- From: Steven A. Monetti <smonetti@att.com>
- Date: Wed, 8 May 2002 19:44:53 -0400
- To: "Christopher Ferris" <chris.ferris@Sun.COM>, "Joseph Hui" <Joseph.Hui@exodus.net>
- Cc: "Dilber, Ayse, ALASO" <adilber@att.com>, <www-ws-arch@w3.org>
Chris, i agree. Joe, I'd view security primitives as encryption, digital sig, digest, key managemnt, etc. In that context, i'm not able to identify a primitive that applies to auditing/event logging. But, from this perspective what would be a primitive for security policy? Steve ----- Original Message ----- From: "Christopher Ferris" <chris.ferris@sun.com> To: "Joseph Hui" <Joseph.Hui@exodus.net> Cc: "Dilber, Ayse, ALASO" <adilber@att.com>; <www-ws-arch@w3.org> Sent: Wednesday, May 08, 2002 6:49 PM Subject: Re: D-AR006.11 discussion points > Joe, > > What is a "security primitive" per se? My understanding of > security is based on the premise of risks and balanced > countermeasures based on the level of risk assessed > for each resource. I have never heard of a "security > primitive" before so I have no idea how to respond > to your question. > > IMO, auditing as a service *might* be something we > consider as an important aspect of web services > security. Or, we might conclude that in terms of priority > that other countermeasure technologies should be considered > ahead of auditing. But that's beside the point. > > The six "facets" you cite are in fact (IMHO) merely six > countermeasures which comprise but a subset of the > total arsenal of countermeasures that might be applied > to mitigate a risk. Auditing is another, equally valid, > countermeasure that is (or should be!) often employed > within the fabric of a secure environment. There are > other non-technical (and IMHO, far more important) > countermeasures (management comes to mind, without which > all the glitzy technicological countermeasures one > can imagine can be rendered useless overhead) that could > also be included in the list. > > Why is it that you are so adamantly opposed to its (Auditing) > inclusion in this list? A number of others have chimed in suggesting > that its inclusion would be "a good thing(tm)". Would you > be willing to live with its inclusion? > > Cheers, > > Chris > > > > Joseph Hui wrote: > > >>From: Christopher Ferris [mailto:chris.ferris@sun.com] > >>Sent: Wednesday, May 08, 2002 2:25 PM > >>To: Joseph Hui > >>Cc: Dilber, Ayse, ALASO; www-ws-arch@w3.org > >>Subject: Re: D-AR006.11 discussion points > >> > >> > >>Joe, > >> > >>As with AuthN and AuthZ, it is a countermeasure used > >>to mitigate a security threat(s) such as when AuthN and > >>AuthZ have been (somehow) circumvented. It is also > >>useful to protect against abuse of privileges that > >>may have been granted. > >> > > > > Chris, > > > > I'm well aware of the benefits of auditing -- nuts and > > bolts and trimmings; and what auditing may mean in various > > contexts. (Exodus is a well established vendor of Security > > Audit services, albeit Ayse's notion of Auditing is more > > like logging and our products cover far more than that.) > > > > However, I wouldn't elevate it to a "security aspect/facet" > > equal to the original six commonly known to security experts. > > The experts no doubt know what Auditing can mean in the > > context of security, but wouldn't group it in the company > > of the original six for sure. > > > > Can you think of a security primitive that does Auditing? > > > > Cheers, > > > > Joe Hui > > Exodus, a Cable & Wireless service > > ================================================= > > > > > > > > > >>Cheers, > >> > >>Chris-sans-chapeau > >> > >>Joseph Hui wrote: > >> > >> > >>>>-----Original Message----- > >>>>From: Dilber, Ayse, ALASO [mailto:adilber@att.com] > >>>>Sent: Wednesday, May 08, 2002 2:02 PM > >>>>To: Joseph Hui; Christopher Ferris; www-ws-arch@w3.org > >>>>Subject: RE: D-AR006.11 discussion points > >>>> > >>>> > >>>>i don't know if you will receive this but i'm having lots of > >>>>e-mail problems today, i thought i answered your question in > >>>>a different message but it sounds like it wasn't delivered. > >>>>so here it is: > >>>> > >>>> > >>>Well, here it is what? Another mail problem? ;-) > >>>Please take your time, Ayse. > >>>Fix you mail first; the world can wait. :-) > >>> > >>>Joe Hui > >>>Exodus, a Cable & Wireless service > >>>============================================= > >>> > >>> > >>>>-----Original Message----- > >>>>From: Joseph Hui [mailto:Joseph.Hui@exodus.net] > >>>>Sent: Wednesday, May 08, 2002 4:41 PM > >>>>To: Dilber, Ayse, ALASO; Christopher Ferris; www-ws-arch@w3.org > >>>>Subject: RE: D-AR006.11 discussion points > >>>> > >>>> > >>>>Ayse, > >>>> > >>>>Then what's your answer to my questions in [1] > >>>>pertaining to threat characterization? > >>>> > >>>>I'm copying the text of the original question over > >>>>as follows: > >>>> > >>>> Auditing* as a security aspect? > >>>> Can you explain why? E.g. for starter, how would you > >>>> characterize the threat (model) that's unique to Auditing? > >>>> Note that the impetus for requiring each of the original > >>>> six begins with a unique threat, or in some cases, threats. > >>>> > >>>>Joe Hui > >>>>Exodus, a Cable & Wireless service > >>>> > >>>>PS: I wasn't interested in what auditing means in > >>>> the conventional sense. It's obvious. > >>>> > >>>>[1] > >>>> > >>http://lists.w3.org/Archives/Member/w3c-ws-arch/2002May/0056.html > >> > >>>>============================================================ > >>>> > >>========== > >> > >>>>>-----Original Message----- > >>>>>From: Dilber, Ayse, ALASO [mailto:adilber@att.com] > >>>>>Sent: Wednesday, May 08, 2002 12:59 PM > >>>>>To: Joseph Hui; Christopher Ferris; www-ws-arch@w3.org > >>>>>Subject: RE: D-AR006.11 discussion points > >>>>> > >>>>> > >>>>>No, I didn't back out on Auditing! I was having serious > >>>>>e-mail problems that's why I couldn't respond. I believe > >>>>>that the Auditing should be included! > >>>>>Ayse > >>>>> > >>>>>-----Original Message----- > >>>>>From: Joseph Hui [mailto:Joseph.Hui@exodus.net] > >>>>>Sent: Wednesday, May 08, 2002 3:55 PM > >>>>>To: Christopher Ferris; www-ws-arch@w3.org > >>>>>Subject: RE: D-AR006.11 discussion points > >>>>> > >>>>> > >>>>> > >>>>> > >>>>> > >>>>> > >>>>>>-----Original Message----- > >>>>>>From: Christopher Ferris [mailto:chris.ferris@sun.com] > >>>>>>Sent: Wednesday, May 08, 2002 12:00 PM > >>>>>>To: www-ws-arch@w3.org > >>>>>>Subject: Re: D-AR006.11 discussion points > >>>>>> > >>>>>> > >>>>>>Joe/Ayse, > >>>>>> > >>>>>>1) Please keep this, and all technical discussion, on the public > >>>>>>mailing list. > >>>>>> > >>>>>>2) It seems to me that Joe is suggesting that the bulleted > >>>>>>item under D-AR006.11 that says: > >>>>>> > >>>>>>"There are six aspects in the security framework for Web > >>>>>>Services architecture: Accessibility, > >>>>>>Authentication, Authorization, Confidentiality, Integrity, > >>>>>>and Non-repudiation. Together they form > >>>>>>the foundation for secure Web Services. > >>>>>> > >>>>>> > >>>>>The above text is NOT a requirement at all!!! > >>>>>It doesn't even read like one. > >>>>>It's a