
RE: "Onion model" explained

From: Hal Lockhart <hal.lockhart@entegrity.com>
Date: Wed, 10 Jul 2002 17:41:21 -0400
Message-ID: <899128A30EEDD1118FC900A0C9C74A3401034171@bigbird.gradient.com>
To: "'Joseph Hui'" <Joseph.Hui@exodus.net>, www-ws-arch@w3.org

Apparently I am on the www-ws-arch mailing list, so you don't have to add me
explicitly.

With respect to the onion model, my question was not so much what it was, as
how was it relevant to the three STF objectives. This was explained as
relating to the charter requirements objective, which answered my question.

With respect to the priority, I know it is unreasonable to expect to convert
the world to my thinking overnight, but I will take the opportunity to
introduce my views. 

I now firmly believe that Authorization, while a significant technical
problem, is not a fundamental service. The ONLY purpose of Authentication is
to provide inputs to other security services such as Confidentiality,
Integrity, Authorization and Audit Trail.

For current purposes I will settle for consensus around the idea that
"Authentication without Authorization is insufficient". This is what major
end users and industry gurus have been saying for the last five years or so.

Hal

> -----Original Message-----
> From: Joseph Hui [mailto:Joseph.Hui@exodus.net]
> Sent: Wednesday, July 10, 2002 3:14 PM
> To: www-ws-arch@w3.org
> Cc: hal.lockhart@entegrity.com
> Subject: "Onion model" explained
> 
> 
> Hi all,
> 
> During today's STF telcon I took an action item to
> explain in the mailing list what the "onion model"
> that we sometimes referred to in the WG's security
> related threads was about.
> 
> So here it goes.
> 
> The "Onion model," for the lack of a better term, is in
> essence a grouping of the WSAWG sec reqs for the benefit
> of prioritizing them for a phased approach in delivering
> our sec solutions/standards.  (The phased approach came
> about in consideration of the time-to-market factor often
> recited in the WSAWG's discussions.)
> 
> The model comprises, in descending priority:
> 
>    Layer 1) Confidentiality, (Data) Integrity, Authentication;
> 
>          2) Authorization;
> 
>          3) Non-repudiation;
> 
>          4) Accessibility
> 
>          5) The remainder of the WSAWG sec requirements,
>             including Auditing.
> 
>    Note that a phase may consist of one or more layers.
>    E.g. the first phase may include layer 1 only, or
>    layers 1 & 2, dependent upon future decisions.
> 
> Cheers,
> 
> Joe Hui
> Exodus, a Cable & Wireless service
> 
Received on Wednesday, 10 July 2002 17:42:03 GMT
