Re: Proposed issue; Visibility of Web services

Mark Baker wrote,
> I believe the answer is that Fred is at fault.  He, in effect,
> attempted to bypass the security policies established by his
> employer, which are intended to protect the corporate intranet.

I'm with you this far.

> In other words, he assumed that visibility is not important to his IT 
> department, and they disagree.

That doesn't follow from the security policy you specified earlier. You 
said,

> But then a few weeks later, when the Large Co IT department learns
> that a non-publicly specified & verified, potentially insecure
> application interface is being tunneled through their firewall, they
> shut down his system.

Which presumably implies that the security policy is,

  No protocol shall be tunnelled through our firewall unless it has been
  publicly specified and verified and believed to be secure.

  [FWIW, I think this is a lousy policy, but never mind]

Stated this way, the policy doesn't obviously require visibility, nor is 
visibility sufficient to meet its goals. Visibility isn't required, 
because, eg. HTTP over SSL/TLS meets the goals (both are publicly 
specified and believed to be relevantly secure) yet visibility stops at 
the SSL/TLS layer. And visibility isn't sufficient because a use of a 
protocol which is secure in the abstract might be insecure as 
implemented (eg. Fred's SSL/TLS or HTTP implementation might have 
remotely exploitable buffer overflow vulnerabilities).

What would be needed for Fred's application to meet the policy? Fred 
could show the WSDL to his IT department and have them inspect his 
implementation. Assuming they find both acceptable, then nothing more 
needs to be done (in particular, no message inspection on the firewall 
would be necessary to meet the policy requirements as specified). If 
Fred's system were shut down at this point it would be the IT 
department which was at fault.

So I think you need to tweak the specification of the security policy if 
you want it to imply a visibility requirement. Ideally you'd do that in 
a non-circular way (ie. the policy shouldn't flat out state that 
visibility is a requirement) and without too much collateral damage 
(eg. it'd be unfortunate if it ruled out the use of SSL/TLS).

Cheers,


Miles

Received on Wednesday, 16 July 2003 06:02:37 UTC
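The message above argues that visibility "stops at the SSL/TLS layer": a firewall in front of Fred's system can parse a plaintext HTTP request in full, but of the same request carried over TLS it sees only record headers and, at most, the server name offered in the ClientHello. The following Python script is an added example written for this page; it is not code from Miles, Mark Baker, or the TAG discussion. The request body, the hostname `fred.example`, and the hand-built TLS 1.0 ClientHello (zeroed random, one cipher suite, SNI extension) are all constructed here to illustrate the point.

```python
"""What a firewall can inspect: plaintext HTTP vs. the same traffic over TLS.

Added example for the W3C TAG thread on visibility of Web services.
All inputs below are constructed for illustration.
"""
import struct

# --- constructed sample: Fred's Web service request in the clear ---------
FRED_BODY = b'<placeOrder sku="A1"/>'
FRED_REQUEST = (
    b"POST /orders HTTP/1.1\r\n"
    b"Host: fred.example\r\n"            # hypothetical host name
    b"Content-Type: text/xml\r\n"
    + b"Content-Length: %d\r\n" % len(FRED_BODY)
    + b"\r\n" + FRED_BODY
)


def parse_http_request(data: bytes) -> dict:
    """Everything a firewall can see of a plaintext HTTP request."""
    head, _, body = data.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def parse_tls_record(data: bytes) -> dict:
    """Everything a firewall can see of one TLS record: the 5-byte header
    (content type, protocol version, length) plus, for a ClientHello,
    the server_name extension (RFC 3546). Application data is opaque."""
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    view = {"content_type": content_type, "version": (major, minor),
            "length": length}
    if content_type == 22 and payload and payload[0] == 1:   # handshake, ClientHello
        view["sni"] = _client_hello_sni(payload)
    return view


def _client_hello_sni(hs: bytes):
    body = hs[4:]                       # skip handshake type (1) + length (3)
    pos = 2 + 32                        # client_version + random
    sid_len = body[pos]; pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
    cm_len = body[pos]; pos += 1 + cm_len
    if pos + 2 > len(body):
        return None                     # no extensions present
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        edata = body[pos:pos + elen]; pos += elen
        if etype == 0:                  # server_name extension
            lpos = 2                    # skip ServerNameList length
            while lpos + 3 <= len(edata):
                ntype = edata[lpos]
                nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
                lpos += 3
                name = edata[lpos:lpos + nlen]; lpos += nlen
                if ntype == 0:          # host_name
                    return name.decode("ascii")
    return None


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.0 ClientHello record carrying an SNI."""
    sni_entry = b"\x00" + struct.pack("!H", len(server_name)) + server_name.encode()
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list
    body = (b"\x03\x01" + bytes(32)                 # version, random (zeroed)
            + b"\x00"                               # empty session_id
            + struct.pack("!H", 2) + b"\x00\x2f"    # one cipher suite
            + b"\x01\x00"                           # one compression method
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return struct.pack("!BBBH", 22, 3, 1, len(hs)) + hs


def build_app_data_record(ciphertext: bytes) -> bytes:
    """Constructed application_data record; the payload stands in for the
    encrypted HTTP request, which the firewall cannot decrypt."""
    return struct.pack("!BBBH", 23, 3, 1, len(ciphertext)) + ciphertext


if __name__ == "__main__":
    print("plaintext:", parse_http_request(FRED_REQUEST))
    print("TLS hello:", parse_tls_record(build_client_hello("fred.example")))
    print("TLS data: ", parse_tls_record(build_app_data_record(bytes(len(FRED_REQUEST)))))
```

Run stand-alone, the first line shows method, target, headers and the XML body; the TLS lines show only content type, version, length and the hostname. Whether that residual visibility satisfies a policy is exactly the question the message leaves open.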