RE: AC006.1: Threat model [..] for Web service endpoints and thei r communication from Joseph Hui on 2002-05-03 (www-ws-arch@w3.org from May 2002)

From: Joseph Hui <jhui@digisle.net>
Date: Thu, 2 May 2002 18:22:47 -0700
To: "Ahmed, Zahid" <zahid.ahmed@commerceone.com>, <www-ws-arch@w3.org>
Message-ID: <C153D39717E5F444B81E7B85018A460B0668595B@ex-sj-5.digisle.com>

> -----Original Message-----
> From: Ahmed, Zahid [mailto:zahid.ahmed@commerceone.com]
> Sent: Thursday, May 02, 2002 6:06 PM
> To: www-ws-arch@w3.org
> Subject: RE: AC006.1: Threat model [..] for Web service endpoints and
> thei r communication
> 
> 
> >>What about security in say a registry of services?
> >If the registry manifests itself as a web service endpoint,
> >>then it's covered.
> 
> 
> This may not be completely true.

I'd agree off the cuff. My paint stroke might have been too broad.
We do need to flesh out this further when the time comes.

BTW, does UDDI plan to do its own security for the UBR?
Anybody cares to comment.  (I haven't tracked UDDI for sometime.)

Joe Hui
Exodus, a Cable & Wireless service
===================================================

> The security problem domain of a web service enabled 
> Registry may be different than the general web 
> services applications. 
> 
> I guess for now it is satisfactory to assume that
> such types of web services application security model 
> is partially defined as part of its own domain (e.g.,
> UDDI Regsitry Security Reqmnts, ebXML Registry Security
> Reqmnts, where a range of security assurance, data 
> protection and privacy requirements have been identified). 
> 
> 
> Zahid Ahmed
> 
>  
> 
> 
> -----Original Message-----
> From: Joseph Hui [mailto:jhui@digisle.net]
> Sent: Thursday, May 02, 2002 5:47 PM
> To: Hugo Haas; www-ws-arch@w3.org
> Subject: RE: AC006.1: Threat model [..] for Web service endpoints and
> their communication
> 
> 
> > -----Original Message-----
> > From: Hugo Haas [mailto:hugo@w3.org]
> > Sent: Thursday, May 02, 2002 12:13 PM
> > To: www-ws-arch@w3.org
> > Subject: AC006.1: Threat model [..] for Web service endpoints 
> > and their
> > communication
> > 
> > 
> > AC006.1 reads:
> > 
> > | AC006.1 The construction of a Web Services Threat Model based on
> > | thorough analysis of existing and foreseeable threats to 
> Web service
> > | endpoints and their communication.
> > 
> > Is the threat model consideration is limited to endpoints and their
> > communication? 
> 
> Pretty much so.  (You may want to refer to the WS Threat Model I
> wrote in a previous msg prior to the F2F.  I didn't get 
> around to finish
> it, but the gist is there.)
> 
> > What is the implication of this?
> 
> The world will have well secured web services, along with fresh air
> and clean water, mom and apple pie, ...  :-).
> 
> > What about security in say a registry of services?
> 
> If the registry manifests itself as a web service endpoint,
> then it's covered.
> 
> Cheers,
> 
> Joe Hui
> Exodus, a Cable & Wireless service
> ===============================================================
> > 
> > Regards,
> > 
> > Hugo
> > 
> > -- 
> > Hugo Haas - W3C
> > mailto:hugo@w3.org - http://www.w3.org/People/Hugo/ - 
> > tel:+1-617-452-2092
> > 
> > 
> 
>

Received on Thursday, 2 May 2002 21:23:17 UTC