- From: Mark Baker <distobj@acm.org>
- Date: Wed, 8 May 2002 21:29:46 -0400
- To: Christopher Ferris <chris.ferris@sun.com>
- Cc: www-ws-arch@w3.org
On Wed, May 08, 2002 at 04:38:12PM -0400, Christopher Ferris wrote:
> by all means, please do so.

Security is one of the areas where currently deployed standards could do with some beefing up. Consider my request a place holder for some of the other "areas" which already have mostly complete solutions in use today, such as Reliability.

But I will go through the provisionally accepted D-AG004 requirements/CSFs to point out how Web architecture and the Web addresses each one (or not);

- AC006.1 - no documented threat model, just an implicit one
- AC006.4 - has a security framework, on a per resource basis (more below)
- D-AR006.2.1 - per resource authentication, as realized in HTTP authentication (which is extensible; e.g. basic, digest)
- D-AR006.2.2 - "data authentication" via content signing, ala multipart/signed
- D-AR006.3 - authorization implemented behind authentication interface. Different models can be supported behind this single interface, but no identified need to interop at any deeper level (e.g. sharing ACLs)
- D-AR006.4 - confidentiality via multipart/encrypted or TLS, as two examples
- D-AR006.5 - data integrity via headers such as Content-MD5
- D-AR006.6 - non-repudiation via multipart/encrypted

MB
--
Mark Baker, Chief Science Officer, Planetfred, Inc.
Ottawa, Ontario, CANADA. mbaker@planetfred.com
http://www.markbaker.ca http://www.planetfred.com

Received on Wednesday, 8 May 2002 21:22:05 UTC
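
The "one authentication interface, extensible schemes" point made under D-AR006.2.1, as an added example that is not part of the original message: a server-side check that dispatches on the `Authorization` scheme and verifies Basic and Digest (RFC 2617, `qop=auth`) credentials. The user store, realm and sample header are constructed from the RFC 2617 section 3.5 example values, the function names are hypothetical, and nonce issuance and replay tracking are assumed to happen elsewhere.

```python
import base64, hashlib, hmac, re

# Constructed sample data, using the values of the RFC 2617 section 3.5 example.
USERS = {"Mufasa": "Circle Of Life"}
REALM = "testrealm@host.com"
SAMPLE_DIGEST = ('Digest username="Mufasa", realm="testrealm@host.com", '
                 'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", qop=auth, '
                 'nc=00000001, cnonce="0a4f113b", response="6629fae49393a05397450978507c4ef1"')

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def check_basic(param):
    """Basic: the parameter is base64("user:password"), readable by any observer."""
    try:
        user, _, password = base64.b64decode(param, validate=True).decode("utf-8").partition(":")
    except ValueError:  # covers malformed base64 and invalid UTF-8
        return False
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(password.encode(), expected.encode())

def digest_response(user, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    """Digest: only a hash over the secret, the nonces and the request is sent."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def check_digest(param, method, uri):
    # Parse key="quoted" or key=token pairs from the header parameter.
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', param)
    f = {key: quoted or bare for key, quoted, bare in pairs}
    required = ("username", "realm", "nonce", "uri", "response", "nc", "cnonce")
    if any(k not in f for k in required) or f.get("qop") != "auth":
        return False
    # The credentials are bound to this realm and to the resource actually requested.
    if f["realm"] != REALM or f["uri"] != uri or f["username"] not in USERS:
        return False
    expected = digest_response(f["username"], USERS[f["username"]], REALM,
                               method, uri, f["nonce"], f["nc"], f["cnonce"])
    return hmac.compare_digest(expected.encode(), f["response"].encode())

def authenticate(authorization, method, uri):
    """Single entry point; the scheme token selects the mechanism behind it."""
    scheme, _, param = authorization.partition(" ")
    checkers = {"basic": check_basic,
                "digest": lambda p: check_digest(p, method, uri)}
    checker = checkers.get(scheme.lower())
    return bool(checker and checker(param.strip()))
```
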