ietf-openproxy

some possible requirements regarding content integrity, privacy, etc

2001-08-15 16:15:28
Attached are some preliminary ideas on what may be useful requirements
related to data integrity and privacy in OPES.  It's a first draft just to
stimulate ideas.  I've tried to include everything I could think of rather
than trying to pick a manageable subset.

 <<opessecreq20010815.html>> 


Note: this is a preliminary version aimed at stimulating discussion. This is likely more than is necessary. I listed everything that I thought of. Some of this may be redundant, may be too difficult to design or implement, or may require work that would not fall under OPES.
14-Aug-2001

Suggested OPES Requirements for Integrity, Privacy and Security

OPES content integrity requirements

  1. OPES Intermediaries must not alter any Content unless expressly permitted to by the Content Provider or the End User.
  2. An extensible Content Providers Intermediaries Permissions format for use by Content Providers must be defined indicating what parts of content can be modified and what modifications are allowed. This must allow different permissions for different resources.
  3. A means for OPES Intermediaries to fetch Content Providers Intermediaries Permissions documents must be provided. One means must be inclusion of an OPES Intermediaries Permissions document at a well known place on the Web site (similar to P3P).
  4. In response to OPES Intermediaries identifying themselves during a request for a resource (below), a Content Provider must be able to inform an OPES intermediary not to act on the response.
  5. An extensible End User Intermediaries Permissions format for use by End Users must be defined indicating what types of Intermediary activities they allow. This must allow different permissions for different requests.
  6. A means to pass End User Intermediaries Permissions to OPES Intermediaries as part of a resource request must be defined.
  7. A means for either a Content Provider or End User to indicate Intermediary activity is limited to passing on the request or response must be provided.
  8. A means to digitally sign both Content Provider and End User Intermediaries Permissions must be provided.

OPES End to End data integrity

The following requirements are not aimed at implementations of Intermediaries. Rather, they enable Content Providers to take action to allow End User Agents (or others) to check that content has not been altered by Intermediaries (or by hackers changing the Web site).

  1. A format for use at a Web site to associate digital signatures with parts of content should be designed. This will enable End User agents (or others) to check content integrity to ensure that parts of pages not intended to be transformed have been left unchanged. W3C Signatures is designed for this type of format.
  2. A means for creating temporary versions of the integrity check format for dynamically created content should be possible.
  3. A mechanism should be defined to allow End Users (or others) to retrieve integrity checking information for resources from a Web Site. One mechanism for retrieving this information is placement at a well known place on the Web site (similar to P3P).
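The two mechanisms above (a Content Provider permissions document saying which parts may be transformed, and a per-part integrity manifest so an End User agent can detect changes to the rest) worked through as an added example; this is not code from the original post and the part/permission format is hypothetical. HMAC with a shared key stands in for the public-key signature the requirements call for, purely to keep the example standard-library-only.

```python
import hashlib
import hmac

# Constructed sample page split into named parts, and a hypothetical
# permissions document (the requirements ask for such a format but do not
# define one) naming the parts an intermediary may transform.
PARTS = {
    "headline": "<h1>Quarterly results</h1>",
    "body": "<p>Revenue rose 4% year over year.</p>",
    "ad-slot": "<div>[generic ad]</div>",
}
PERMISSIONS = {"modifiable": ["ad-slot"]}

# Stand-in for the provider's signing key. HMAC is used here only to keep the
# example standard-library-only; a real deployment would use a public-key
# signature (e.g. XML Signature) so End Users can verify without a shared key.
PROVIDER_KEY = b"constructed-demo-key"

def sign_parts(parts, permissions, key):
    """Build an integrity manifest: a tag for every part NOT open to modification."""
    return {
        name: hmac.new(key, content.encode(), hashlib.sha256).hexdigest()
        for name, content in parts.items()
        if name not in permissions["modifiable"]
    }

def verify_parts(parts, manifest, key):
    """Return the protected parts whose content no longer matches the manifest.
    A missing part is treated as altered."""
    tampered = []
    for name, expected in manifest.items():
        tag = hmac.new(key, parts.get(name, "").encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            tampered.append(name)
    return tampered

def intermediary_transform(parts, permissions, edits):
    """Apply only the edits the permissions document allows; list the refused ones."""
    out = dict(parts)
    refused = []
    for name, new_content in edits.items():
        if name in permissions["modifiable"]:
            out[name] = new_content
        else:
            refused.append(name)
    return out, refused
```

A well-behaved intermediary's output still verifies clean; an edit to a protected part, or its removal, is reported by name.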

OPES privacy requirements

  1. OPES Intermediaries must not violate a Web site's W3C P3P policy applicable to a resource (P3P policies are found at the Content Provider's Web site).
  2. Both Users and Content Providers must be able to define additional privacy requirements that apply to Intermediaries in an Intermediaries Privacy policy. P3P describes privacy policy end to end, but a more restrictive privacy policy may be desirable at Intermediaries. The Intermediaries Privacy Policy must include the ability to specify what information can be recorded by Intermediaries and how it is used (similar to P3P).
  3. A mechanism must be established for OPES Intermediaries to access a Content Provider's Intermediaries Privacy policy. One method for Content Providers must be to place an Intermediaries Privacy policy document at a well known place on their Web site.
  4. A mechanism must be established for OPES Intermediaries to receive an End User's Intermediaries Privacy policy.
  5. OPES Intermediaries must honor both End User and Content Provider Intermediaries Privacy policies.
  6. OPES Intermediaries Privacy policies must be able to specify what information Intermediaries can or cannot record, including cookies, IP addresses, HTTP header fields and how they can use that information.
  7. OPES Intermediaries Privacy policies must be able to specify what information can or cannot be passed by OPES Intermediaries to OPES callout services, including cookies, IP addresses, HTTP header fields.
  8. OPES Intermediaries Privacy policies must be able to specify that OPES Intermediaries must indicate what information has been recorded. This information must be passed to the Content Provider on requests and must also be returned to the End User in responses.
  9. OPES Privacy policies must be able to specify that OPES Intermediaries should pass through requests or responses without OPES callouts.

OPES activity reporting requirements

  1. OPES Intermediaries must announce their presence, their identity and the type of activity they perform (on the request or the response) in a way detectable by Content Providers on requests.
  2. OPES Intermediaries must announce their presence and identity and the activity they performed in a way detectable by End Users on responses.
  3. OPES Intermediaries must provide notification to a Content Provider that a request has been changed. This notification must include the identity of the OPES intermediary and what information was altered (header fields, etc.). The OPES Intermediaries must ensure this information is also included in the response back to the End User.
  4. OPES Intermediaries must provide notification to the End User that a response has been changed. This notification must include the identity of the OPES intermediary and what information was altered (header fields, etc.).
  5. OPES Intermediaries must provide notification to the End User that a response has been filtered to look for particular contents. An indication must be included that can be used to determine what kind of filtering was applied in examining content. This could be a URL pointing to a Web page that describes what the filter looks for.
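The privacy requirements (what an intermediary may record, what it may pass to a callout, and pass-through without callouts) and the reporting requirements (announcing identity, activity and what was recorded) on a sample request, as an added example that is not part of the original post. The policy format, the header names and the request are all constructed for illustration; OPES defines none of them here.

```python
# Constructed request headers as seen by an OPES intermediary.
REQUEST = {
    "Host": "www.example.com",
    "Cookie": "session=abc123",
    "User-Agent": "ExampleBrowser/1.0",
    "Accept-Language": "en",
    "X-Forwarded-For": "192.0.2.10",
}
# Hypothetical Intermediaries Privacy policy: the requirements call for one
# but fix no format. "record" lists what may be logged, "callout" what may be
# passed to a callout service, and "passthrough" forces the request on
# without any callouts at all.
POLICY = {
    "record": ["Host", "Accept-Language"],
    "callout": ["Host", "User-Agent", "Accept-Language"],
    "passthrough": False,
}
INTERMEDIARY_ID = "opes-proxy.example.net"  # constructed identity

def _keep(headers, allowed):
    return {k: v for k, v in headers.items() if k in allowed}

def recordable(headers, policy):
    """The subset of the request the intermediary may write to its logs."""
    return _keep(headers, policy["record"])

def callout_view(headers, policy):
    """What a callout service may see, or None when the policy says pass through."""
    if policy.get("passthrough"):
        return None
    return _keep(headers, policy["callout"])

def announce(headers, policy, activity):
    """Add the announcement the reporting requirements ask for: identity,
    activity performed, and which fields were recorded. Header names are
    hypothetical placeholders."""
    out = dict(headers)
    out["OPES-Intermediary"] = f"{INTERMEDIARY_ID}; activity={activity}"
    out["OPES-Recorded"] = ",".join(sorted(recordable(headers, policy)))
    return out
```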

OPES Intermediaries management security requirements

  1. There is no requirement to specify how to add or remove an OPES Intermediary device into the data path. That is determined by OPES product vendors and their customers.
  2. A format must be provided to add or remove an OPES callout service in an OPES Intermediary. This format must include a means to digitally sign the request. The format must allow inclusion of OPES Intermediary vendor specific information.
  3. The format for adding services must be able to require a particular means of secure transmission of data between OPES intermediary and a callout service.
  4. OPES product vendors can create their own, possibly proprietary mechanisms for how to use the service add/remove format to add new services to an OPES Intermediary. OPES product vendors also determine how they use the digital signature in the service add/remove format. There is no requirement for the initial version of OPES to specify a standard mechanism for automating adding or removing a callout service in an OPES Intermediary.
  5. A format must be provided for creating or modifying rules that determine when callout services are invoked by an Intermediary. This format must include a means to digitally sign the request.
  6. OPES product vendors can create their own mechanisms for specifying what signatures will be considered authorized for adding or modifying rules for service invocation. OPES product vendors determine how they use the digital signature in the service rules modification format. There is no requirement for the initial version of OPES to specify a standard mechanism.
  • some possible requirements regarding content integrity, privacy, etc, Carr, Wayne