W3C home > Mailing lists > Public > www-ws-arch@w3.org > May 2002

Evaluating the Web wrt D-AG004

From: Mark Baker <distobj@acm.org>
Date: Wed, 8 May 2002 21:29:46 -0400
To: Christopher Ferris <chris.ferris@sun.com>
Cc: www-ws-arch@w3.org
Message-ID: <20020508212946.E25058@www.markbaker.ca>
On Wed, May 08, 2002 at 04:38:12PM -0400, Christopher Ferris wrote:
> by all means, please do so.

Security is one of the areas where currently deployed standards could
do with some beefing up.  Consider my request a place holder for some
of the other "areas" which already have mostly complete solutions in
use today, such as Reliability.

But I will go through the provisionally accepted D-AG004
requirements/CSFs to point out how Web architecture and the Web
addresses each one (or not);

AC006.1 - no documented threat model, just an implicit one
AC006.4 - has a security framework, on a per resource basis (more below)
D-AR006.2.1 - per resource authentication, as realized in HTTP
authentication (which is extensible; e.g. basic, digest)
D-AR006.2.2 - "data authentication" via content signing, ala
multipart/signed
D-AR006.3 - authorization implemented behind authentication interface.
Different models can be supported behind this single interface, but no
identified need to interop at any deeper level (e.g. sharing ACLs)
D-AR006.4 - confidentiality via multipart/encrypted or TLS, as two
examples
D-AR006.5 - data integrity via headers such as Content-MD5
D-AR006.6 - non-repudiation via multipart/encrypted

MB
--
Mark Baker, Chief Science Officer, Planetfred, Inc.
Ottawa, Ontario, CANADA.      mbaker@planetfred.com
http://www.markbaker.ca   http://www.planetfred.com
Received on Wednesday, 8 May 2002 21:22:05 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 3 July 2007 12:24:59 GMT