--- GLUE-2.0-security~ 2008-11-05 10:25:37.000000000 +0100 +++ GLUE-2.0-security 2008-11-20 15:55:44.000000000 +0100 @@ -1,6 +1,7 @@ -This version 0.2: +This version 0.3: v0.1 initial version v0.2 with changes from Maarten. + v0.3 with changes from Stephen. @@ -15,8 +16,9 @@ implementations. Nonetheless, some points are independent of which concrete data model is employed so some discussion is appropriate. -When deploying an information system conforming to GLUE 2.0 conceptual -model, consideration should be given to the points discussed below. +When deploying an information service conforming to the GLUE 2.0 +conceptual model, consideration should be given to the points +discussed below. 9.1 Communication security @@ -42,11 +44,11 @@ 9.1.2 Data integrity. The information within GLUE has many potential uses, from operational -to accounting. How accurate is the information may depend on many -factors, including the software agents that publish data and the -transport used to propagate information. +to accounting. How accurate the information is may depend on many +factors, including the integrity software agents that publish data and +the transport used to propagate information. -The software used to provide an information system may cache GLUE +The software used to provide an information service may cache GLUE information. If so, these caches provide additional points where data integrity may be compromised. @@ -67,7 +69,7 @@ 9.2 Non-repudiation -GLUE conceptual model contains no explicit description of the +The GLUE conceptual model contains no explicit description of the publishing agents that provide GLUE information. This prevents explicitly support for non-repudiation. In many cases a set of publishing agents will provide information for Services in some @@ -92,9 +94,9 @@ 9.3 System security -GLUE conceptual model intended use is to provide an abstract view of a -grid system. There are many processes that may make use of this -information, each may depend on GLUE conceptual model to undertake +The GLUE conceptual model intended use is to provide an abstract view +of a grid system. There are many processes that may make use of this +information, each may depend on the GLUE conceptual model to undertake work. @@ -103,8 +105,8 @@ The GLUE conceptual model has no explicit description of end-users of the schema information and no explicit description of authorized usage. In general, is assumed that any authorization controls for -access to GLUE information is provided by specific concrete bindings -and software implementation. +access to the GLUE information is provided by specific concrete +bindings and software implementation. It may be possible to identify a UserDomain with those agents authorised to use GLUE information and embed authorization information @@ -115,9 +117,9 @@ 9.3.2 Inappropriate Usage The GLUE conceptual model provides no mechanism for describing -appropriate usage. GLUE conceptual model does not include a -data-processing model, so providing a description of inappropriate -usage is considered out-of-scope. +appropriate usage and does not include a data-processing model, so +providing a description of inappropriate usage is considered +out-of-scope. Individual grids may describe what they consider appropriate usage of GLUE information and implement appropriate procedures to ensure this @@ -140,14 +142,19 @@ 9.4.2 Replay -Grid operations may depend on information provided in GLUE conceptual -model. A replay attack would revert part (possible all) of the -information in the conceptual model to some previous state as seen by -some (possible all) end users. +Grid operations may depend on information provided in the GLUE +conceptual model. + +If a system implementing the GLUE 2.0 conceptual model is susceptible +to a replay attack then it is possible for part (possibly all) of the +information in the conceptial model to be reverted to some previous +state as seen by some (possible all) end users. Please note that this +is a specific case of the more general modification attack. A replay attack may result in disrupted service. If security -attributes, such as authorization, are embedded within GLUE conceptual -model then a replay attack may result in inappropriate access to data. +attributes, such as authorization, are embedded within the GLUE +conceptual model then a replay attack may result in inappropriate +access to data. Underlying concrete models and software implementations should prevent replay attacks. @@ -173,7 +180,7 @@ 9.4.4 Deletion -The ability to delete information from an information system could +The ability to delete information from an information service could interfere with normal operations; for example, if Services are removed then activity that would use those services may be affected; if AdminDomains are removed then normal operation procedures may be @@ -188,16 +195,19 @@ 9.4.5 Modification -The ability to modify information is key to providing accurate -information. However, concrete data models and software -implementation should limit agents so their ability to modify -information is limited and appropriate. +The ability for an agent to modify information stored in an +information service is key to providing accurate information. +However, concrete data models and software implementation should place +limits on agents so the agent's ability to modify information is +controlled and appropriate. 9.4.6 Man-in-the-middle. -Man-in-the-middle attacks may allow arbitrary modification of data -within the GLUE conceptual model. This may have severe influence on +For a system implementing the GLUE 2.0 information mode, a successful +man-in-the-middle attack may lead to arbitrary modification of data +(see 9.4.5). It may also allow deleting existing data (see 9.4.4) or +adding additional data (see 9.4.3). This may have severe influence on the systems based on GLUE information. Underlying concrete models and implementing software should understand @@ -211,6 +221,7 @@ operation of systems. Perhaps, the most obvious is to prevent or corrupt the flow of information. -Systems using GLUE conceptual model should understand the risk from -lack of information. Appropriate measures should be taken to ensure -the systems continue to run to the extent possible. +Systems using the GLUE conceptual model should understand the +consequences of a partial or complete lack of information. +Appropriate measures should be taken to ensure the systems continue to +run to the extent possible.