In this case, the sender doesn't know who is the ultimate receiver
(or is 
 | there any of them).
 | 
 | Best regards,
 | Ricky
 | 
 | At 07:57 AM 4/6/2002 -0800, Krishna Sankar wrote:
 | >Good first cut in articulating the threat model for web services.
 | >Comments are welcome.
 | >
 | >cheers
 | >
 | >  | -----Original Message-----
 | >  | From: www-ws-arch-request@w3.org
 | >  | [mailto:www-ws-arch-request@w3.org] On Behalf Of Joseph Hui
 | >  | Sent: Friday, April 05, 2002 8:01 PM
 | >  | To: www-ws-arch@w3.org
 | >  | Subject: The Web Services Threat Model
 | >  |
<snip ../>
Received on Sunday, 7 April 2002 14:51:14 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 3 July 2007 12:24:57 GMT