IRC log of ws-arch2 on 2002-06-14

Timestamps are in UTC.

07:20:40 [RRSAgent]

RRSAgent has joined #ws-arch2

07:21:33 [GlenD]

GlenD has joined #ws-arch2

07:23:16 [soliton]

soliton has joined #ws-arch2

07:23:39 [omh]

omh has joined #ws-arch2

07:24:16 [shishir]

shishir has joined #ws-arch2

07:26:32 [soliton]

what are our topics?

07:26:41 [GlenD]

Integrity

07:32:21 [joe]

joe has joined #WS-ARCH2

07:32:39 [shishir]

work in subgroups on <http://www.w3.org/2002/06/ws-example.html>

07:32:53 [chris]

http://www.w3.org/2002/ws/arch/2/06/wd-wsa-gloss-20020605.html

07:33:17 [GlenD]

That's the glossary w/definiton of "integrity" we're using

07:34:08 [GlenD]

1. Hop to hop

07:34:11 [GlenD]

2. End to end

07:35:57 [GlenD]

Posit that we have nodes and arcs - each interation is two nodes across a single arc

07:36:14 [GlenD]

"end to end" service integrity is about securing the arcs

07:36:22 [GlenD]

consider that first

07:36:35 [GlenD]

Then get into the fact that the nodes must be considered as well

07:37:48 [GlenD]

SERVICE TO SERVICE INTEGRITY

07:37:51 [GlenD]

--

07:38:03 [soliton]

we can consider a public-witness model for integrity

07:41:11 [soliton]

are we trying to offer solution here or just locate the problems?

07:42:00 [soliton]

I guess we can classify into: a) one to one 2) one to many

07:42:10 [GlenD]

Where are places in the use-case that bring in integrity issues?

07:42:59 [omh]

omh has joined #ws-arch2

07:43:01 [soliton]

first of all, we need data normalization

07:43:12 [GlenD]

1. Travel agent books flight - make sure that the correct flight gets booked

07:46:10 [GlenD]

Travel agent needs complete view of data

07:46:17 [GlenD]

other parties need their own views

07:46:25 [soliton]

ok, data normalization model can be in next phase

07:46:40 [GlenD]

First approx - "bits originated at point A must be reproduced at point B exactly"

07:46:56 [soliton]

different views can be classified into access control

07:47:02 [soliton]

are we doing access control?

07:47:18 [omh]

don' think so...

07:47:43 [GlenD]

SCENARIO : Evil Intermediary Changes Flight Times

07:48:05 [GlenD]

Travel agent sends "book a Saturday 1PM flight" to airline A

07:48:20 [GlenD]

Evil intermediary changes doc en route to say "Sunday 4AM flight"

07:48:49 [GlenD]

(could easily see your own biz doing this to ensure saturday night stays....)

07:49:06 [GlenD]

Airline A is able to see that the data was tampered with and fails

07:49:17 [GlenD]

(perhaps alerting the net.cops)

07:49:52 [GlenD]

</SCENARIO>

07:50:21 [soliton]

well, public key-private key solution will do

07:50:41 [GlenD]

OK, so we must have a trusted keystore

07:51:22 [soliton]

symmetry key solution also works, although

07:51:36 [GlenD]

symmetry key == secure channel?

07:51:45 [soliton]

very much

07:51:56 [GlenD]

So if I trust the pipe, I trust the integrity of the data that passes over it

07:52:13 [GlenD]

So there are two levels here - channel security and message security

07:52:13 [soliton]

pre-arranged shared key

07:52:22 [GlenD]

If I have a trusted channel, I'm ok

07:52:32 [GlenD]

If not, I have to trust each message individually

07:53:05 [GlenD]

So this doesn't require particularly web-service-specific technology

07:57:16 [soliton]

the web services specific issues would be to estabilish the

07:57:22 [soliton]

trust between services

07:58:59 [GlenD]

Joe describes the fact that integrity via hash comparisions != encryption

07:59:06 [GlenD]

Therefore we can separate the issues

07:59:34 [GlenD]

Therefore in this case "trusted channel" == channel which periodically hashes the data and allows both ends to check integrity

07:59:42 [soliton]

but you still need to way to pass the hash

07:59:51 [GlenD]

yup

08:00:48 [soliton]

question is, would ssl be sufficient?

08:01:06 [GlenD]

yup

08:01:10 [soliton]

since ssl is already a web facility

08:01:46 [soliton]

so our mission is to ensure web services does not violate ssl

08:02:39 [joe]

The hash is embedded in the data packet.

08:03:25 [soliton]

can anyone post of url of the svg?

