wsdm message



Subject: Re: [wsdm] [UPlat] Action items for next weeks meeting - security


Hello,

This has been posted in pieces already.  Thanks to Igor for the 
Management Need update.


[UPlat] Security.

Definition(s)
-------------

Information/Computer Security. There are many ways to categorize
information security, but the most common today is represented by the
letters C, I, A:  Confidentiality, Integrity, and Authentication.
Additional concepts that can be arguably kept separate are:  Access
Control, Nonrepudiation, Availability, and Privacy.

Confidentiality.  Preventing unauthorized entities from accessing
information or resources.

Integrity.  Making sure that when authorized entities access
information, it is either not changed or any changes are detectable.

Authentication.  Making sure that entities are who/what they claim to be.

Access Control.  Making sure that entities can only access services,
resources, or information that they are authorized for.

Nonrepudiation.  Making sure the sender of a message cannot deny having
sent the message.

Availability.  Making sure a service or resource can be accessed by
authorized users.  While this goes beyond security, security is expected
to address denial of service attacks.

Privacy.  Making sure that information on entities is used only for the
express purposes allowed.

Management Need
---------------

Resources have to be manageable in a secure way (see definition of security). Security is composable on top of the manageability exposed via Web services, similar to securing any other capability of a resource exposed via a Web service. For example, access to a manageability operation can be granted only to clients that present a "manager's identity" in a request message.

Security must be manageable, preferably via Web services. For example, an identity or access assertion can be verified by issuing a request to a security Web service.


-- 

John DeCarlo, The MITRE Corporation, My Views Are My Own
email:      jdecarlo@mitre.org
voice:      703-883-7116
fax:        703-883-3383
DISA cube:  703-882-0593
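The two Management Need examples above (a manageability operation granted only to a request carrying a manager's identity, and an identity assertion verified by a separate security service) as a worked illustration. This is an added example, not code from the WSDM TC or from the message above. It assumes, for illustration only, that the identity assertion is an HMAC-signed token carried in a SOAP-style header, that the security service shares the signing key, and that the operation-to-role table, the element names and the sample subjects are all constructed for this example.

```python
"""Added example (not WSDM TC code): gate a manageability operation on a
verified identity assertion, with verification delegated to a security
service object that stands in for the "security Web service" in the mail."""
import hmac
import hashlib
import time
import xml.etree.ElementTree as ET

SECRET_KEY = b"constructed-shared-key-for-the-example"  # hypothetical shared secret

# Hypothetical policy: the role each manageability operation requires.
OPERATION_POLICY = {
    "GetStatus": "operator",  # read-only
    "Restart": "manager",     # disruptive, managers only
}
ROLE_RANK = {"operator": 1, "manager": 2}


def _assertion_bytes(subject, role, expires):
    return f"{subject}|{role}|{expires}".encode()


def issue_assertion(subject, role, ttl_seconds=300, now=None):
    """Security-service side: mint an HMAC-signed identity assertion."""
    expires = int((now if now is not None else time.time()) + ttl_seconds)
    sig = hmac.new(SECRET_KEY, _assertion_bytes(subject, role, expires), hashlib.sha256).hexdigest()
    return {"subject": subject, "role": role, "expires": expires, "signature": sig}


class SecurityService:
    """Verifies assertions; a real deployment would call this over a Web service."""

    def verify(self, subject, role, expires, signature, now=None):
        now = now if now is not None else time.time()
        try:
            expires = int(expires)
        except (TypeError, ValueError):
            return False
        if expires < now:  # expired assertion
            return False
        expected = hmac.new(SECRET_KEY, _assertion_bytes(subject, role, expires), hashlib.sha256).hexdigest()
        # constant-time comparison so a forged signature cannot be guessed byte by byte
        return hmac.compare_digest(expected, signature or "")


class ManageabilityEndpoint:
    def __init__(self, security_service):
        self.security = security_service
        self.restarted = 0

    def handle(self, soap_request, now=None):
        """Returns (status, detail); status is 'ok', 'denied' or 'fault'."""
        try:
            root = ET.fromstring(soap_request)  # untrusted XML: prefer defusedxml in production
        except ET.ParseError:
            return ("fault", "malformed request")
        body = root.find("./Body")
        if body is None or len(body) == 0:
            return ("fault", "no operation")
        operation = body[0].tag
        required = OPERATION_POLICY.get(operation)
        if required is None:
            return ("fault", f"unknown operation {operation}")
        ident = root.find("./Header/Identity")
        if ident is None:
            return ("denied", "no identity assertion")
        subject = ident.findtext("Subject", "")
        role = ident.findtext("Role", "")
        if not self.security.verify(subject, role, ident.findtext("Expires"),
                                    ident.findtext("Signature"), now=now):
            return ("denied", "identity assertion rejected by security service")
        if ROLE_RANK.get(role, 0) < ROLE_RANK[required]:
            return ("denied", f"{operation} requires role {required}, got {role}")
        return ("ok", self._execute(operation))

    def _execute(self, operation):
        if operation == "Restart":
            self.restarted += 1
            return "restart scheduled"
        return "status: running"


def build_request(operation, assertion=None):
    """Constructed SOAP-style request; element names are this example's own, not WSDM's."""
    header = ""
    if assertion is not None:
        header = ("<Header><Identity>"
                  f"<Subject>{assertion['subject']}</Subject><Role>{assertion['role']}</Role>"
                  f"<Expires>{assertion['expires']}</Expires>"
                  f"<Signature>{assertion['signature']}</Signature>"
                  "</Identity></Header>")
    return f"<Envelope>{header}<Body><{operation}/></Body></Envelope>"


def demo():
    endpoint = ManageabilityEndpoint(SecurityService())
    manager = issue_assertion("alice", "manager")
    operator = issue_assertion("bob", "operator")
    forged = dict(operator, role="manager")  # role edited after signing; signature no longer matches
    return {
        "manager_restart": endpoint.handle(build_request("Restart", manager))[0],
        "operator_restart": endpoint.handle(build_request("Restart", operator))[0],
        "operator_status": endpoint.handle(build_request("GetStatus", operator))[0],
        "forged_restart": endpoint.handle(build_request("Restart", forged))[0],
        "anonymous_status": endpoint.handle(build_request("GetStatus"))[0],
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The endpoint never decides on the assertion's validity itself; it asks the security service, which is the composition the mail describes. The policy check (role rank against the operation) stays with the resource, since only the resource knows which of its operations are disruptive.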




