RE: Requirements 4.11 Security

There are only two requirements falling under two security topics.
The topics are:
1. security considerations for web services, and
2. security considerations for trusting WSDL descriptions of web services.

R084 Compliance must not preclude building implementations that are
resistant to attacks.

I hope no one would object to that constraint! If compliance precluded
building attack-resistant services, we are in trouble.

However, attacks can be of many types. DOS attacks are always possible
on listening connections. I doubt anyone wants to stretch this
requirement to mean that listening on a port is not allowed.

More generally, there are a lot of issues under topic 1 that
might need more discussion:
Should more positive support for security
of web services be described? Should there be bindings
or binding subtypes that are labeled as less subject to risks
from common threats? Should there be a security risk assessment
subsection in the document? Or in a separate document? Should 
details involved in a web services usage agreement be documented
in bindings? And so on. 


R088 Document best practices for signing WSDL documents.

I think this requirement probably needs to be sharpened up.
I would propose that it be restated to say:

The specification MUST document how a WSDL document can
be signed, using XMLDsig, so that a potential 
user of the WSDL document can establish trust 
in the information conveyed about the web service 
(at "configuration" time, not service invocation time.)
Recommendations about when signatures should be
provided (when publishing to a registry, for example)
should be made in a security information section. 

I would recommend that this requirement be accepted
as reworded. There are still several detailed issues
(should the signature be inside a WSDL document,
should it be in a separate document and use an XMLDsig
Reference to point to the signed document(s)) that are
left open to be resolved later. Partly this is because
I am unclear from current discussions
how the "modularity" of WSDL is going
to translate into variations in physical document 
partition of information.

Received on Wednesday, 10 April 2002 11:54:34 UTC