RE: [STF] Additional security usage scenarios

Hugo,
Attached is the requested document (containing 
summaries of the various usage scenarios 
found in other industry documents).
Regards,
Steve

-----Original Message-----
From: www-ws-arch-request@w3.org [mailto:www-ws-arch-request@w3.org]On
Behalf Of Hugo Haas
Sent: Monday, July 29, 2002 2:30 PM
To: www-ws-arch@w3.org
Cc: Steven A. Monetti
Subject: [STF] Additional security usage scenarios



[ Sorry for the lack of pointers: I am offline. ]

All,

As per my action item, I have reviewed the additional usage scenarios
that Steve Monetti came up with to see how they can be integrated in
the latest version of the usage scenarios document.

Steve gathered those new usage scenarios by looking at other usage
scenarios documents. Steve, could you please resend your draft to the
list? Thanks.

Below is my analysis: is the scenario covered by our document? what
action should we take?

|   1. Single Sign-On: Authentication using a Username/Password and
|   Transport-Level Security

S063 covers this topic. However, S063 isn't finished so it needs to be
completed.

=> Finish S063.

|   2. Authentication by a Trusted Party

2 is slightly different from 1, but I believe that it is a variation
of it and should be covered by a (variation of) S063.

=> Write a variation of S063 using a trusted party.

|   3. Confidentiality and Integrity with No Transport Level Security

S064 covers this topic, but it needs to be developed more: it
currently does not have a complete description.

=> Finish S064.

|   4. Authorization Service for Access to a Resource

There isn't a precise authorization usage scenario in the document,
even though authorization is covered by the requirements document.

=> Add an authorization usage scenario.

|   5. Firewall Processing of Messages

This is a particular case of authorization involving an intermediary.
As a general rule, we should probably add a few scenarios underlining
the role of intermediaries, being security-related or not.

=> Look into intermediaries usage scenarios.

|   6. Business Policy Enforcement

This is another particular case of authorization. It is IMO a
combination of several other usage scenarios (authorization,
authentication with tokens) which could be highlighted in one of our
high-level use cases; the travel agent service use case is probably a
good place to do so.

=> Look into putting individual scenarios into context.

|   7. Basic Privacy: Use and Disclosure of Personal Information

As I mentioned last week, I added a note in the editors' copy of the
usage scenario document to add a couple of privacy usage scenarios
which will cover this.

=> Add privacy usage scenarios.

|   8. Delegating Trust

I don't believe that this is covered by our document yet.

=> Add scenario about trust delegation.

|   9. Access Control Lists

I don't think that this is covered by our current document. I was
thinking about proposing it to one of the use cases, but I am still
unsure about it. A usage scenario about ACLs may be in order.

=> Add scenario about ACLs.

|   10. Auditing to Track Security-Related Activities and Incidents

Auditing isn't covered by our document.

=> Add auditing usage scenario.

Regards,

Hugo

-- 
Hugo Haas - W3C
mailto:hugo@w3.org - http://www.w3.org/People/Hugo/ - tel:+1-617-452-2092

Received on Monday, 29 July 2002 15:35:10 UTC