OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

soa-rm-ra message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [soa-rm-ra] Follow-up to 7-5-08 Telecom

Ken and Danny,

while actions better be not assigned to execution context, it is NOT my point.

Ken used only one reference in RM to the executions context where the latter  is applied to "a service interaction". Here is another reference, where EC is applied to the service itself:

    551 In support of the dynamics of interacting with services are a set of concepts that are about
    552 services themselves. These are the service description, the EXECUTION CONTEXT OF THE SERVICE and
    553 the contracts and policies that relate to services and service participants.

In my original message I am saying that for the SOA service all security measures applied to the service interaction MUST apply to the service ITSELF also, to this or that degree; the SOA RA HAS to point to this, otherwise we are sending a wrong message to the community.

To achieve this consistent security view, I propose to replace words SOA-based message exchange by the words SOA-based systems in the section 5.2.7.  That is, I propose to extend security requirements onto the SOA eco-system; service interaction is an important but only a part of the SOA eco-system.

If you disagree with me, please, say this directly. Below, I am giving you a real-life example:
a fund management company accepts debit card payments via its Web portal; the portal is supported by SOA services (inside enterprise firewall), which process payments validation and store payment attributes (including debit card number, etc.) in its local databases for later settlement procedure. Currently, at least, in the UK, it is required that all payment attributes related to the card to be encrypted in certain way (in all data stores through the processing) defined by the PCI DSS standard (https://www.pcisecuritystandards.org/tech/download_the_pci_dss.htm ). This protects sensitive card information from the tempering even inside the enterprise.

Thus, security of the service body/implementation is equally important as the security of the service interaction (via its interface). I hope, you get me right this time.

-	Michael

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]