IRC log of ws-arch2 on 2002-06-14

Timestamps are in UTC.

07:20:40 [RRSAgent]
RRSAgent has joined #ws-arch2
07:21:33 [GlenD]
GlenD has joined #ws-arch2
07:23:16 [soliton]
soliton has joined #ws-arch2
07:23:39 [omh]
omh has joined #ws-arch2
07:24:16 [shishir]
shishir has joined #ws-arch2
07:26:32 [soliton]
what are our topics?
07:26:41 [GlenD]
07:32:21 [joe]
joe has joined #WS-ARCH2
07:32:39 [shishir]
work in subgroups on <>
07:32:53 [chris]
07:33:17 [GlenD]
That's the glossary w/definiton of "integrity" we're using
07:34:08 [GlenD]
1. Hop to hop
07:34:11 [GlenD]
2. End to end
07:35:57 [GlenD]
Posit that we have nodes and arcs - each interation is two nodes across a single arc
07:36:14 [GlenD]
"end to end" service integrity is about securing the arcs
07:36:22 [GlenD]
consider that first
07:36:35 [GlenD]
Then get into the fact that the nodes must be considered as well
07:37:48 [GlenD]
07:37:51 [GlenD]
07:38:03 [soliton]
we can consider a public-witness model for integrity
07:41:11 [soliton]
are we trying to offer solution here or just locate the problems?
07:42:00 [soliton]
I guess we can classify into: a) one to one 2) one to many
07:42:10 [GlenD]
Where are places in the use-case that bring in integrity issues?
07:42:59 [omh]
omh has joined #ws-arch2
07:43:01 [soliton]
first of all, we need data normalization
07:43:12 [GlenD]
1. Travel agent books flight - make sure that the correct flight gets booked
07:46:10 [GlenD]
Travel agent needs complete view of data
07:46:17 [GlenD]
other parties need their own views
07:46:25 [soliton]
ok, data normalization model can be in next phase
07:46:40 [GlenD]
First approx - "bits originated at point A must be reproduced at point B exactly"
07:46:56 [soliton]
different views can be classified into access control
07:47:02 [soliton]
are we doing access control?
07:47:18 [omh]
don' think so...
07:47:43 [GlenD]
SCENARIO : Evil Intermediary Changes Flight Times
07:48:05 [GlenD]
Travel agent sends "book a Saturday 1PM flight" to airline A
07:48:20 [GlenD]
Evil intermediary changes doc en route to say "Sunday 4AM flight"
07:48:49 [GlenD]
(could easily see your own biz doing this to ensure saturday night stays....)
07:49:06 [GlenD]
Airline A is able to see that the data was tampered with and fails
07:49:17 [GlenD]
(perhaps alerting the net.cops)
07:49:52 [GlenD]
07:50:21 [soliton]
well, public key-private key solution will do
07:50:41 [GlenD]
OK, so we must have a trusted keystore
07:51:22 [soliton]
symmetry key solution also works, although
07:51:36 [GlenD]
symmetry key == secure channel?
07:51:45 [soliton]
very much
07:51:56 [GlenD]
So if I trust the pipe, I trust the integrity of the data that passes over it
07:52:13 [GlenD]
So there are two levels here - channel security and message security
07:52:13 [soliton]
pre-arranged shared key
07:52:22 [GlenD]
If I have a trusted channel, I'm ok
07:52:32 [GlenD]
If not, I have to trust each message individually
07:53:05 [GlenD]
So this doesn't require particularly web-service-specific technology
07:57:16 [soliton]
the web services specific issues would be to estabilish the
07:57:22 [soliton]
trust between services
07:58:59 [GlenD]
Joe describes the fact that integrity via hash comparisions != encryption
07:59:06 [GlenD]
Therefore we can separate the issues
07:59:34 [GlenD]
Therefore in this case "trusted channel" == channel which periodically hashes the data and allows both ends to check integrity
07:59:42 [soliton]
but you still need to way to pass the hash
07:59:51 [GlenD]
08:00:48 [soliton]
question is, would ssl be sufficient?
08:01:06 [GlenD]
08:01:10 [soliton]
since ssl is already a web facility
08:01:46 [soliton]
so our mission is to ensure web services does not violate ssl
08:02:39 [joe]
The hash is embedded in the data packet.
08:03:25 [soliton]
can anyone post of url of the svg?
08:04:17 [GlenD]
<SCENARIO name="Evil Travel Agent">
08:04:42 [GlenD]
Customer sends travel agent some information about flights/times/etc
08:05:25 [GlenD]
Travel agent, either intentionally (evil) or not (mistake) alters the info
08:05:34 [GlenD]
Then they pass it on to an airline or hotel
08:05:53 [GlenD]
08:06:40 [soliton]
this looks like business
08:06:57 [soliton]
since the travel agent is trusted service
08:07:10 [soliton]
it has to be responsible for its own actions
08:07:29 [GlenD]
Well, yes, but your third-party suggestion from before would work
08:07:44 [GlenD]
I.e. both customer and airline/hotel notarize the data
08:07:58 [GlenD]
So there's another channel (not via the TA) for confirmation
08:08:10 [GlenD]
Can we do it without the third party?
08:08:10 [soliton]
but the airline needs to know where the end customers are
08:10:05 [omh]
does this mean the location of the customer or the identity of the customer?
08:10:31 [soliton]
the public signature of the customer
08:10:56 [soliton]
or the airline needs to share a secure channel to the customer as well
08:11:12 [omh]
yep thats what I thought..
08:11:19 [soliton]
I guess there are two scenarios here
08:11:36 [soliton]
one is that the airline does all the work on behalf of the customer
08:11:54 [soliton]
sorry, I mean agent
08:12:24 [soliton]
the other scenario is that the agent does the initial connection, then the
08:12:34 [soliton]
airline talks directly to the customer
08:13:14 [soliton]
but actually, the agent is already a third party to the airline and customer
08:14:38 [soliton]
I guess the issue here is that we should not interface with the business
08:17:05 [GlenD]
There are business problems and technical problems here
08:17:11 [GlenD]
We need to deal in the technical space
08:17:27 [GlenD]
But there are certainly technical ways to help deal with business problems
08:22:06 [GlenD]
"referee" model
08:22:20 [GlenD]
I want to use an agent to talk to third parties for me
08:22:32 [GlenD]
I don't necessarily trust the agent 100%
08:23:06 [shishir]
Not only is it a good way to maintain data integrity, but it also idiot proofs the system to some extent :)
08:23:06 [GlenD]
So I put in a reference to a "referee" (which is hashed/secured) in the request
08:23:21 [GlenD]
All transactions before committing MUST go through the referee
08:23:39 [GlenD]
slows things down, but ensures the "rules" are followed correctly to all parties' satisfaction
08:23:53 [soliton]
maybe we should think hard about what issues are web services specific issues
08:24:13 [omh]
omh has joined #ws-arch2
08:24:18 [GlenD]
Getting a message from one point to another without tampering
08:24:20 [soliton]
actually, the soap extension you mentioned can be one
08:27:27 [GlenD]
To solve these scenarios, we ask:
08:27:39 [GlenD]
1) Do we have existing infrastructure to solve these problems?
08:28:21 [GlenD]
2) What extensions can we add at the WS layer to solve things if not?
08:33:24 [GlenD]
3) Is the problem a technical one or a business one? Where's the line?
08:34:14 [GlenD]
* How do you express required technology and policy statements
08:36:07 [RRSAgent]
08:37:18 [soliton]
08:37:32 [soliton]
RRSAgent, bookmark
08:37:32 [RRSAgent]
08:37:38 [soliton]
RRSAgent, help
09:03:16 [chris]
chris has joined #ws-arch2
09:04:20 [GlenD]
We discussed:
09:04:20 [GlenD]
Scenarios - two, one where the integrity issue is in the arc, and one where it's potentially in a node
09:04:20 [GlenD]
within the graph of interacting parties.
09:04:20 [GlenD]
Difference between business and technical issues
09:04:22 [GlenD]
Using pre-existing technical solutions
09:04:24 [GlenD]
Some solutions are at the infrastructure layer and others need to be layered on top (smooth spectrum)
09:04:29 [GlenD]
Two broad sets of solutions:
09:04:31 [GlenD]
1. involve a third party (notaries and referees)
09:04:33 [GlenD]
2. rely on two-party technical solutions (end to end) (ssl, xml dsig, hashing)
09:04:33 [GlenD]
Agreeing on and descibing policies and technologies to be used
09:05:38 [GlenD]
There may be cases where you need the WHOLE bitstream to be safe, and other cases where it's only particular subsets
09:14:02 [chris]
rrsagent, where am i?
09:14:02 [RRSAgent]
09:38:22 [omh]
omh has left #ws-arch2
12:01:49 [chris]
chris has joined #ws-arch2