lite intro for D-AR006.1 thru D-AR006.6. > >>>>>The editors inserted D-AR006.10 and D-AR006.11 in > >>>>>the wrong place. The two should have followed D-AR009; > >>>>>and the intro should not have been bulletized. > >>>>>What a mess. sigh. > >>>>> > >>>>>D-AR006.11 text should read as follows: > >>>>> > >>>>> D-AR006.11 The architecture must provide an interface for > >>>>> Web Services to directly communicate with their underlying > >>>>> infrastructure. > >>>>> > >>>>> The interface is for negotiating services that an infrastructure > >>>>> may provide to, or perform on behalf of, requesting Web Services. > >>>>> Such value-added services may include: security, content > >>>>> > >>delivery, > >> > >>>>> QoS, etc. For instance, a Web service may instruct (via the > >>>>>interface) > >>>>> the security agents of its infrastructure to defend against > >>>>> DOS/DDOS attacks on its behalf." > >>>>> > >>>>> > >>>>> > >>>>>>is actually a separate requirement from D-AR006.11 and should > >>>>>>have been > >>>>>>labeled D-AR006.12 in the document. Am I reading this > >>>>>>correctly? If so, > >>>>>>then this needs to be fed to the editors as a comment so > >>>>>> > >>>>>> > >>>>that it is > >>>> > >>>> > >>>>>>certain to be tracked (and fixed in the next editor's draft). > >>>>>> > >>>>>>The question I have then is whether or not Joe is accepting > >>>>>>Ayse's request to add Auditing to this list of 6 aspects > >>>>>>or whether he is suggesting that yet another requirement > >>>>>>(D-AR006.13) be created to accomodate Auditing... do any others > >>>>>>have an opinion on this? > >>>>>> > >>>>>> > >>>>>I think Ayse has already backed out on Auditing. > >>>>>So it's no longer an issue whether I'd accept it. > >>>>>(I wasn't inclined to accept it because there's no > >>>>>threat model that's uniquely associated with Auditing. > >>>>>But I wouldn't decide one way or the other without > >>>>>hearing the case out first.) > >>>>> > >>>>>Whoever wants to give it another shot is welcome to > >>>>>present his/her *reasoning and analysis*. > >>>>> > >>>>>Cheers, > >>>>> > >>>>>Joe Hui > >>>>>Exodus, a Cable & Wireless service > >>>>>================================================== > >>>>> > >>>>> > >>>>>>Thanks, > >>>>>> > >>>>>>Chris > >>>>>> > >>>>>>Joseph Hui wrote: > >>>>>> > >>>>>> > >>>>>> > >>>>>>>>From: Dilber, Ayse, ALASO [mailto:adilber@att.com] > >>>>>>>> > >>>>>>>> > >>>>>>>> > >>>>>>>[snip] > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>>>D-AR006.11 the six aspects need to be replaced with the > >>>>>>>>following seven aspects of the security framework: > >>>>>>>> > >>>>>>>> > >>>>>>>> > >>>>>>>Ayse, the D-AR006.11 number was taken. > >>>>>>>You may want to re-number your proposal as D-AR006.12 instead > >>>>>>>if you're serious about it (to be voted on or debated). > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>>>Auditing; > >>>>>>>> > >>>>>>>> > >>>>>>>> > >>>>>>>Auditing* as a security aspect? > >>>>>>>Can you explain why? E.g. for starter, how would you > >>>>>>>characterize the threat (model) that's unique to Auditing? > >>>>>>>Note that the impetus for requiring each of the original > >>>>>>>six begins with a unique threat, or in some cases, threats. > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>>>Authentication (includes identification and authorization); > >>>>>>>> > >>>>>>>> > >>>>>>>> > >>>>>>>Authc & Authz are separate sec aspects. > >>>>>>> > >>>>>>>Example 1: The security policy of the very system that you're > >>>>>>>using probably includes only Authz but not Authc. To login, > >>>>>>>you simply enter user name and password, the system checks > >>>>>>>the password file and lets you in. You are not asked to > >>>>>>>authenticate yourself as Ayse. BTW, password file is known > >>>>>>>to be one form of Access Control List (ACL). > >>>>>>> > >>>>>>>Example 2: Alice's security policy includes Authc & Authz. > >>>>>>>To join Alice's party, Bob must present a certificate to > >>>>>>>Alice to authenticate himself as Bob -- Authc, AND, after > >>>>>>>successful authc (sometimes aka positive identification), > >>>>>>>Alice checks whether Bob is on her guest list (i.e. ACL) > >>>>>>>before allowing him into her party. > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>>>Access Control (file permission, etc.); > >>>>>>>> > >>>>>>>> > >>>>>>>> > >>>>>>>Access Control is just a Authz means. (See example 2 above.) > >>>>>>> > >>>>>>>Cheers, > >>>>>>> > >>>>>>>Joe Hui > >>>>>>>Exodus, a Cable & Wireless service > >>>>>>>======================================================== > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>>>Confidentiality; > >>>>>>>>Availability; Integrity; Non-repudiation. > >>>>>>>>Thanks, > >>>>>>>>Ayse > >>>>>>>> > >>>>>>>>-----Original Message----- > >>>>>>>>From: Christopher Ferris [mailto:chris.ferris@sun.com] > >>>>>>>>Sent: Saturday, May 04, 2002 10:00 AM > >>>>>>>>To: wsawg public > >>>>>>>>Subject: D-AR006.11 discussion points > >>>>>>>> > >>>>>>>> > >>>>>>>>SUNW: This requirement goes "inside" a web service and places > >>>>>>>>requirements > >>>>>>>>on how it is designed. We should be focusing on externally > >>>>>>>> > >>>>>>>> > >>>>>>observable > >>>>>> > >>>>>> > >>>>>>>>(through the web service interfaces) behaviour > >>>>>>>> > >>>>>>>>SYBS: Implementation details. Don't seem to fit in Web > >>>>>>>>Services Architecture > >>>>>>>>group.. > >>>>>>>> > >>>>>>>>W3C: See > >>>>>>>> > >>>>>>>> > >>>>>http://lists.w3.org/Archives/Public/www-ws-arch/2002May/0015.html > >>>>> > >>>>> > >>>>>>>ORCL: I don't quite see how "an architecture" can actually > >>>>>>> > >>>>>>> > >>>>>provide an > >>>>> > >>>>> > >>>>>>>interface. And in this case the goal may be too ambitious > >>>>>>> > >>>>>>> > >>>>given the > >>>> > >>>> > >>>>>>>number of different possible "infrastructures". > >>>>>>> > >>>>>>>PF: I just don't see the need for this. > >>>>>>> > >>>>>>>TIB: not clear to me that individual Web services would > >>>>>>> > >>>>>>> > >>>>ever want to > >>>> > >>>> > >>>>>>>know whether they were under DOS at some lower layer > >>>>>>> > >>>>>>>CrossWeave: Don't understand this > >>>>>>> > >>>>>>>CMPQ: The interface is for negotiating services that an > >>>>>>>infrastructure may > >>>>>>>provide to, or perform on behalf of, a requesting Web Services. > >>>>>>>Such value-added services may include: security, content > >>>>>>> > >>delivery, > >> > >>>>>>>QoS, etc. For instance, a Web service may instruct (via the > >>>>>>>interface) the security > >>>>>>>agents of its infrastructure to defend against DOS/DDOS > >>>>>>>attacks on its behalf. > >>>>>>> > >>>>>>>This seems to say that the requirement is > >>>>>>>"The security framework must provide for negotiations > >>>>>>> > >>>>>>> > >>>>pertaining to > >>>> > >>>> > >>>>>>>security considerations." > >>>>>>> > >>>>>>>That is, the requirement is for negotiation support; within > >>>>>>>security context, > >>>>>>>it is security negotiation, within QoS context, it is QoS > >>>>>>>negotiation, etc. > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>> > >>>>> > >> > >> > > > > >
Received on Wednesday, 8 May 2002 20:10:35 UTC