W. Carr
Intel Corporation
16 August 2001
Suggested OPES Requirements for Integrity, Privacy and Security
Abstract
Intermediary devices are widely deployed to provide services like caching or
virus checking. OPES is intended to provide a framework to enable pluggable
services in Intermediaries that provide these services.
This framework can also provide greater assurance that Content Provider and
End User expectations about Content Integrity and Privacy are met. This
document proposes a set of Content Integrity, Privacy and Security
requirements for the OPES framework.
1. Introduction
Intermediaries are deployed to help scale the WWW or to add additional
services like virus checking. It is important to ensure Intermediaries
provide their benefits while maintaining end to end Integrity and privacy.
Intermediaries should not provide application level services that are not
requested by either the Content Provider or End User. This document
contains a set of suggested requirements for the OPES framework.
This is a preliminary version aimed at stimulating discussion. This is
likely more than is necessary. Some of this may be redundant, may be too
difficult to design or implement, or may require work that would not fall
under OPES (i.e. could be in W3C's domain).
2. Terminology
OPES Intermediary - An application level web device that is part of a
transaction but is neither the originating or terminating device in a
transaction. In HTTP, this includes proxies, surrogates and other gateways
that are neither End Users or Content Providers
OPES - Open Pluggable Edge Services. OPES is a framework that enables
plugging new services in at Intermediaries. Services are must be authorized
by either Content Provider or End User.
OPES Call Out Service - A service called by an OPES Intermediary to perform
some action on behalf of the Content Provider or End User.
Content Provider - The end points in a transaction that is the originating
source of the Content. It is the end point the End User seeks content from.
End User - The end point in a transaction that requests Content from the
Content Provider.
Content Providers Intermediaries Permissions format - a format used to
describe what activities Intermediaries are permitted to take on behalf of
Content Providers.
End User Intermediaries Permissions format - a format used to describe what
activities Intermediaries are permitted to take on behalf of End Users.
Content Provider Intermediaries Privacy policy format - a format used to
describe privacy requirements aimed at Intermediaries. These requirements
can be more stringent for Intermediaries than end to end W3C P3P privacy
policy for the actions by the Content Provider.
End User Intermediaries Privacy policy format - a format used to describe
privacy requirements aimed at Intermediaries. These requirements can be
more stringent for Intermediaries than end to end W3C P3P privacy policy for
the actions by the Content Provider.
3. OPES Content Integrity Requirements
3.1 OPES Intermediaries must not alter any Content unless expressly
permitted to by the Content Provider or the End User.
3.2 An extensible Content Providers Intermediaries Permissions format for
use by Content Providers must be defined indicating what parts of content
can be modified and what modifications are allowed. This must allow
different permissions for different resources.
3.3 A means for OPES Intermediaries to fetch Content Providers
Intermediaries
Permissions documents must be provided. One means must be inclusion of an
OPES
Intermediaries Permissions document at a well-known place on the Web site
(similar to P3P). Another means for providing Content Providers
Intermediaries Permissions must be to provide a Content Providers
Intermediaries Permissions document directly to an Intermediary as part of
authorization of that Intermediary by the Content Provider. The document
delivered in this way must have an expiration date associated with it.
3.5. If the Content Providers Intermediaries Permissions document requires
identification of Intermediaries in requests, then in the response to OPES
Intermediaries identifying themselves during a request for a resource
(below), a Content Provider must be able to inform an OPES intermediary not
to act on the response.
3.6. An extensible End User Intermediaries Permissions format for use by End
Users must be defined indicating what types of Intermediary activities they
allow. This must allow different permissions for different requests.
3.7. A means to pass End User Intermediaries Permissions to OPES
Intermediaries as part of a resource request must be defined.
3.7. A means for either a Content Provider or End User to indicate
Intermediary activity is limited to passing on the request or response must
be provided.
3.8 A optional means to digitally sign both Content Provider and End User
Intermediaries Permissions must be provided.
4. OPES End to End Data Integrity
The following requirements are not aimed at implementations of
Intermediaries. Rather, they enable Content Providers to take action to
allow End User Agents (or others) to check that content has not being
altered by Intermediaries (or by hackers changing the Web site).
4.1 A format for use at a Web site to associate digital signatures with
parts of content should be designed. This will enable End User agents (or
others) to check content integrity to ensure parts of pages not intended to
be transformed have been left unchanged. W3C Signatures should be used if
practical.
4.2 A means for creating temporary versions of the integrity check format
for dynamically created content should be possible.
4.3 A mechanism should be defined to allow End Users (or others) to retrieve
integrity checking information for resources from a Web Site. One mechanism
for retrieving this information is placement at a well-known place on the
Web site (similar to P3P).
