OASIS Mailing List Archives

coel message



Subject: [OASIS Issue Tracker] (COEL-26) RPE security analysis suggests MMI & PQI should have separate access creds


    [ https://issues.oasis-open.org/browse/COEL-26?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=61598#comment-61598 ] 

Joss Langford commented on COEL-26:
-----------------------------------

This is the write-up of the discussion on 12th Jan now including David’s comment.
I reviewed the sequence of use for the PQI and MMI. Although only MMI is needed to set up Operators, Consumers and Devices, it is likely that both will be needed during the provision of services – often called one after the other. It seems probable that any action that leads to the disclosure of credentials will impact both even if they had separate logins. So I don’t think this is the best route forward.
The actions with the 2 documents can be classified into:
Low risk       Accept information
Medium risk    Disclosing information
High risk      Destroying information
We already have a concession for low risk operations to allow the transaction without credentials. I suggest the medium risk operations remain as they are and we define an additional security level that is added to high risk operations.
Low risk
   BAP: POST /atoms
   MMI: POST /service-provider/operator 
   MMI: POST /operator/consumer 
   MMI: POST /operator/device
Medium risk
   BAP: GET /home 
   PQI: POST /query 
   PQI: POST /segment 
   MMI: GET /service-provider/operators 
   MMI: POST /service-provider/consumers 
   IDA: POST /Validation 
   IDA: POST /PseudonymousKey 
   IDA: POST /PseudonymousKeyBatch 

High risk 
   MMI: POST /operator/forget 
   MMI: POST /operator/reasignDevice 
   MMI: POST /service-provider/renameOperator


> RPE security analysis suggests MMI & PQI should have separate access creds
> --------------------------------------------------------------------------
>
>                 Key: COEL-26
>                 URL: https://issues.oasis-open.org/browse/COEL-26
>             Project: OASIS Classification of Everyday Living (COEL) TC
>          Issue Type: Bug
>            Reporter: Joss Langford
>            Assignee: Joss Langford
>




--
This message was sent by Atlassian JIRA
(v6.2.2#6258)

