- From: Joseph Hui <Joseph.Hui@exodus.net>
- Date: Wed, 8 May 2002 17:09:31 -0700
- To: "Steven A. Monetti" <smonetti@att.com>, "Christopher Ferris" <chris.ferris@sun.com>
- Cc: "Dilber, Ayse, ALASO" <adilber@att.com>, <www-ws-arch@w3.org>
> From: Steven A. Monetti [mailto:smonetti@att.com] [snip] > But, from this perspective what would be a primitive for > security policy? Exactly. That's why security policy was not called out as a "security aspect." BTW, sec prims are not the formal gauge for qualifying something to be a "sec aspect/facet." There's no formal gauge anyway. One could use sec prim pretty much as the gauge in the past, until DOS/DDOS came along. There's no sec prim for DOS, which is a reason why they are so difficult to deal with. But I tend not to think Auditing issues rank equal with DOS issues. Joe Hui Exodus, a Cable & Wireless service ======================================================= > > Steve > > ----- Original Message ----- > From: "Christopher Ferris" <chris.ferris@sun.com> > To: "Joseph Hui" <Joseph.Hui@exodus.net> > Cc: "Dilber, Ayse, ALASO" <adilber@att.com>; <www-ws-arch@w3.org> > Sent: Wednesday, May 08, 2002 6:49 PM > Subject: Re: D-AR006.11 discussion points > > > > Joe, > > > > What is a "security primitive" per se? My understanding of > > security is based on the premise of risks and balanced > > countermeasures based on the level of risk assessed > > for each resource. I have never heard of a "security > > primitive" before so I have no idea how to respond > > to your question. > > > > IMO, auditing as a service *might* be something we > > consider as an important aspect of web services > > security. Or, we might conclude that in terms of priority > > that other countermeasure technologies should be considered > > ahead of auditing. But that's beside the point. > > > > The six "facets" you cite are in fact (IMHO) merely six > > countermeasures which comprise but a subset of the > > total arsenal of countermeasures that might be applied > > to mitigate a risk. Auditing is another, equally valid, > > countermeasure that is (or should be!) often employed > > within the fabric of a secure environment. There are > > other non-technical (and IMHO, far more important) > > countermeasures (management comes to mind, without which > > all the glitzy technicological countermeasures one > > can imagine can be rendered useless overhead) that could > > also be included in the list. > > > > Why is it that you are so adamantly opposed to its (Auditing) > > inclusion in this list? A number of others have chimed in suggesting > > that its inclusion would be "a good thing(tm)". Would you > > be willing to live with its inclusion? > > > > Cheers, > > > > Chris > > > > > > > > Joseph Hui wrote: > > > > >>From: Christopher Ferris [mailto:chris.ferris@sun.com] > > >>Sent: Wednesday, May 08, 2002 2:25 PM > > >>To: Joseph Hui > > >>Cc: Dilber, Ayse, ALASO; www-ws-arch@w3.org > > >>Subject: Re: D-AR006.11 discussion points > > >> > > >> > > >>Joe, > > >> > > >>As with AuthN and AuthZ, it is a countermeasure used > > >>to mitigate a security threat(s) such as when AuthN and > > >>AuthZ have been (somehow) circumvented. It is also > > >>useful to protect against abuse of privileges that > > >>may have been granted. > > >> > > > > > > Chris, > > > > > > I'm well aware of the benefits of auditing -- nuts and > > > bolts and trimmings; and what auditing may mean in various > > > contexts. (Exodus is a well established vendor of Security > > > Audit services, albeit Ayse's notion of Auditing is more > > > like logging and our products cover far more than that.) > > > > > > However, I wouldn't elevate it to a "security aspect/facet" > > > equal to the original six commonly known to security experts. > > > The experts no doubt know what Auditing can mean in the > > > context of security, but wouldn't group it in the