

Subject: Re: [wsn] Issue Verification BaseN 1.0j Issue 2.6: Third party subscriber can be a security concern


I would like to see a little more harmonization between the top and
bottom halves of this section.  Would there be any problem with bringing
a reworked version in as part of public review, provided that the
substance was the same and only the organization changed?

I'm concerned that there is some overlap since the two parts were pasted
together from separate sources.

Peter Niblett wrote:

>Tom
>
>There is some more text that appears at the end of section 7.2...
>
>   In addition to the usual concerns of authorization and message integrity
>   which apply to all web services, notification presents issues all its
>   own due to the third-party nature of subscription.  Since the
>   NotificationProducer is agreeing to produce Notifications for a consumer
>   based on the requests of a Subscriber, it must assure itself that there
>   is no harm in producing these Notifications.  A malicious Subscriber may
>   request Notifications be sent to a party that is not authorized to
>   receive them.  It may also mount DOS attacks by requesting large volumes
>   of Notifications be sent to parties that cannot handle them.
>
>   The NotificationProducer may address these risks in many different ways,
>   including but not limited to:
>
>   ·  Simply trusting all Subscribers, perhaps because all parties are
>   known to be on a closed, trusted, network, or because the consequences
>   of unauthorized Subscriptions are otherwise known to be negligible.
>   ·  Requiring all Subscribers to provide secure credentials proving that
>   they are trusted to make subscriptions.
>   ·  Refusing to produce notifications for NotificationConsumers that are
>   not known to be authorized.
>   ·  Explicitly confirming with NotificationConsumers whether they wish to
>   receive the Notifications that the Subscriber has requested.
>   ·  Some combination of the above, depending on the identity of the
>   Subscriber and NotificationProducer
>
>This is explicitly about the risks that arise from the third-party nature
>of subscriptions, and I think it does address issue 2.6 and is in keeping
>with the agreed approach.
>
>Peter Niblett
>
>
>Tom Maguire <tmaguire@us.ibm.com>
>28/06/2005 02:36
>To: <wsn@lists.oasis-open.org>
>cc:
>Subject: [wsn] Issue Verification BaseN 1.0j Issue 2.6: Third party subscriber can be a security concern
>
>
>Agreed Approach: Describe the additional security risks imposed by the
>third party nature of the subscription mechanism in the Security
>Considerations section. Provide examples of how such risks may be averted.
>
>   It should be noted that even though Subscriptions may be done by
>   authorized principals, the Notifications may be delivered to
>   NotificationConsumers whose identity may be different from the
>   Subscriber. Message protection policies as outlined in the previous
>   section can be used to ensure that sensitive Notifications are not
>   delivered to malicious endpoints. For example, a key may need to be
>   specified or generated during the process of Subscription, so that the
>   Notifications can be encrypted using the key to ensure confidentiality
>   of the messages. The mechanism by which the key is specified is governed
>   by the Subscription policy.
>
>
>While there is a brief description of 3rd party security considerations it
>does not seem to be in the spirit of the agreed approach.
>
>Tom
>
>
>Frey’s Law: “Every 5 years the number of architecture components double and
>the ability to comprehend them halves”
>
>
>Perfection is achieved, not when there is nothing more to add, but when
>there is nothing left to take away.   – Antoine de Saint-Exupery
>
>
>T o m   M a g u i r e
>
>
>STSM, On Demand Architecture
>
>
>Poughkeepsie, NY  12601
>
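
An added example, not part of this thread or of the WS-BaseNotification text: a producer-side admission check that combines the options listed in the quoted section 7.2 text (trusted Subscriber credentials, a set of NotificationConsumers known to be authorized, and explicit confirmation by an unknown NotificationConsumer before anything is produced). The class and method names, the status strings, the per-Subscriber cap on unconfirmed requests and the endpoint URLs are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class SubscribeRequest:
    subscriber: str     # authenticated Subscriber identity ("" if none presented)
    consumer_epr: str   # endpoint the Notifications would be delivered to
    topic: str

class SubscriptionGate:
    """Hypothetical admission check a NotificationProducer runs on Subscribe."""

    def __init__(self, trusted_subscribers, authorized_consumers, max_pending=2):
        self.trusted = set(trusted_subscribers)
        self.authorized = set(authorized_consumers)
        self.max_pending = max_pending   # cap on unconfirmed requests per Subscriber
        self.pending = {}                # confirmation token -> request
        self.active = []                 # subscriptions Notifications are produced for

    def subscribe(self, req):
        if req.subscriber not in self.trusted:
            return ("REJECT", None)      # Subscriber presented no trusted credentials
        if req.consumer_epr in self.authorized:
            self.active.append(req)
            return ("ACCEPT", None)      # consumer already known to be authorized
        # Unknown consumer: produce nothing until the consumer itself opts in.
        waiting = sum(r.subscriber == req.subscriber for r in self.pending.values())
        if waiting >= self.max_pending:
            return ("REJECT", None)      # bounds confirmation requests one Subscriber can cause
        token = secrets.token_urlsafe(16)
        self.pending[token] = req
        return ("PENDING", token)        # token goes to the consumer, not the Subscriber

    def confirm(self, consumer_epr, token):
        req = self.pending.get(token)
        if req is None or req.consumer_epr != consumer_epr:
            return False                 # unknown token or wrong endpoint
        del self.pending[token]          # single use
        self.active.append(req)
        return True

if __name__ == "__main__":
    # Constructed sample identities and endpoints.
    gate = SubscriptionGate({"alice"}, {"https://known.example/consumer"})
    print(gate.subscribe(SubscribeRequest("mallory", "https://victim.example/c", "t")))
    print(gate.subscribe(SubscribeRequest("alice", "https://other.example/c", "t"))[0])
```
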