5. OPES Privacy requirements
5.1 OPES Intermediaries must not violate a Web site's W3C P3P policy
applicable to a resource (P3P policy are found at the Content Providers Web
Site).
5.2 Both Users and Content Providers must be able to define additional
privacy
requirements that apply to Intermediaries in an Intermediaries Privacy
policy. P3P describes privacy policy end to end, but a more restrictive
privacy policy may be desirable at Intermediaries. The Intermediaries
Privacy Policy must include the ability to specify what information can be
recorded by Intermediaries and how it is used.
5.3 A mechanism must be established for OPES Intermediaries to access a
Content
Provider's Intermediaries Privacy policy. One method for Content Providers
must be to place an Intermediaries Privacy policy document at a well known
place on their Web site. Another method must be to supply it to the
Intermediary when the Content Provider Authorizes activity by the
Intermediary.
5.4 A mechanism must be established for OPES Intermediaries to receive an
End User's Intermediaries Privacy policy.
5.5 OPES Intermediaries must honor both End User and Content Provider
Intermediaries Privacy policies.
5.6 OPES Intermediaries Privacy policies must be able to specify what
information Intermediaries can or cannot record, including cookies, IP
addresses, HTTP header fields and how they can use that information.
5.7 OPES Intermediaries Privacy policies must be able to specify what
information can or cannot be passed by OPES Intermediaries to OPES callout
services, including cookies, IP addresses, HTTP header fields.
5.8 OPES Intermediaries Privacy policies must be able to specify that OPES
Intermediaries must indicate what information has been recorded. This
information must be passed to the Content Provider on requests (if required
by the Content Provider's Intermediary Privacy policy) and must also be
returned to the End User in responses (default, even when no End User
Intermediaries Privacy Policy is available).
5.9 OPES Intermediaries Privacy policies must be able to specify that OPES
Intermediaries should pass through requests or responses without OPES
callouts.
6. OPES activity reporting requirements
6.1 OPES Intermediaries must announce their presence and identity and the
type of activity they perform either on the request or a response in a way
detectable by Content Providers on requests if that is required in the
Content Providers Intermediaries Permissions document. This requirement
must not limit the ability to use cached resources that are still valid.
6.2 OPES Intermediaries must announce their presence and identity and the
activity they performed in a way detectable by End Users on responses unless
waived in End User Intermediaries Permissions.
6.3 OPES Intermediaries must provide notification to a Content Provider that
a request has been changed if that is required in the Content Providers
Intermediaries Permissions. This notification must include the identity of
the OPES intermediary and what information was altered (header fields,
etc.). The OPES Intermediaries must ensure this information is also included
in the response back to the End User unless the End User Intermediaries
Permissions waives this requirement.
6.4 OPES Intermediaries must provide notification to the End User that a
response has been changed. This notification must include the identity of
the OPES intermediary and what information was altered (header fields, etc.)
unless the End User Intermediaries Permissions waives this requirement.
6.5 OPES Intermediaries must provide notification to the End User that a
response has been filtered to look for particular contents. An indication
must be included that can be used to determine what kind of filtering was
applied in examining content. This could be an URL pointing to a Web page
that describes what the filter looks for. The End User Intermediaries
Permissions must provide a way for the End User to waive this requirement.
7. OPES Intermediaries management security requirements
7.1 There is no requirement to specify how to add or remove an OPES
Intermediary device into the data path. That is determined by OPES product
vendors and their customers.
7.2 A format must be provided to add or remove an OPES callout service in an
OPES Intermediary. This format must include a means to digitally sign the
request. The format must allow inclusion of OPES Intermediary vendor
specific information (that could be necessary for authorization).
7.3 The format for adding services must be able to require a particular
means of secure transmission of data between OPES intermediary and a callout
service.
7.4 OPES product vendors can create their own, possibly proprietary,
mechanisms for how to use the service add/remove format to add new services
to an OPES Intermediary. OPES product vendors also determine how they use
the digital signature in the service add/remove format. There is no
requirement for the initial version of OPES to specify a standard mechanism
for automating adding or removing a callout service in an OPES Intermediary.
7.5 A format must be provided for creating or modifying rules that determine
when callout services are invoked by an Intermediary. Callout services must
never be invoked without this authorization. This format must include a
means to digitally sign the request. This format when used by Content
Providers must include a way to include their OPES Intermediaries
Permissions and OPES Privacy Documents.
7.6 OPES product vendors can create their own mechanisms for specifying what
signatures will be considered authorized for adding or modifying rules for
service invocation. OPES product vendors determine how they use the digital
signature in the service rules modification format. There is no requirement
for the initial version of OPES to specify a standard mechanism.