Subject: OASIS Registry: Minutes



Attendees: Suresh, Farrukh, Sekhar and Sanjay

The document has section 5 updated with priorities from our discussion.
I missed capturing the priority for item 2c. I guess it was D. Please correct me
if I am wrong.

 <<ebXML-Registry-SecurityRisks1.doc>> 

Minutes:
* Consensus on the idea of listing use cases for the Security team
  that would drive the efforts and define the scope.
  Action Item: Sanjay to send use cases based on the Security Concerns section
1a> Digital Signature can be useful for the content owner authentication, but
     DS does not cover for sender authentication. How to solve this problem?
     Resolution: Not a critical issue for V2.
                 Specific concern of Replay Attack ==> Priority C.

     If SO and RO are separate, will there be two signatures?
     Registry trusts RO only and checks only RO's signature.
     Resolution: RO and SO distinction ==> Priority C
1b> Data in transmission protection: Confidentiality:
     Should we spec it and make it mandatory? Or put it
     in the Registry Profile? This option is to be investigated.
     Action Item: Farrukh and Sekhar to follow

1c> Content up-to-date? Versioning will solve it.
     This issue falls more in the purview of life cycle management
     activities ==> Priority D.

1d> Bona fide publishers. Source integrity ==> Priority A.

1e> Registry Publisher writes content at authorized locations only ==> Priority F

1f> Non-Repudiation: Can Audit trail support be used here?
     We might have to deal with Non-Repudiation and Auditing separately.
     Action Item: Sekhar to post more details on Non-Repudiation.

1g> Same as 1f

1h> Classification Integrity. Not in the security sub-team's domain.

2 a, b> Access Control for Read and Write ==> Priority A
2 c> Usage data inclusive of Audit Trail plus other information ==> Priority D
2 d> Accidental access to protected data ==> Priority F

3> Access Control for ACL: Priority C
     Registry owner is super owner for V2

4>
  a> Transfer of Credentials for Federated Registries ==> Priority F
  b> Transfer of Credentials to Aggregators, e.g. RO acting as a proxy for SO ==> Priority C
  c> Persistence of Credentials across Sessions. V2 does not plan to support Sessions.
     ==> Priority F
  d> Storing Credentials to be used by sub-queries ==> Implementation specific.


5> A lot of work is to be done in the area of specing Registry infrastructure
     and providing binding for the same ==> Priority D

thanks,
Sanjay Patil
----------------------------------------------------------------------------
IONA
Total Business Integration (TM) 
Phone: 408 350 9619                                 http://www.iona.com
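The distinction raised in item 1a (a content-owner signature verifies the content, not the party that submitted it, so a validly signed item can be replayed) and the V2 rule that the registry trusts RO only can be shown concretely. The Python below is an added example written for this archive page; it is not part of Sanjay's message, the attached document, or the ebXML Registry specification. HMAC-SHA256 stands in for a digital signature so the example runs on the standard library alone, and the `Registry` class, the SO/RO keys and the nonce scheme are constructed assumptions, not anything the minutes define.

```python
import hashlib
import hmac
import json
import secrets

# Constructed keys for the example. The Submitting Organization (SO) owns the
# content; the Registry Organization (RO) is the trusted sender that submits to
# the registry. HMAC-SHA256 stands in for a real digital signature here.
SO_KEY = b"so-content-owner-key"
RO_KEY = b"ro-trusted-sender-key"
OTHER_KEY = b"unrelated-party-key"


def sign(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(key: bytes, data: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(key, data), sig)


def sign_content(content: str) -> dict:
    """Content-owner signature (SO): covers the content bytes and nothing else."""
    return {"content": content, "owner_sig": sign(SO_KEY, content.encode())}


def owner_signature_valid(item: dict) -> bool:
    return verify(SO_KEY, item["content"].encode(), item["owner_sig"])


def canonical(sender: str, nonce: str, item: dict) -> bytes:
    # Stable serialization so signer and verifier hash identical bytes.
    return json.dumps([sender, nonce, item], sort_keys=True).encode()


def make_envelope(sender: str, sender_key: bytes, item: dict) -> dict:
    """Sender-bound envelope: the sender signs (sender, fresh nonce, item)."""
    nonce = secrets.token_hex(16)
    return {
        "sender": sender,
        "nonce": nonce,
        "item": item,
        "sender_sig": sign(sender_key, canonical(sender, nonce, item)),
    }


class Registry:
    """Minimal registry that trusts RO only, as the minutes state for V2 (assumed design)."""

    def __init__(self):
        self.sender_keys = {"RO": RO_KEY}
        self.seen_nonces = set()  # a real registry would bound this with a time window

    def submit(self, env: dict) -> str:
        # Content integrity: the owner's signature over the content must verify.
        if not owner_signature_valid(env["item"]):
            return "rejected: bad owner signature"
        # Sender authentication: only a known sender, with a signature that
        # binds sender identity, nonce and item together.
        key = self.sender_keys.get(env["sender"])
        if key is None:
            return "rejected: unknown sender"
        if not verify(key, canonical(env["sender"], env["nonce"], env["item"]), env["sender_sig"]):
            return "rejected: bad sender signature"
        # Replay protection: each nonce is accepted once.
        if env["nonce"] in self.seen_nonces:
            return "rejected: replay"
        self.seen_nonces.add(env["nonce"])
        return "accepted"


def run_demo() -> dict:
    item = sign_content("<RegistryEntry id='constructed-1'/>")  # constructed sample content
    results = {}
    # Item 1a: the owner signature alone verifies no matter who re-sends the
    # item, so it says nothing about the sender and cannot detect a replay.
    results["owner_sig_valid"] = owner_signature_valid(item)
    results["owner_sig_valid_when_replayed"] = owner_signature_valid(dict(item))
    # A sender-bound envelope plus nonce tracking covers both gaps.
    reg = Registry()
    env = make_envelope("RO", RO_KEY, item)
    results["first_submit"] = reg.submit(env)
    results["replayed_envelope"] = reg.submit(env)
    results["forged_sender"] = reg.submit(make_envelope("RO", OTHER_KEY, item))
    results["unknown_sender"] = reg.submit(make_envelope("SO", SO_KEY, item))
    tampered = dict(item, content=item["content"] + "<!-- altered -->")
    results["tampered_content"] = reg.submit(make_envelope("RO", RO_KEY, tampered))
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The two owner-signature checks both pass, which is the gap the minutes describe: the registry cannot tell a fresh submission from a replayed one using the content signature alone. The envelope check answers the "two signatures" question from item 1a in the way the minutes resolve it: the owner signature travels inside the item, and the registry itself verifies only the sender (RO) signature and the nonce.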
