RE: AC006.1: Threat model [..] for Web service endpoints and thei r communication from Ahmed, Zahid on 2002-05-03 (www-ws-arch@w3.org from May 2002)

From: Ahmed, Zahid <zahid.ahmed@commerceone.com>
Date: Thu, 2 May 2002 18:06:27 -0700
To: www-ws-arch@w3.org
Message-ID: <C1E0143CD365A445A4417083BF6F42CC02F89094@C1plenaexm07.commerceone.com>

>>What about security in say a registry of services?
>If the registry manifests itself as a web service endpoint,
>>then it's covered.


This may not be completely true.

The security problem ___domain of a web service enabled 
Registry may be different than the general web 
services applications. 

I guess for now it is satisfactory to assume that
such types of web services application security model 
is partially defined as part of its own ___domain (e.g.,
UDDI Regsitry Security Reqmnts, ebXML Registry Security
Reqmnts, where a range of security assurance, data 
protection and privacy requirements have been identified). 


Zahid Ahmed

 


-----Original Message-----
From: Joseph Hui [mailto:jhui@digisle.net]
Sent: Thursday, May 02, 2002 5:47 PM
To: Hugo Haas; www-ws-arch@w3.org
Subject: RE: AC006.1: Threat model [..] for Web service endpoints and
their communication


> -----Original Message-----
> From: Hugo Haas [mailto:hugo@w3.org]
> Sent: Thursday, May 02, 2002 12:13 PM
> To: www-ws-arch@w3.org
> Subject: AC006.1: Threat model [..] for Web service endpoints 
> and their
> communication
> 
> 
> AC006.1 reads:
> 
> | AC006.1 The construction of a Web Services Threat Model based on
> | thorough analysis of existing and foreseeable threats to Web service
> | endpoints and their communication.
> 
> Is the threat model consideration is limited to endpoints and their
> communication? 

Pretty much so.  (You may want to refer to the WS Threat Model I
wrote in a previous msg prior to the F2F.  I didn't get around to finish
it, but the gist is there.)

> What is the implication of this?

The world will have well secured web services, along with fresh air
and clean water, mom and apple pie, ...  :-).

> What about security in say a registry of services?

If the registry manifests itself as a web service endpoint,
then it's covered.

Cheers,

Joe Hui
Exodus, a Cable & Wireless service
===============================================================
> 
> Regards,
> 
> Hugo
> 
> -- 
> Hugo Haas - W3C
> mailto:hugo@w3.org - http://www.w3.org/People/Hugo/ - 
> tel:+1-617-452-2092
> 
>

Received on Thursday, 2 May 2002 21:06:41 UTC