Subject: OASIS Registry: Minutes
Attendees: Suresh, Farrukh, Sekhar and Sanjay

The document has the section 5 updated with priorities from our discussion. I missed capturing priority for item 2c. I guess it was D. Please correct me if I am wrong.

<<ebXML-Registry-SecurityRisks1.doc>>

Minutes:

* Consensus on the idea of listing use cases for Security team that would drive the efforts and define the scope.
  Action Item: Sanjay to send use cases based on the Security Concerns section

1a> Digital Signature can be useful for the content owner authentication, but DS does not cover for sender authentication. How to solve this problem?
    Resolution: Not a critical issue for V2. Specific concern of Reply Attack ==> Priority C.
    If SO and RO are separate, will there be two signatures? Registry trusts RO only and checks only RO's signature.
    Resolution: RO and SO distinction ==> Priority C

1b> Data in transmission protection: Confidentiality: Should we spec it and make it mandatory? Or put it in the Registry Profile? This option is to be investigated?
    Action Item: Farrukh and Sekhar to follow

1c> Content up-to-date? Versioning will solve it. This issue falls more in the purview of life cycle management activities ==> Priority D.

1d> Bona fide publishers. Source integrity ==> Priority A.

1e> Registry Publisher writes content at authorized locations only ==> Priority F

1f> NonRepudiation: Can Audit trail support be used here? We might have to deal with NonRepudiation and Auditing separately.
    Action Item: Sekhar to post more details on Non Repudiation.

1g> Same as 1f

1h> Classification Integrity. Not in security sub team domain

2 a, b> Access Control for Read and Write ==> Priority A

2 c> Usage data inclusive of Audit Trail plus other information ==> Priority D

2 d> Accidental access to protected data ==> Priority F

3> Access Control for ACL : Priority C
   Registry owner is super owner for V2

4> a> Transfer of Credentials for Federated Registries ==> F
   b> Transfer of Credentials to Aggregators. Ex. RO acting as a proxy for SO ==> Priority C
   c> Persistence of Credentials across Sessions. V2 does not plan to support Sessions. ==> Priority F
   d> Storing Credentials to be used by sub queries ==> Implementation specific.

5> Lot of work is to be done in the area of specing Registry infrastructure and providing binding for the same ==> Priority D

thanks,
Sanjay Patil
----------------------------------------------------------------------------
IONA
Total Business Integration (TM)
Phone: 408 350 9619
http://www.iona.com
ebXML-Registry-SecurityRisks1.doc