[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: Re: [wsrp][security] R401
I would suggest rewording R401 to: The specification MUST define how secure transport MAY be used for communications between portal and portlet. A related requirement should then also be included: The specification MUST define how document security standards MAY be used for messages between portal and portlet. "Cassidy, Mark" <mcassidy@Netegri To: "'wsrp@lists.oasis-open.org'" <wsrp@lists.oasis-open.org> ty.com> cc: Subject: [wsrp][security] Agenda for 6/5 telecon 06/04/2002 07:53 PM I've begun to take the security requirements we have documented to date and map to current standards. Using the numbering scheme assigned by Carsten, I've started with the first couple requirements and updated the language used as well as begun to capture content that would go into the spec chapter. In the process, I've identified a number of issues/questions that I'd like to focus tomrrow's telecon on. Below is outline and discussion points behind the first two requirements. Time: 8:00 a.m. PST(11:00 a.m. EST, 5:00 p.m. CET) Reservationless-Plus Toll Free Dial-In Number: 877.450.3529 Reservationless-Plus International Dial-In Number: +1.706.679.6653 Conference Code: 4254674195 ************************** Chapter 5 Security Preamble key points: - WSRP is exposed to many of the same security issues that today's web services-based systems are susceptible to. It is the goal within WSRP to leverage existing standards efforts focusing on web services security as much as possible, and to identify solutions that provide the broadest possible interoperability based on widely used infrastructure components. - Reference to existing documents discussing of security issues/threats - WSRP context for security issues: o Trust between portal and portlet(authentication) o Handling of end user identity and personal information(authentication and confidentiality) o Secure transmission of data(confidentiality) o Access control(policy) - Discussion of transport-based and document-based approaches to addressing security issues - Pointers to relevant standards which WSRP will aim to leverage Spec details behind requirements: Number Type Description Comment R401 MUST The specification MUST support the use of secure transport for communications between portal and portlet Use of transport-level security is optional. Applicable standards widely in use: SSL/TLS. This mechanism supports both confidentiality and authentication requirements. (reference to standards documentation) Supporting Metadata: - Transport security(none, HTTP over SSL/TLS; others as identified) o SSL/TLS has an additional attribute: - SSL/TLS (no certificate), or - SSL/TLS with client certificate Question: - SSL/TLS sits a couple layers below WSRP in the protocol stack. Maximum interoperability will be achieved by using SOAP/HTTP/(SSL/TLS). What protocol binding is required in the service metadata to indicate the use of HTTP/(SSL/TLS) stack beneath the SOAP layer? Question: should both parties(portal and portlet) have a say in the transport mechanism used? Or does the service simply declare how the portal should talk to it and from there the portal is required to conform to that requirement? Question: - Should metadata support an 'supported but optional' scenario(versus supported/required) for secure transport? Question: - Should transport security be scoped to all portal/portlet exchanges(from bind step through remaining registration lifecycle), or does WSRP need to support more fine-grained selection of transport security? Number Type Description Comment R402 MUST The specification must support the ability for a portlet to authenticate a portal. A portlet service may authenticate service requests from portals, but is not required to do so. Transport or document-based approaches may be used for authentication. Applicable standards for transport-based authentication that are widely in use are: - http/basic - client certificate in conjunction with SSL/TLS. (reference standards documentation for these) XML-Signature is the primary document-based mechanism to consider for authenticating a service request. (reference to the w3c xmldsig documentation) Supporting metadata: - Authentication method(none, http/basic, SSL/TLS certificate, signature; add others as required) Issue: there are no metadata standards for describing signature mechanisms; signatures themselves as defined by XML-Signature carry a number of elements describing how they are computed/validated(canonicalization method, digest method, transforms, key information). Should we replicate these elements from XML-Signature in the portlet's metadata in order to describe how a portal should sign a service request? Issue: what are the elements in the service request that should be signed? ---------------------------------------------------------------- To subscribe or unsubscribe from this elist use the subscription manager: <http://lists.oasis-open.org/ob/adm.pl>
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC