RE: AC006.1: Threat model [..] for Web service endpoints and thei r communication from Ahmed, Zahid on 2002-05-03 (www-ws-arch@w3.org from May 2002)

From: Ahmed, Zahid <zahid.ahmed@commerceone.com>
Date: Thu, 2 May 2002 18:06:27 -0700
To: www-ws-arch@w3.org
Message-ID: <C1E0143CD365A445A4417083BF6F42CC02F89094@C1plenaexm07.commerceone.com>

>>What about security in say a registry of services?
>If the registry manifests itself as a web service endpoint,
>>then it's covered.


This may not be completely true.

The security problem domain of a web service enabled 
Registry may be different than the general web 
services applications. 

I guess for now it is satisfactory to assume that
such types of web services application security model 
is partially defined as part of its own domain (e.g.,
UDDI Regsitry Security Reqmnts, ebXML Registry Security
Reqmnts, where a range of security assurance, data 
protection and privacy requirements have been identified). 


Zahid Ahmed

 


-----Original Message-----
From: Joseph Hui [mailto:jhui@digisle.net]
Sent: Thursday, May 02, 2002 5:47 PM
To: Hugo Haas; www-ws-arch@w3.org
Subject: RE: AC006.1: Threat model [..] for Web service endpoints and
their communication


> -----Original Message-----
> From: Hugo Haas [mailto:hugo@w3.org]
> Sent: Thursday, May 02, 2002 12:13 PM
> To: www-ws-arch@w3.org
> Subject: AC006.1: Threat model [..] for Web service endpoints 
> and their
> communication
> 
> 
> AC006.1 reads:
> 
> | AC006.1 The construction of a Web Services Threat Model based on
> | thorough analysis of existing and foreseeable threats to Web service
> | endpoints and their communication.
> 
> Is the threat model consideration is limited to endpoints and their
> communication? 

Pretty much so.  (You may want to refer to the WS Threat Model I
wrote in a previous msg prior to the F2F.  I didn't get around to finish
it, but the gist is there.)

> What is the implication of this?

The world will have well secured web services, along with fresh air
and clean water, mom and apple pie, ...  :-).

> What about security in say a registry of services?

If the registry manifests itself as a web service endpoint,
then it's covered.

Cheers,

Joe Hui
Exodus, a Cable & Wireless service
===============================================================
> 
> Regards,
> 
> Hugo
> 
> -- 
> Hugo Haas - W3C
> mailto:hugo@w3.org - http://www.w3.org/People/Hugo/ - 
> tel:+1-617-452-2092
> 
>

Received on Thursday, 2 May 2002 21:06:41 UTC