This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 8273 - All: "Security Considerations" sections vague and misleading
Summary: All: "Security Considerations" sections vague and misleading
Status: CLOSED WONTFIX
Alias: None
Product: WS-Resource Access
Classification: Unclassified
Component: All
Version: LC
Hardware: All
OS: All
Importance: P2 normal
Target Milestone: ---
Assignee: notifications mailing list for WS Resource Access
QA Contact: notifications mailing list for WS Resource Access
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-11-13 06:09 UTC by Gilbert Pilz
Modified: 2015-06-20 16:35 UTC
CC List: 0 users

See Also:


Attachments
from gil (22.61 KB, application/vnd.oasis.opendocument.text)
2010-03-30 20:31 UTC, Doug Davis
from gil (58.83 KB, application/.pdf)
2010-03-30 20:32 UTC, Doug Davis
version 3 of WS-Eventing security section (22.70 KB, application/vnd.oasis.opendocument.text)
2010-04-02 17:37 UTC, Gilbert Pilz
change-bar version 3 of WS-Eventing security section (59.62 KB, application/pdf)
2010-04-02 17:39 UTC, Gilbert Pilz
v1 of WS-Enumeration security section (22.07 KB, application/vnd.oasis.opendocument.text)
2010-04-02 17:39 UTC, Gilbert Pilz
PDF v1 of WS-Enumeration security section (60.79 KB, application/pdf)
2010-04-02 17:40 UTC, Gilbert Pilz

Description Gilbert Pilz 2009-11-13 06:09:37 UTC
WS-Eventing, WS-Transfer, WS-MetadataExchange, and WS-Enumeration each contain a "Security Considerations" section. These sections contain various bits of "pious advice" that have no normative value and little to do with the protocols to which they apply. If you understand the basics of web services security, these sections won't teach you anything new and don't provide any insight into the particular problems of securing their corresponding protocols. For example, the Security Considerations section of WS-Eventing says nothing about making sure that the sender of a Renew, GetStatus, or Unsubscribe request is the same entity as the sender of the Subscribe request that created the subscription that is being acted upon.

Proposal 1: remove the "Security Considerations" sections from WS-Eventing, WS-Transfer, WS-MetadataExchange, and WS-Enumeration.

Proposal 2: rewrite the "Security Considerations" sections from WS-Eventing, WS-Transfer, WS-MetadataExchange, and WS-Enumeration along the following guidelines:

1. Identify the specific resources that need to be protected (e.g. subscriptions, enumeration contexts, etc.)

2. Describe common methods for protecting these resources including, but not limited to, the use of WS-Security and related technologies. Relate these methods to the protocol in question.

3. Identify any special challenges posed to (2) due to the nature of the protocols, etc.
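The check the description says WS-Eventing's Security Considerations omit, as an added example that is not part of this bug report or of the WS-RA specifications: a subscription manager that records the authenticated principal at Subscribe time and honours Renew, GetStatus and Unsubscribe only when they come from that same principal. The `principal` argument is assumed to be the sender identity already established by the transport or WS-Security layer (the example does not parse SOAP or verify signatures), and the class and fault names are hypothetical. It also covers the first guideline of Proposal 2 more generally: the same ownership table works unchanged for WS-Enumeration contexts, which are created, renewed, queried and released in the same pattern.

```python
"""Added example: bind a WS-Eventing subscription to the principal that
created it, so Renew / GetStatus / Unsubscribe from anyone else are refused.

Not code from the WS-RA specifications.  `principal` is assumed to be the
sender identity already authenticated by the transport or WS-Security layer;
the class and fault names here are hypothetical."""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict


class SubscriptionFault(Exception):
    """Single fault for unknown, expired, and foreign-owned subscriptions.

    Returning one indistinguishable fault means a caller who has obtained
    someone else's identifier cannot use the response to confirm it is live."""


@dataclass
class Subscription:
    owner: str          # principal that sent the Subscribe request
    expires_at: float   # absolute time in seconds


class SubscriptionManager:
    def __init__(self, now: Callable[[], float]):
        self._now = now                     # injectable clock
        self._subs: Dict[str, Subscription] = {}

    def subscribe(self, principal: str, lifetime: float) -> str:
        """Subscribe: create a subscription owned by `principal`."""
        if lifetime <= 0:
            raise SubscriptionFault("lifetime must be positive")
        # 128 bits from the CSPRNG: the identifier is the handle to the
        # resource, so it must not be guessable from identifiers the caller
        # already holds.
        sub_id = secrets.token_urlsafe(16)
        self._subs[sub_id] = Subscription(principal, self._now() + lifetime)
        return sub_id

    def _owned(self, principal: str, sub_id: str) -> Subscription:
        """Resolve `sub_id` only if it is live and owned by `principal`."""
        sub = self._subs.get(sub_id)
        if sub is None or sub.expires_at <= self._now():
            self._subs.pop(sub_id, None)    # lazily drop expired entries
            raise SubscriptionFault("invalid subscription")
        if sub.owner != principal:
            # Deliberately the same fault as the unknown/expired case.
            raise SubscriptionFault("invalid subscription")
        return sub

    def renew(self, principal: str, sub_id: str, lifetime: float) -> float:
        """Renew: extend the subscription; returns the new expiry time."""
        if lifetime <= 0:
            raise SubscriptionFault("lifetime must be positive")
        sub = self._owned(principal, sub_id)
        sub.expires_at = self._now() + lifetime
        return sub.expires_at

    def get_status(self, principal: str, sub_id: str) -> float:
        """GetStatus: seconds remaining before expiry."""
        return self._owned(principal, sub_id).expires_at - self._now()

    def unsubscribe(self, principal: str, sub_id: str) -> None:
        """Unsubscribe: only the owner may end the subscription early."""
        self._owned(principal, sub_id)
        del self._subs[sub_id]

    def active_count(self) -> int:
        return sum(1 for s in self._subs.values() if s.expires_at > self._now())


def demo() -> list:
    """Walk through the scenario from the bug description on a fixed clock.
    Returns the list of outcomes so the sequence can be checked."""
    clock = [1000.0]
    mgr = SubscriptionManager(now=lambda: clock[0])
    out = []
    sid = mgr.subscribe("alice", lifetime=60)
    out.append(("alice status", mgr.get_status("alice", sid)))        # 60.0
    # "mallory" holds alice's identifier but is not the subscriber.
    for op in (lambda: mgr.renew("mallory", sid, 3600),
               lambda: mgr.get_status("mallory", sid),
               lambda: mgr.unsubscribe("mallory", sid)):
        try:
            op()
            out.append(("mallory", "allowed"))
        except SubscriptionFault:
            out.append(("mallory", "refused"))
    out.append(("alice renew", mgr.renew("alice", sid, 600)))          # 1600.0
    clock[0] = 1700.0                                                  # past expiry
    try:
        mgr.get_status("alice", sid)
        out.append(("alice after expiry", "allowed"))
    except SubscriptionFault:
        out.append(("alice after expiry", "refused"))
    return out


if __name__ == "__main__":
    for line in demo():
        print(*line)
```

The substance is the `_owned` check: every operation that names an existing subscription resolves it through the owner comparison, and the unknown, expired and wrong-owner cases all produce the same fault so the manager cannot be used as an oracle for which identifiers are live. Binding to an authenticated principal is what makes the identifier more than a bearer token; without it, anyone who observes a subscription identifier on the wire can renew, inspect or cancel the subscription.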
Comment 1 Robert Freund 2009-11-17 10:58:15 UTC
Notes that a security considerations section is required
Comment 2 Doug Davis 2010-03-30 20:31:54 UTC
Created attachment 848
from gil
Comment 3 Doug Davis 2010-03-30 20:32:19 UTC
Created attachment 849
from gil
Comment 4 Gilbert Pilz 2010-04-02 17:37:54 UTC
Created attachment 851
version 3 of WS-Eventing security section

Editorial changes from v2.
Comment 5 Gilbert Pilz 2010-04-02 17:39:01 UTC
Created attachment 852
change-bar version 3 of WS-Eventing security section
Comment 6 Gilbert Pilz 2010-04-02 17:39:35 UTC
Created attachment 853
v1 of WS-Enumeration security section
Comment 7 Gilbert Pilz 2010-04-02 17:40:08 UTC
Created attachment 854
PDF v1 of WS-Enumeration security section
Comment 8 Robert Freund 2010-04-21 12:36:06 UTC
divided into one issue per spec
new issues are
9567 - Eventing
9568 - Enumeration
9569 - Transfer
9570 - Mex
Comment 9 Jackie 2015-06-20 16:34:18 UTC
Please make my changes
Comment 10 Jackie 2015-06-20 16:35:07 UTC
Please make my changes