W3C home > Mailing lists > Public > www-ws-arch@w3.org > April 2002

RE: The Web Services Threat Model

From: Joseph Hui <jhui@digisle.net>
Date: Thu, 18 Apr 2002 14:53:32 -0700
Message-ID: <C153D39717E5F444B81E7B85018A460B06685912@ex-sj-5.digisle.com>
To: "Krishna Sankar" <ksankar@cisco.com>, <www-ws-arch@w3.org>
Hi Krishna,

Thanks for the feedback from Ricky.
My comments are inlined below.

> From: Krishna Sankar [mailto:ksankar@cisco.com]
> I had solicited internal comments on our discussions thru internal
> mailer. Here is one from Ricky Ho on threat model.
>  | In the threat model described in the mail, it hasn't highlight those 
>  | threats which a "transport-layer" protocol like SSL doesn't solve. 

SSL is a solution.  (It provides end-point Authentication,
data Integrity, and Confidentiality.)  The threat model
is meant to focus on the  problems, i.e. the threats, and
is intentionally aversive to critiquing solutions.
E.g. I could have pointed out that SSL/TLS doesn't do
non-repudiation.  But I'd have also to show IPSec's laundry
list, just to be fair.  Incidentally, I happen to know
SSL/TLS quite well, from its nuts and bolts to where the
bodies are buried, including what SSL/TLS can or cannot do.
So if there's suggestion about the exact locations in the 
draft where the shortcomings of SSL (and/or IPSec) should be
brought to the readers' attention, then let's see what can
be done.  

>  | (so far 
>  | it hasn't justified the need to address those threats at the web service 
>  | level).

IMO one should stay neutral while describing a threat model,
i.e.  present the threats matter-of-factly and refrain from
justifying one way or the other.  The readers can justify for
themselves how threads are to be addressed.  If we were to do it
for them, we should do it in a separate draft.

>  | The threat model hasn't talked about the "time" dimension which is 
>  | important in the dynamic nature of web services.  (E.g. certain information 
>  | is valid within certain time period, or the authority is designated within 
>  | a certain period).  And one of the threat is how the hackers extend that 
>  | time period.

I'm quite puzzled by this "time" dimension.
I can take this as-is and make several guesses and address
each of them.  But I'd rather wait for a concrete example on how
a timeframe can be extended and the WS-specific ramification
before responding to this meaningfully.  

The notion that certain info is of ephemeral value may argue
for the non-need for Perfect Forward Secrecy (PFS) in some cases.
(PFS is widely known and accepted as a desirable property in security.)
But it can't be used to argue for getting by with weaker/cheaper
ciphers (in the case of ephemeral confidentiality) or for
controlling an authz window (in the case of authz time, such
as stretching the expiration limit of a Kerberos ticket.
So what am I missing?

Exactly how would a hacker extend "that time period" (and take
advantage the extension), given that in security, unless stated
otherwise, one assumes confidentiality is desired to last "forever?"
(Recall PFS being a desirable property in security.)

>  | The coverage of the underlying communication model (which 
> the threat
> model 
>  | base on) is kind of "incomplete".  Besides the most basic
> communication 
>  | pattern, the following are important ones that are missing.
>  | 
>  | 1) Dynamic "route"
>  | In this case, the client cannot determine the whole route before it
> sends 
>  | its request, and it delegates some of the decisions to subsequent 
>  | intermediaries.  So the threat model should look at the trust issue
> under 
>  | the delegation scenario.
>  | 
>  | 2) Conversation
>  | In real life B2B scenario, the communication is not a one-off
> invocation 
>  | but rather "dialog based".  There are multiple web services
> invocations 
>  | which are correlated under a certain context.  So the threat model
> should 
>  | look at the whole context rather than just individual invocation.
>  | 
>  | 3) Asynchronous service invocation
>  | The characteristic is that there is no "output" from any service
> because 
>  | the response will come back from a separate reverse 
> invocation.  This
> can 
>  | be considered a special case of conversation.
>  | 
>  | 4) Multicast invocation
>  | In this case, the sender doesn't know who is the ultimate receiver
> (or is 
>  | there any of them).

The coverage may indeed be incomplete.  (I was just firing away
with what comes to mind and then re-organize the contents a bit
for readability.)
There are an infinite number of other things that the threat model
(in a finite form) can't possibly cover.  That said, I suspect many
of the cases that some see as not being covered may actually be some
variants of the exemplary cases being covered.  

If references can be provided for research-grade security papers 
or dissertations on the above four, I'll be glad to check them out.
(Sorry, a broad pointer like "msec for Multicast" won't help. ;-)


Joe Hui
Exodus, a Cable & Wireless service

>  | 
>  | Best regards,
>  | Ricky
>  | 
>  | At 07:57 AM 4/6/2002 -0800, Krishna Sankar wrote:
>  | >Good first cut in articulating the threat model for web services.
>  | >Comments are welcome.
>  | >
>  | >cheers
>  | >
>  | >  | -----Original Message-----
>  | >  | From: www-ws-arch-request@w3.org
>  | >  | [mailto:www-ws-arch-request@w3.org] On Behalf Of Joseph Hui
>  | >  | Sent: Friday, April 05, 2002 8:01 PM
>  | >  | To: www-ws-arch@w3.org
>  | >  | Subject: The Web Services Threat Model
>  | >  |
> <snip ../>
Received on Thursday, 18 April 2002 17:53:39 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:40:55 UTC