
Subject: MUWS: Capabilities Security advice, Respond if you object.



IBM would like to add some security caveats in a few capabilities:

1. Correlatable Properties:

The exposure of this information allows clients to understand the information used to uniquely identify the resource. This may allow a nefarious client to spoof the presence of the resource. This is particularly true if it is obvious how to generate or construct the resource ID from these properties. These properties should be used and exposed with this risk in mind. Protect correlatable properties as much as the resource ID.


2. Relationships
There is an assumption that the resources are well behaved and creating relationships in good faith. Relationships may also be out of date. Before relationships are relied upon, they should be validated either manually or automatically. It should also be considered if the resource being related should be visible for security reasons.

We should also add this to the assumptions section:

- The reader is familiar with WS-Security, WS-SecurityRoadmap

Heather Kreger
STSM, Web Services Lead Architect for SWG Emerging Technologies
Author of "Java and JMX: Building Manageable Systems"
kreger@us.ibm.com
919-543-3211 (t/l 441)  cell:919-496-9572


