business-transaction message

Subject: RE: Security reqs v.02



Mark,
Thanks for the comments.  I'll update the documents and resend.
Good catch on duration, my face is red to have missed it.  The
temporal aspects of security are one of my areas of interest.

Would you expand on your SSO point?
What I think you are saying is that in most cases it is not the
user identity that we are concerned about but the organizational
identity.  The organization will take responsibility for authenticating
the user and determining whether that user is authorized to use the
transactional application.  Then the application identity will be used
within the BTP system wherever identity, entitlement, or capability
information is needed.

That seems to be a very reasonable model.  Thinking purely from a
security viewpoint I would extend it to capture the identity of the
initiating user in the audit logs.   If there are scenarios that must
capture that identity in the logs of other actors in the BTP system
then the identity has to be in the message set.  Otherwise it's only
a local issue.

Regards,
=bill

> -----Original Message-----
> From: Mark A. Hale [mailto:mark.hale@interwoven.com]
> Sent: Monday, July 02, 2001 4:46 PM
> To: BT (main list) (E-mail)
> Subject: RE: Security reqs v.02
> 
> 
> Bill,
> 
> Thanks for sending out the security material.  I have comments based on
> your documents:
> 
> - Your list of relevant standards activities captures the current state
> of the market with respect to security in XML-based architectures.
> 
> - A security issue omitted from your list is duration.  When are
> participants permitted to timeout their respective tokens?  I know that
> this was talked about at some of the modeling meetings.  Perhaps
> Alastair can comment.
> 
> - With respect to identity, I can envision a BTP network that underlies
> an identity scheme.  Imagine a user wants some work done.  In turn the
> user's application passes the request down the stack to a BTP layer
> that is authenticated at the organizational level.  I am not sure that
> SSO will do the trick in this case.
> 
> 
> Thanks,
> 
> Mark
> 
> 
> 
> > -----Original Message-----
> > From: Bill Pope [mailto:bpope@bowstreet.com]
> > Sent: Thursday, June 28, 2001 1:53 PM
> > To: BT (main list) (E-mail)
> > Subject: Security reqs v.02
> >
> >
> >
> > Find attached two documents.
> > Draft 2 of the security issues document.
> > Draft 1 of the external activity report.
> >
> > Comments are invited,
> > =bill
> >
> > William Z Pope                                    Bowstreet
> > +1 603 559 1538                           One Harbour Place
> > bpope@bowstreet.com                 Portsmouth NH 03801 USA
> >
> >
> >
> 
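The identity model discussed in this thread (the organization authenticates the user and vouches for the application, the BTP actors rely on the organizational credential, the initiating user travels only as audit information, and tokens carry a duration after which they time out) can be sketched in code. The following is an added example written for this archive page, not code from the BTP committee or from either correspondent; the token format, the shared-secret keys, the `ENTITLEMENTS` table, and all principal names are constructed assumptions chosen only to make the example run offline.

```python
import base64
import hashlib
import hmac
import json

# Constructed assumption: each organization shares a secret with the BTP actor
# that will verify its tokens (in practice this would be a PKI or similar).
ORG_KEYS = {
    "acme-corp": b"constructed-acme-secret",
    "widgets-inc": b"constructed-widgets-secret",
}

# Constructed assumption: entitlements are granted to the *application*
# identity an organization vouches for, not to the individual end user.
ENTITLEMENTS = {
    ("acme-corp", "order-app"): {"prepare", "confirm", "cancel"},
    ("widgets-inc", "stock-app"): {"prepare"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def issue_org_token(org: str, app_id: str, initiating_user: str,
                    issued_at: int, ttl_seconds: int) -> str:
    """Organization-level credential.

    The organization has already authenticated `initiating_user` and decided
    that the user may drive `app_id`; the token therefore asserts the
    application identity as the principal and carries the user purely as
    audit context ("on_behalf_of").  `exp` gives the token its duration.
    """
    claims = {
        "org": org,
        "app": app_id,
        "on_behalf_of": initiating_user,
        "iat": issued_at,
        "exp": issued_at + ttl_seconds,
    }
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(ORG_KEYS[org], body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(mac)


def verify_org_token(token: str, now: int):
    """Return (claims, 'ok') or (None, reason).  Checks issuer, MAC, expiry."""
    try:
        body_b64, mac_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        claims = json.loads(body)
        mac = base64.urlsafe_b64decode(mac_b64)
    except (ValueError, TypeError):
        return None, "malformed token"
    key = ORG_KEYS.get(claims.get("org"))
    if key is None:
        return None, "unknown organization"
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return None, "bad signature"
    if now >= claims["exp"]:
        return None, "token expired"
    return claims, "ok"


def process_btp_message(message: dict, now: int, audit_log: list) -> bool:
    """A receiving BTP actor: authorize on org/app identity, log the user."""
    claims, status = verify_org_token(message["token"], now)
    if claims is None:
        audit_log.append({"t": now, "op": message["op"],
                          "result": "rejected: " + status})
        return False
    allowed = ENTITLEMENTS.get((claims["org"], claims["app"]), set())
    entry = {"t": now, "op": message["op"], "org": claims["org"],
             "app": claims["app"], "on_behalf_of": claims["on_behalf_of"]}
    if message["op"] not in allowed:
        entry["result"] = "rejected: not entitled"
        audit_log.append(entry)
        return False
    entry["result"] = "accepted"
    audit_log.append(entry)
    return True


def demo() -> list:
    """Run three constructed messages through one actor and return its log."""
    log = []
    tok = issue_org_token("acme-corp", "order-app", "alice", 1000, 300)
    process_btp_message({"op": "confirm", "token": tok}, 1100, log)  # in time
    process_btp_message({"op": "confirm", "token": tok}, 1400, log)  # timed out
    tok2 = issue_org_token("widgets-inc", "stock-app", "bob", 1000, 300)
    process_btp_message({"op": "cancel", "token": tok2}, 1100, log)  # no right
    return log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The point the code makes is the one Bill draws from Mark's comment: the verifying actor never sees a user password or performs SSO itself, it trusts the organization's assertion about the application, but because the initiating user is carried in the message every actor's audit log can still name that user, which is exactly what would be lost if the identity were kept purely local to the originating organization. The `exp` check is the duration requirement Mark raised.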
