
regrep-security message


Subject: RE: OASIS Registry: Minutes

Thanks Sanjay. I recollect 2c as F.

-----Original Message-----
From: Patil, Sanjay [mailto:SPatil@iona.com]
Sent: Monday, August 27, 2001 6:31 PM
To: Damodaran, Suresh; 'regrep-security@lists.oasis-open.org';
'dennisc@nii.org.tw'; 'Michael Joya'; 'sekhar.vajjhala@Sun.COM'
Subject: OASIS Registry: Minutes

Attendees: Suresh, Farrukh, Sekhar and Sanjay

The document has the section 5 updated with priorities from our discussion.
I missed capturing priority for item 2c. I guess it was D. Please correct me
if I am wrong.


* Consensus on the idea of listing use cases for Security team
   that would drive the efforts and define the scope.
   Action Item: Sanjay to send use cases based on the Security Concerns
1a>Digital Signature can be useful for the content owner authentication,
     DS does not cover sender authentication. How to solve this problem?
     Resolution: Not a critical issue for V2.
                   Specific concern of Replay Attack ==> Priority C.

     If SO and RO are separate, will there be two signatures?
     Registry trusts RO only and checks only RO's signature. 
     Resolution: RO and SO distinction ==> Priority C 
1b>Data in transmission protection: Confidentiality:
     Should we spec it and make it mandatory? Or put it
     in the Registry Profile?  This option is to be investigated?
     Action Item:  Farrukh and Sekhar to follow

1c>Content up-to-date? Versioning will solve it.
     This issue falls more in the purview of life cycle management
     activities ==> Priority D.

1d>Bona fide publishers. Source integrity ==>  Priority A.

1e>Registry Publisher writes content at authorized locations only ==> Priority F

1f>NonRepudiation: Can Audit trail support be used here?
    We might have to deal with NonRepudiation and Auditing separately.
    Action Item:  Sekhar to post more details on Non Repudiation.

1g>Same as 1f

1h>Classification Integrity. Not in security sub team domain

2a, b> Access Control for Read and Write ==> Priority A
2c> Usage data inclusive of Audit Trail plus other information ==> Priority
2d> Accidental access to protected data ==> Priority F

3> Access Control for ACL : Priority C
     Registry owner is super owner for V2

  a> Transfer of Credentials for Federated Registries ==> F
  b> Transfer of Credentials to Aggregators Ex. RO acting as a proxy for SO ==> Priority C
  c> Persistence of Credentials across Sessions. V2 does not plan to support ==> Priority F
  d> Storing Credentials to be used by sub queries ==> Implementation

5> Lot of work is to be done in the area of specing Registry infrastructure
     and providing binding for the same ==> Priority D

Sanjay Patil
Total Business Integration (TM) 
Phone: 408 350 9619                                 http://www.iona.com
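Item 1a above notes that a digital signature on registry content authenticates the content owner but says nothing about who actually submitted it, which is what opens the replay concern. The following Python example is added here to illustrate that distinction; it is not code from the thread, the OASIS registry specification or any of the participants. It uses a deliberately tiny textbook RSA (constructed parameters, not secure, illustration only) so that it runs with the standard library alone. The first check mimics a registry that verifies only the content signature and therefore accepts the same signed package from anyone; the second wraps the submission in a sender-signed envelope carrying the target registry id, a nonce and a timestamp, which is one assumed way to reject replays and bind the request to a known sender.

```python
"""Content-owner signature vs. sender authentication (added example)."""
import hashlib

# --- toy RSA: constructed, tiny and insecure; only to keep the example stdlib-only ---

def toy_keypair(p: int, q: int, e: int):
    """Return ((e, n), (d, n)) for small primes p, q and public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (e, n), (d, n)

def _digest_int(data: bytes, n: int) -> int:
    # Hash the message and reduce into the toy modulus range.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data: bytes, priv) -> int:
    d, n = priv
    return pow(_digest_int(data, n), d, n)

def verify(data: bytes, sig: int, pub) -> bool:
    e, n = pub
    return pow(sig, e, n) == _digest_int(data, n)

# --- constructed sample: a content owner and a separate submitting party ---

OWNER_PUB, OWNER_PRIV = toy_keypair(61, 53, 17)     # content owner (e.g. the RO)
SENDER_PUB, SENDER_PRIV = toy_keypair(67, 71, 13)   # party that submits on its behalf
CONTENT = b"<RegistryObject id='urn:example:ro1'>sample</RegistryObject>"  # constructed
CONTENT_SIG = sign(CONTENT, OWNER_PRIV)

def content_signature_only(content: bytes, content_sig: int, owner_pub) -> bool:
    """The 1a situation: only the owner's content signature is checked.

    Anyone who has obtained (content, content_sig) passes this check, so a
    valid result proves content origin, not who sent this request.
    """
    return verify(content, content_sig, owner_pub)

# --- assumed mitigation: sender-signed envelope with registry id, nonce, timestamp ---

def _envelope_bytes(env: dict) -> bytes:
    # Canonical byte string the sender signs; includes the content signature
    # so the sender vouches for this exact signed content going to this registry.
    return "|".join([
        env["sender"], env["registry"], env["nonce"], str(env["ts"]),
        hashlib.sha256(env["content"]).hexdigest(), str(env["content_sig"]),
    ]).encode()

def make_submission(sender: str, sender_priv, registry: str,
                    content: bytes, content_sig: int, nonce: str, ts: int) -> dict:
    env = {"sender": sender, "registry": registry, "nonce": nonce, "ts": ts,
           "content": content, "content_sig": content_sig}
    env["env_sig"] = sign(_envelope_bytes(env), sender_priv)
    return env

class Registry:
    """Accepts a submission only if content AND sender checks pass."""

    def __init__(self, registry_id: str, owner_pub, trusted_senders: dict, max_age: int = 300):
        self.registry_id = registry_id
        self.owner_pub = owner_pub
        self.trusted_senders = trusted_senders   # sender name -> public key
        self.max_age = max_age
        self.seen_nonces = set()

    def submit(self, env: dict, now: int) -> str:
        if env["registry"] != self.registry_id:
            return "wrong-registry"                # signed for another registry
        if abs(now - env["ts"]) > self.max_age:
            return "stale"                         # outside the freshness window
        if env["nonce"] in self.seen_nonces:
            return "replay"                        # exact request seen before
        if not verify(env["content"], env["content_sig"], self.owner_pub):
            return "bad-content-sig"               # content not from the owner
        sender_pub = self.trusted_senders.get(env["sender"])
        if sender_pub is None:
            return "unknown-sender"
        if not verify(_envelope_bytes(env), env["env_sig"], sender_pub):
            return "bad-sender-sig"                # envelope altered or forged
        self.seen_nonces.add(env["nonce"])
        return "accepted"
```

Note that the content-only check returns True for a replayed package by design: that is the gap item 1a describes, and the envelope checks are what close it. A real deployment would use a proper signature scheme and persist the nonce window instead of an in-memory set.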
