Project: OASIS Open Data Protocol (OData) TC
Issue: ODATA-380

Insert a section in protocol (and similar in JSON and ATOM) named 'Security Considerations' (before 'Conformance')

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: V4.0_CSD01
    • Fix Version/s: V4.0_CSD02
    • Labels: None
    • Environment: [Applied]
    • Proposal:

      Insert a section in protocol (and similar in JSON and ATOM) named "Security Considerations" before the conformance section, with content like:
      """
      The specifications that this work product consists of raise no security issues.

      This section is provided as a service to the application developers, information providers, and users of Open Data version 4.0, giving some references to starting points for securing the Open Data services as specified. Open Data is a RESTful multi-format service that depends on other services and thus inherits both sides of the coin, security enhancements and concerns alike, from the latter.

      For HTTP-relevant security implications, please cf. the relevant sections of [[RFC2616]] (15. Security Considerations) and, for the HTTP PATCH method, [[RFC5789]] (5. Security Considerations) as starting points.
      """

      The last paragraph for ATOM Format work product:

      """
      For ATOM-relevant security implications, please cf. the relevant sections of [[RFC4287]] (8. Security Considerations), [[RFC5023]] (15. Security Considerations) and, for the deleted-entry element, [[RFC6721]] (7. Security Considerations) as starting points.
      """

      Whereas the last paragraph in that section for JSON Format should read:

      """
      For JSON-relevant security implications, please cf. at least the relevant subsections of [[RFC4627]] (hidden inside 6. IANA Considerations) as a starting point.
      """

      Accepted: https://www.oasis-open.org/committees/download.php/49212/odata-meeting-37_on-20130516-minutes.html#odata-380

    • Resolution:
      https://www.oasis-open.org/committees/download.php/49275/odata-v4.0-wd02-part1-protocol-2013-05-21.docx
      https://www.oasis-open.org/committees/download.php/49273/odata-atom-format-v4.0-wd02-2013-05-21.docx
      https://www.oasis-open.org/committees/download.php/49274/odata-json-format-v4.0-wd02-2013-05-21.docx
      Accepted: https://www.oasis-open.org/committees/download.php/49557/odata-meeting-41_on-20130613_14-F2F-minutes.html#odata-380

      Description

      We have some spurious overlaps with security considerations but are remarkably silent about it as a whole, when considering that we suggest opening up the silos of data. Although we rely on other protocols that handle transport and security, we should follow the role model of IETF in enforcing a security considerations section in each I-D. It should be quite cheap as we can refer to the security considerations of the underlying protocols (HTTP has some elaborate subsections on this).
      This started from discussions and comments on ODATA-301 but to the reporter also seems like a very natural, reasonable and "expected" thing to be provided by the TC and inside the work products.

    People

    • Assignee: sdrees Stefan Hagen
    • Reporter: sdrees Stefan Hagen