Subject: [wsrp][security] agenda for 5/8 telecon
Based on discussion from last week, I've started to compile a list of possible requirements categorized according to our focus areas. I've also added Access Control as a focus area since it seemed from our last telecon that we may have some requirements to support in that arena.

I'd like to use this meeting to walk through this list, get feedback on whether this is a reasonable way to articulate security requirements, and add any new requirements identified during the discussion.

Sorry for the late message and missing minutes from last week; my work schedule has kept me from putting in cycles on this.

Logistics:
Time: Wednesday, 5/8; 8:00 a.m. PST (11:00 a.m. EST, 5:00 p.m. CET)
U.S. Phone: 877.450.3529
International phone: +1.706.679.6653
Conference Code: 4254672722

Trust relationship between portal and portlet:
1. should be possible to use a secure transport for portal/portlet communication
2. should be a means for portlet to authenticate the portal when a service request is made
   - authentication could be protocol-based (i.e. http/basic, ssl/certificate)
   - auth could be document-based (i.e. digitally signed)
3. should be a means of describing in the portlet's metadata whether a secure transport is required and what the authentication method is
4. should be a key exchange mechanism for signed documents

End user identity and personal data-related:
1. Portlet should be able to require that the portal authenticate the end user
2. It should be possible for the portlet to describe the level of end-user authentication required
3. It should be possible for the portal to communicate how it authenticated the end user to the portlet
4. It should be possible for the portal to pass end-user-related credentials in a secure manner to the portlet in a service request
5. The portlet should have a means of describing in its metadata how it wants credentials to be secured
6. It should be possible for the portal to pass end user personal data to the portlet in a secure manner.
7. The portlet should have a means of describing in its metadata how it wants personal data to be secured

Secure Transmission of data:
1. should be possible to use a secure transport for portal/portlet communication
2. should be possible to use document encryption to secure data exchange between portal and portlet

Access Control:
1. does there need to be support for differentiation of access based on actions that are intended for end-user invocation versus administrator invocation?