company > > > of the original six for sure. > > > > > > Can you think of a security primitive that does Auditing? > > > > > > Cheers, > > > > > > Joe Hui > > > Exodus, a Cable & Wireless service > > > ================================================= > > > > > > > > > > > > > > >>Cheers, > > >> > > >>Chris-sans-chapeau > > >> > > >>Joseph Hui wrote: > > >> > > >> > > >>>>-----Original Message----- > > >>>>From: Dilber, Ayse, ALASO [mailto:adilber@att.com] > > >>>>Sent: Wednesday, May 08, 2002 2:02 PM > > >>>>To: Joseph Hui; Christopher Ferris; www-ws-arch@w3.org > > >>>>Subject: RE: D-AR006.11 discussion points > > >>>> > > >>>> > > >>>>i don't know if you will receive this but i'm having lots of > > >>>>e-mail problems today, i thought i answered your question in > > >>>>a different message but it sounds like it wasn't delivered. > > >>>>so here it is: > > >>>> > > >>>> > > >>>Well, here it is what? Another mail problem? ;-) > > >>>Please take your time, Ayse. > > >>>Fix you mail first; the world can wait. :-) > > >>> > > >>>Joe Hui > > >>>Exodus, a Cable & Wireless service > > >>>============================================= > > >>> > > >>> > > >>>>-----Original Message----- > > >>>>From: Joseph Hui [mailto:Joseph.Hui@exodus.net] > > >>>>Sent: Wednesday, May 08, 2002 4:41 PM > > >>>>To: Dilber, Ayse, ALASO; Christopher Ferris; www-ws-arch@w3.org > > >>>>Subject: RE: D-AR006.11 discussion points > > >>>> > > >>>> > > >>>>Ayse, > > >>>> > > >>>>Then what's your answer to my questions in [1] > > >>>>pertaining to threat characterization? > > >>>> > > >>>>I'm copying the text of the original question over > > >>>>as follows: > > >>>> > > >>>> Auditing* as a security aspect? > > >>>> Can you explain why? E.g. for starter, how would you > > >>>> characterize the threat (model) that's unique to Auditing? > > >>>> Note that the impetus for requiring each of the original > > >>>> six begins with a unique threat, or in some cases, threats. > > >>>> > > >>>>Joe Hui > > >>>>Exodus, a Cable & Wireless service > > >>>> > > >>>>PS: I wasn't interested in what auditing means in > > >>>> the conventional sense. It's obvious. > > >>>> > > >>>>[1] > > >>>> > > >>http://lists.w3.org/Archives/Member/w3c-ws-arch/2002May/0056.html > > >> > > >>>>============================================================ > > >>>> > > >>========== > > >> > > >>>>>-----Original Message----- > > >>>>>From: Dilber, Ayse, ALASO [mailto:adilber@att.com] > > >>>>>Sent: Wednesday, May 08, 2002 12:59 PM > > >>>>>To: Joseph Hui; Christopher Ferris; www-ws-arch@w3.org > > >>>>>Subject: RE: D-AR006.11 discussion points > > >>>>> > > >>>>> > > >>>>>No, I didn't back out on Auditing! I was having serious > > >>>>>e-mail problems that's why I couldn't respond. I believe > > >>>>>that the Auditing should be included! > > >>>>>Ayse > > >>>>> > > >>>>>-----Original Message----- > > >>>>>From: Joseph Hui [mailto:Joseph.Hui@exodus.net] > > >>>>>Sent: Wednesday, May 08, 2002 3:55 PM > > >>>>>To: Christopher Ferris; www-ws-arch@w3.org > > >>>>>Subject: RE: D-AR006.11 discussion points > > >>>>> > > >>>>> > > >>>>> > > >>>>> > > >>>>> > > >>>>> > > >>>>>>-----Original Message----- > > >>>>>>From: Christopher Ferris [mailto:chris.ferris@sun.com] > > >>>>>>Sent: Wednesday, May 08, 2002 12:00 PM > > >>>>>>To: www-ws-arch@w3.org > > >>>>>>Subject: Re: D-AR006.11 discussion points > > >>>>>> > > >>>>>> > > >>>>>>Joe/Ayse, > > >>>>>> > > >>>>>>1) Please keep this, and all technical discussion, on > the public > > >>>>>>mailing list. > > >>>>>> > > >>>>>>2) It seems to me that Joe is suggesting that the bulleted > > >>>>>>item under D-AR006.11 that says: > > >>>>>> > > >>>>>>"There are six aspects in the security framework for Web > > >>>>>>Services architecture: Accessibility, > > >>>>>>Authentication, Authorization, Confidentiality, Integrity, > > >>>>>>and Non-repudiation. Together they form > > >>>>>>the foundation for secure Web Services. > > >>>>>> > > >>>>>> > > >>>>>The above text is NOT a requirement at all!!! > > >>>>>It doesn't even read like one. > > >>>>>It's a lite intro for D-AR006.1 thru D-AR006.6. > > >>>>>The editors inserted D-AR006.10 and D-AR006.11 in > > >>>>>the wrong place. The two should have followed D-AR009; > > >>>>>and the intro should not have been bulletized. > > >>>>>What a mess. sigh. > > >>>>> > > >>>>>D-AR006.11 text should read as follows: > > >>>>> > > >>>>> D-AR006.11 The architecture must provide an interface for > > >>>>> Web Services to directly communicate with their underlying > > >>>>> infrastructure. > > >>>>> > > >>>>> The interface is for negotiating services that an > infrastructure > > >>>>> may provide to, or perform on behalf of, requesting > Web Services. > > >>>>> Such value-added services may include: security, content > > >>>>> > > >>delivery, > > >> > > >>>>> QoS, etc. For instance, a Web service may instruct (via the > > >>>>>interface) > > >>>>> the security agents of its infrastructure to defend against > > >>>>> DOS/DDOS attacks on its behalf." > > >>>>> > > >>>>> > > >>>>> > > >>>>>>is actually a separate requirement from D-AR006.11 and should > > >>>>>>have been > > >>>>>>labeled D-AR006.12 in the document. Am I reading this > > >>>>>>correctly? If so, > > >>>>>>then this needs to be fed to the editors as a comment so > > >>>>>> > > >>>>>> > > >>>>that it is > > >>>> > > >>>> > > >>>>>>certain to be tracked (and fixed in the next editor's draft). > > >>>>>> > > >>>>>>The question I have then is whether or not Joe is accepting > > >>>>>>Ayse's request to add Auditing to this list of 6 aspects > > >>>>>>or whether he is suggesting that yet another requirement > > >>>>>>(D-AR006.13) be created to accomodate Auditing... do > any others > > >>>>>>have an opinion on this? > > >>>>>> > > >>>>>> > > >>>>>I think Ayse has already backed out on Auditing. > > >>>>>So it's no longer an issue whether I'd accept it. > > >>>>>(I wasn't inclined to accept it because there's no > > >>>>>threat model that's uniquely associated with Auditing. > > >>>>>But I wouldn't decide one way or the other without > > >>>>>hearing the case out first.) > > >>>>> > > >>>>>Whoever wants to give it another shot is welcome to > > >>>>>present his/her *reasoning and analysis*. > > >>>>> > > >>>>>Cheers, > > >>>>> > > >>>>>Joe Hui > > >>>>>Exodus, a Cable & Wireless service > > >>>>>================================================== > > >>>>> > > >>>>> > > >>>>>>Thanks, > > >>>>>> > > >>>>>>Chris > > >>>>>> > > >>>>>>Joseph Hui wrote: > > >>>>>> > > >>>>>> > > >>>>>> > > >>>>>>>>From: Dilber, Ayse, ALASO [mailto:adilber@att.com] > > >>>>>>>> > > >>>>>>>> > > >>>>>>>> > > >>>>>>>[snip] > > >>>>>>> > > >>>>>>> > > >>>>>>> > > >>>>>>> > > >>>>>>>>D-AR006.11 the six aspects need to be replaced with the > > >>>>>>>>following seven aspects of the security framework: > > >>>>>>>> > > >>>>>>>> > > >>>>>>>> > > >>>>>>>Ayse, the D-AR006.11 number was taken. > > >>>>>>>You may want to re-number your proposal as D-AR006.12 instead > > >>>>>>>if you're serious about it (to be voted on or debated). > > >>>>>>> > > >>>>>>> > > >>>>>>> > > >>>>>>> > > >>>>>>>>Auditing; > > >>>>>>>> > > >>>>>>>> > > >>>>>>>> > > >>>>>>>Auditing* as a security aspect? > > >>>>>>>Can you explain why? E.g. for starter, how would you > > >>>>>>>characterize the threat (model) that's unique to Auditing? > > >>>>>>>Note that the impetus for requiring each of the original > > >>>>>>>six begins with a unique threat, or in some cases, threats. > > >>>>>>> > > >>>>>>> > > >>>>>>> > > >>>>>>> > > >>>>>>>>Authentication (includes identification and authorization); > > >>>>>>>> > > >>>>>>>> > > >>>>>>>> > > >>>>>>>Authc & Authz are separate sec aspects. > > >>>>>>> > > >>>>>>>Example 1: The security policy of the very system that you're > > >>>>>>>using probably includes only Authz but not Authc. To login, > > >>>>>>>you simply enter user name and password, the system checks > > >>>>>>>the password file and lets you in. You are not asked to > > >>>>>>>authenticate yourself as Ayse. BTW, password file is known > > >>>>>>>to be one form of Access Control List (ACL). > > >>>>>>> > > >>>>>>>Example 2: Alice's security policy includes Authc & Authz. > > >>>>>>>To join Alice's party, Bob must present a certificate to > > >>>>>>>Alice to authenticate himself as Bob -- Authc, AND, after > > >>>>>>>successful authc (sometimes aka positive identification), > > >>>>>>>Alice checks whether Bob is on her guest list (i.e. ACL) > > >>>>>>>before allowing him into her party. > > >>>>>>> > > >>>>>>> > > >>>>>>> > > >>>>>>> > > >>>>>>>>Access Control (file permission, etc.); > > >>>>>>>> > > >>>>>>>> > > >>>>>>>> > > >>>>>>>Access Control is just a Authz means. (See example 2 above.) > > >>>>>>> > > >>>>>>>Cheers, > > >>>>>>> > > >>>>>>>Joe Hui > > >>>>>>>Exodus, a Cable & Wireless service > > >>>>>>>======================================================== > > >>>>>>> > > >>>>>>> > > >>>>>>> > > >>>>>>> > > >>>>>>>>Confidentiality; > > >>>>>>>>Availability; Integrity; Non-repudiation. > > >>>>>>>>Thanks, > > >>>>>>>>Ayse > > >>>>>>>> > > >>>>>>>>-----Original Message----- > > >>>>>>>>From: Christopher Ferris [mailto:chris.ferris@sun.com] > > >>>>>>>>Sent: Saturday, May 04, 2002 10:00 AM > > >>>>>>>>To: wsawg public > > >>>>>>>>Subject: D-AR006.11 discussion points > > >>>>>>>> > > >>>>>>>> > > >>>>>>>>SUNW: This requirement goes "inside" a web service > and places > > >>>>>>>>requirements > > >>>>>>>>on how it is designed. We should be focusing on externally > > >>>>>>>> > > >>>>>>>> > > >>>>>>observable > > >>>>>> > > >>>>>> > > >>>>>>>>(through the web service interfaces) behaviour > > >>>>>>>> > > >>>>>>>>SYBS: Implementation details. Don't seem to fit in Web > > >>>>>>>>Services Architecture > > >>>>>>>>group.. > > >>>>>>>> > > >>>>>>>>W3C: See > > >>>>>>>> > > >>>>>>>> > > > >>>>>http://lists.w3.org/Archives/Public/www-ws-arch/2002May/0015.html > > >>>>> > > >>>>> > > >>>>>>>ORCL: I don't quite see how "an architecture" can actually > > >>>>>>> > > >>>>>>> > > >>>>>provide an > > >>>>> > > >>>>> > > >>>>>>>interface. And in this case the goal may be too ambitious > > >>>>>>> > > >>>>>>> > > >>>>given the > > >>>> > > >>>> > > >>>>>>>number of different possible "infrastructures". > > >>>>>>> > > >>>>>>>PF: I just don't see the need for this. > > >>>>>>> > > >>>>>>>TIB: not clear to me that individual Web services would > > >>>>>>> > > >>>>>>> > > >>>>ever want to > > >>>> > > >>>> > > >>>>>>>know whether they were under DOS at some lower layer > > >>>>>>> > > >>>>>>>CrossWeave: Don't understand this > > >>>>>>> > > >>>>>>>CMPQ: The interface is for negotiating services that an > > >>>>>>>infrastructure may > > >>>>>>>provide to, or perform on behalf of, a requesting > Web Services. > > >>>>>>>Such value-added services may include: security, content > > >>>>>>> > > >>delivery, > > >> > > >>>>>>>QoS, etc. For instance, a Web service may instruct (via the > > >>>>>>>interface) the security > > >>>>>>>agents of its infrastructure to defend against DOS/DDOS > > >>>>>>>attacks on its behalf. > > >>>>>>> > > >>>>>>>This seems to say that the requirement is > > >>>>>>>"The security framework must provide for negotiations > > >>>>>>> > > >>>>>>> > > >>>>pertaining to > > >>>> > > >>>> > > >>>>>>>security considerations." > > >>>>>>> > > >>>>>>>That is, the requirement is for negotiation support; within > > >>>>>>>security context, > > >>>>>>>it is security negotiation, within QoS context, it is QoS > > >>>>>>>negotiation, etc. > > >>>>>>> > > >>>>>>> > > >>>>>>> > > >>>>>>> > > >>>>>>> > > >>>>> > > >> > > >> > > > > > > > > > > > >
Received on Wednesday, 8 May 2002 20:09:37 UTC