regrep-security message
Subject: Thoughts on Registry Security
- From: "Damodaran, Suresh" <Suresh_Damodaran@stercomm.com>
- To: "'regrep-security@lists.oasis-open.org'"<regrep-security@lists.oasis-open.org>,"'sekhar.vajjhala@Sun.COM'" <sekhar.vajjhala@Sun.COM>
- Date: Mon, 27 Aug 2001 11:28:14 -0500
Title: RE: ebXML Security subteam

Here are some rough thoughts - tell me what you think. Sanjay and Farrukh, I am much thankful for your earlier comments on the topic.

From a broad perspective, making sure that the registry has contents that are trustworthy is important whether the registry is an embedded application, or is used only by apps within the same firewall, or is accessible to anyone with an internet connection. There are various ingredients that go into this. It appears to me that the same use case, such as accessing a registry may have different security requirements based on the actor. The distinction on which of the above registry uses to target first, essentially boils down to which use case and which actors are relatively more important to us. For example, is a Registry Guest an important actor from the point of view of Registry? Should a Registry Guest publish in the registry? We have not outlined the security needs per use case or actors.

Some broader near term issues:

1. Authorized access to registry content is essential in any case. Aligning with XACML is an issue.
2. Using digital signature for source integrity is important if registry is accessible from anywhere. DS is also useful for message digests for nonrepudiation. Data integrity and confidentiality are more important in the "public registry" case.
3. Securing the dynamic data - only special actors can create these? If so what is the requirement on security?

Regards,
-Suresh