wsdm message
Subject: MUWS: Security Considerations section


IBM would like to propose the following section to replace what was section 3.3. in the old MUWS.  I don't see a security section in the new MUWS Part 1 and I think we should add one like this:

When evaluating the security requirements for resource management, it is important to delineate several aspects of security technology:

- Identification (not sure how to reconcile this with your use of identity)
    - Presentation of a claimed identity
- Authentication
    - Verification of proof of asserted identity
- Authorization
    - The information and mechanisms to allow appropriate authorized requests to resources and deny unauthorized requests.
- Message Integrity
    - The protection of messages in a message exchange from unauthorized modification.
    - Data Integrity
        - The protection of data from unauthorized modification.
- Data confidentiality
- Trust

A complete security model addressing the requirements listed above needs to be provided for any management deployment. Profiles for different sets of requirements will be needed to ensure interoperable deployments.

An explicit mapping to an authorization model at deploy time should be provided by a conformant management application.

To address security of messages, MUWS relies on generic Web services security mechanisms, including transport-level security [e.g. HTTP over SSL], OASIS Web Services Security message-level security [WSS], etc. The composition of appropriate security specifications and this specification provides a model for securing the messages exchanged during management using Web services realized by manageability endpoint implementations. The choice of concrete security mechanisms should be carried out by the implementers of the manageability endpoints, and will need to be profiled.

Within an enterprise, Management using Web services can be deployed like any other application into the existing enterprise security model. However, it should be confirmed. When managing between enterprises, security will need to be developed in an ad hoc, pair-wise fashion at a messaging level.

In the following sections metadata for management is defined. Whenever information related to management metadata is being relied on, it is important to understand the environment in which the metadata is being asserted. It may be important to provide some data integrity mechanisms to protect the information from unauthorized modification. It may be important to implement a set of authorization mechanisms to provide a way of identifying under what conditions information should be shared.


Heather Kreger
STSM, Web Services Lead Architect for SWG Emerging Technologies
Author of "Java and JMX: Building Manageable Systems"
kreger@us.ibm.com
919-543-3211 (t/l 441)  cell:919-496-9572