08:04:17 [GlenD]

<SCENARIO name="Evil Travel Agent">

08:04:42 [GlenD]

Customer sends travel agent some information about flights/times/etc

08:05:25 [GlenD]

Travel agent, either intentionally (evil) or not (mistake) alters the info

08:05:34 [GlenD]

Then they pass it on to an airline or hotel

08:05:53 [GlenD]

</SCENARIO>

08:06:40 [soliton]

this looks like business

08:06:57 [soliton]

since the travel agent is trusted service

08:07:10 [soliton]

it has to be responsible for its own actions

08:07:29 [GlenD]

Well, yes, but your third-party suggestion from before would work

08:07:44 [GlenD]

I.e. both customer and airline/hotel notarize the data

08:07:58 [GlenD]

So there's another channel (not via the TA) for confirmation

08:08:10 [GlenD]

Can we do it without the third party?

08:08:10 [soliton]

but the airline needs to know where the end customers are

08:10:05 [omh]

does this mean the location of the customer or the identity of the customer?

08:10:31 [soliton]

the public signature of the customer

08:10:56 [soliton]

or the airline needs to share a secure channel to the customer as well

08:11:12 [omh]

yep thats what I thought..

08:11:19 [soliton]

I guess there are two scenarios here

08:11:36 [soliton]

one is that the airline does all the work on behalf of the customer

08:11:54 [soliton]

sorry, I mean agent

08:12:24 [soliton]

the other scenario is that the agent does the initial connection, then the

08:12:34 [soliton]

airline talks directly to the customer

08:13:14 [soliton]

but actually, the agent is already a third party to the airline and customer

08:14:38 [soliton]

I guess the issue here is that we should not interface with the business

08:17:05 [GlenD]

There are business problems and technical problems here

08:17:11 [GlenD]

We need to deal in the technical space

08:17:27 [GlenD]

But there are certainly technical ways to help deal with business problems

08:22:06 [GlenD]

"referee" model

08:22:20 [GlenD]

I want to use an agent to talk to third parties for me

08:22:32 [GlenD]

I don't necessarily trust the agent 100%

08:23:06 [shishir]

Not only is it a good way to maintain data integrity, but it also idiot proofs the system to some extent :)

08:23:06 [GlenD]

So I put in a reference to a "referee" (which is hashed/secured) in the request

08:23:21 [GlenD]

All transactions before committing MUST go through the referee

08:23:39 [GlenD]

slows things down, but ensures the "rules" are followed correctly to all parties' satisfaction

08:23:53 [soliton]

maybe we should think hard about what issues are web services specific issues

08:24:13 [omh]

omh has joined #ws-arch2

08:24:18 [GlenD]

Getting a message from one point to another without tampering

08:24:20 [soliton]

actually, the soap extension you mentioned can be one

08:27:27 [GlenD]

To solve these scenarios, we ask:

08:27:39 [GlenD]

1) Do we have existing infrastructure to solve these problems?

08:28:21 [GlenD]

2) What extensions can we add at the WS layer to solve things if not?

08:33:24 [GlenD]

3) Is the problem a technical one or a business one? Where's the line?

08:34:14 [GlenD]

* How do you express required technology and policy statements

08:36:07 [RRSAgent]

See http://www.w3.org/2002/06/14-ws-arch2-irc#T08-34-14

08:37:18 [soliton]

bookmark

08:37:32 [soliton]

RRSAgent, bookmark

08:37:32 [RRSAgent]

See http://www.w3.org/2002/06/14-ws-arch2-irc#T08-37-32

08:37:38 [soliton]

RRSAgent, help

09:03:16 [chris]

chris has joined #ws-arch2

09:04:20 [GlenD]

We discussed:

09:04:20 [GlenD]

Scenarios - two, one where the integrity issue is in the arc, and one where it's potentially in a node

09:04:20 [GlenD]

within the graph of interacting parties.

09:04:20 [GlenD]

Difference between business and technical issues

09:04:22 [GlenD]

Using pre-existing technical solutions

09:04:24 [GlenD]

Some solutions are at the infrastructure layer and others need to be layered on top (smooth spectrum)

09:04:29 [GlenD]

Two broad sets of solutions:

09:04:31 [GlenD]

1. involve a third party (notaries and referees)

09:04:33 [GlenD]

2. rely on two-party technical solutions (end to end) (ssl, xml dsig, hashing)

09:04:33 [GlenD]

Agreeing on and descibing policies and technologies to be used

09:05:38 [GlenD]

There may be cases where you need the WHOLE bitstream to be safe, and other cases where it's only particular subsets

09:14:02 [chris]

rrsagent, where am i?

09:14:02 [RRSAgent]

See http://www.w3.org/2002/06/14-ws-arch2-irc#T09-14-02

09:38:22 [omh]

omh has left #ws-arch2

12:01:49 [chris]

chris has joined #ws-arch2