It is
now convential to refer to this requirement (encryption) as "confidentiality"
rather than "privacy". The reason is that privacy is normally used to indicate
the variety of concerns and mechanisms required to assure individual's
security.
Many
security mechanisms, e.g. encryption, access control may have privacy as one of
its motivations, but privacy requirements may also involve unique requirements
and technologies.
I
believe we have already identified confidentiality as a requirement which
addresses your concerns.
Hal
Hi Heather,
(I'm
catching up with wsdm email...)
Should we call out "privacy" along with
authentication and authorization. Essentially, privacy is the encrypted
wrapping of message payloads. While access to data is controlled by
authentication and authorization, privacy minimizes the possibility that
sensitive information can be sniffed and seen by unauthorized individuals
having a promiscuous interface on a shared network segment.
Examples of
sensitive data are bank account or credit card numbers, medical information
about a patient, or the password for a user.
Some data should not be
transmitted to authenticated and authorized individuals unless it is
encrypted.
Regards,
Mark
Heather Kreger wrote:
Per our call today, I'm starting this email thread to discuss and
ensure that WSDL described interactions with manageable resources (which
are WS-Resources) are sufficiently secure.
Which leads to the
follow-on question: Do manageable resources have any additional requirements
on security than any other Web service? i.e. authentication,
authorization, etc.
Heather Kreger STSM, Web Services Lead
Architect for SWG Emerging Technologies Author of "Java and JMX: Building
Manageable Systems" kreger@us.ibm.com 919-543-3211 (t/l
441) cell:919-496-9572
|