[Bug 9570] New: MEX: "Security Considerations" sections vague and misleading

http://www.w3.org/Bugs/Public/show_bug.cgi?id=9570

           Summary: MEX: "Security Considerations" sections vague and
                    misleading
           Product: WS-Resource Access
           Version: LC
          Platform: PC
        OS/Version: All
            Status: ASSIGNED
          Severity: normal
          Priority: P2
         Component: MetadataExchange
        AssignedTo: gilbert.pilz@oracle.com
        ReportedBy: bob@freunds.com
         QAContact: public-ws-resource-access-notifications@w3.org


WS-Eventing, WS-Transfer, WS-MetadataExchange, and WS-Enumeration each contain
a "Security Considerations" section. These sections contain various bits of
"pious advice" that have no normative value and little to do with the protocols
to which they apply. If you understand the basics of web services security,
these sections won't teach you anything new and don't provide any insight into
the particular problems of securing their corresponding protocols. For example,
the Security Considerations section of WS-Eventing says nothing about making
sure that the sender of a Renew, GetStatus, or Unsubscribe request is the same
entity as the sender of the Subscribe request that created the subscription
that is being acted upon.

Proposal 1: remove the "Security Considerations" sections from WS-Eventing,
WS-Transfer, WS-MetadataExchange, and WS-Enumeration.

Proposal 2: rewrite the "Security Considerations" sections from WS-Eventing,
WS-Transfer, WS-MetadataExchange, and WS-Enumeration along the following
guidelines:

1. Identify the specific resources that need to be protected (e.g.
subscriptions, enumeration contexts, etc.)

2. Describe common methods for protecting these resources including, but not
limited to, the use of WS-Security and related technologies. Relate these
methods to the protocol in question.

3. Identify any special challenges posed to (2) due to the nature of the
protocols, etc.

-- 
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.

Received on Wednesday, 21 April 2010 12:28:55 UTC