business-transaction message



Subject: RE: Security reqs v.02


Bill,

I think you captured the SSO possibility I had in mind.  Part of the
reasoning comes from the protocol stack we all allude to, which looks
something like this:

	Business Processes
	BTP
	Reliable Messaging
	XML Protocol
	HTTP
	TCP/IP

User identity does belong in the business process level.  The question is
whether or not individual identity is required down the stack or is
organizational identity sufficient in some scenarios.

It is a good point about audit logs.  I agree that the initiator needs to be
logged.  This would require that BTP stay in sync with the business
processes.

	Thanks,

	Mark




> -----Original Message-----
> From: Bill Pope [mailto:bpope@bowstreet.com]
> Sent: Thursday, July 05, 2001 7:27 AM
> To: 'mark.hale@interwoven.com'
> Cc: OASIS BTP (Main List) (E-mail)
> Subject: RE: Security reqs v.02
>
>
>
> Mark,
> Thanks for the comments.  I'll update the documents and resend.
> Good catch on duration, my face is red to have missed it.  The
> temporal aspects of security are one of my areas of interest.
>
> Would you expand on your SSO point?
> What I think you are saying is that in most cases it is not the
> user identity that we are concerned about but the organizational
> identity.  The organization will take responsibility for authenticating
> the user and determining whether that user is authorized to use the
> transactional application.  Then the application identity will be used
> within the BTP system wherever identity, entitlement, or capability
> information is needed.
>
> That seems to be a very reasonable model.  Thinking purely from a
> security view point I would extend it to capture the identity of the
> initiating user in the audit logs.  If there are scenarios that must
> capture that identity in the logs of other actors in the BTP system
> then the identity has to be in the message set.  Otherwise it's only
> a local issue.
>
> Regards,
> =bill
>
> > -----Original Message-----
> > From: Mark A. Hale [mailto:mark.hale@interwoven.com]
> > Sent: Monday, July 02, 2001 4:46 PM
> > To: BT (main list) (E-mail)
> > Subject: RE: Security reqs v.02
> >
> >
> > Bill,
> >
> > Thanks for sending out the security material.  I have
> > comments based on your
> > documents:
> >
> > - Your list of relevant standards activities captures the
> > current state of
> > the market with respect to security in XML-based architectures.
> >
> > - A security issue omitted from your list is duration.  When are
> > participants permitted to timeout their respective tokens?  I
> > know that this
> > was talked about at some of the modeling meetings.  Perhaps
> > Alastair can
> > comment.
> >
> > - With respect to identity, I can envision a BTP network that
> > underlies an
> > identity scheme.  Imagine a user wants some work done.  In
> > turn the user's
> > application passes the request down the stack to a BTP layer that is
> > authenticated at the organizational level.  I am not sure
> > that SSO will do
> > the trick in this case.
> >
> >
> > 	Thanks,
> >
> > 	Mark
> >
> >
> >
> > > -----Original Message-----
> > > From: Bill Pope [mailto:bpope@bowstreet.com]
> > > Sent: Thursday, June 28, 2001 1:53 PM
> > > To: BT (main list) (E-mail)
> > > Subject: Security reqs v.02
> > >
> > >
> > >
> > > Find attached two documents.
> > > Draft 2 of the security issues document.
> > > Draft 1 of the external activity report.
> > >
> > > Comments are invited,
> > > =bill
> > >
> > > William Z Pope                                    Bowstreet
> > > +1 603 559 1538                           One Harbour Place
> > > bpope@bowstreet.com                 Portsmouth NH 03801 USA
> > >
> > >
> > >
> >

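The identity and duration points argued in this thread (organizational identity at the BTP layer, the initiating user kept in the business-process layer's local audit log unless a scenario requires it in the message set, and tokens that time out) can be modelled in a few lines. The following is an added illustration, not code from the thread or from any BTP specification; the class names, the token shape, the 300-second lifetime and the sample organizations and users are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class OrgToken:
    """Organizational credential carried at the BTP layer (hypothetical shape)."""
    org_id: str
    issued_at: float      # seconds since epoch
    ttl_seconds: float    # the 'duration' point: when participants may time the token out

    def is_valid(self, now: float) -> bool:
        return now < self.issued_at + self.ttl_seconds


@dataclass
class BtpMessage:
    """Message in the BTP message set: organizational identity only, unless the
    scenario explicitly requires the initiating user to be visible to other actors."""
    org_token: OrgToken
    payload: str
    initiator: Optional[str] = None


@dataclass
class BusinessProcessLayer:
    """Business-process layer: authenticates the user, decides entitlement, and keeps
    the local audit log that records the initiating user."""
    org_id: str
    authorized_users: set
    audit_log: List[dict] = field(default_factory=list)

    def submit(self, user: str, payload: str, now: float,
               share_initiator: bool = False) -> Optional[BtpMessage]:
        if user not in self.authorized_users:
            self.audit_log.append({"event": "denied", "user": user, "at": now})
            return None
        # Assumed lifetime; the thread only says tokens must be allowed to time out.
        token = OrgToken(org_id=self.org_id, issued_at=now, ttl_seconds=300.0)
        self.audit_log.append({"event": "initiated", "user": user,
                               "org": self.org_id, "at": now})
        return BtpMessage(org_token=token, payload=payload,
                          initiator=user if share_initiator else None)


@dataclass
class BtpParticipant:
    """Another actor in the BTP system: it can log only what the message set carries."""
    name: str
    audit_log: List[dict] = field(default_factory=list)

    def receive(self, msg: BtpMessage, now: float) -> bool:
        if not msg.org_token.is_valid(now):
            self.audit_log.append({"event": "rejected-expired",
                                   "org": msg.org_token.org_id, "at": now})
            return False
        self.audit_log.append({
            "event": "accepted",
            "org": msg.org_token.org_id,
            "initiator": msg.initiator if msg.initiator is not None else "<not in message set>",
            "at": now,
        })
        return True


def demo() -> dict:
    """Run the scenarios discussed in the thread and return the resulting audit logs."""
    bp = BusinessProcessLayer(org_id="org-a", authorized_users={"alice"})  # constructed sample
    remote = BtpParticipant(name="org-b")                                  # constructed sample
    t0 = 1_000_000.0

    # 1. Organizational identity only: the remote actor cannot log the user.
    m1 = bp.submit("alice", "commit order 42", now=t0)
    remote.receive(m1, now=t0 + 1)

    # 2. A scenario that needs the initiator in other actors' logs: the identity
    #    has to travel in the message set.
    m2 = bp.submit("alice", "commit order 43", now=t0, share_initiator=True)
    remote.receive(m2, now=t0 + 1)

    # 3. Duration: the token has timed out, so the participant refuses it.
    remote.receive(m1, now=t0 + 600)

    # 4. A user the organization has not authorized never reaches the BTP layer.
    m4 = bp.submit("guest", "commit order 44", now=t0)

    return {"local": bp.audit_log, "remote": remote.audit_log, "denied": m4 is None}


if __name__ == "__main__":
    for side, entries in demo().items():
        print(side, entries)
```

The local log is the only place the initiating user appears in scenario 1; in scenario 2 the same user is visible to the remote participant purely because the message carried it, which is Bill's point that remote audit of the initiator is a message-set requirement, not a local one.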

