AW: [smila-dev] Smila Security Concept

Hi Leo,

first, thank you for your valuable input!

> Generally, I see that the security considerations should be taken more
> deeply,
> for example by looking into the dark cave of SASL/LDAP/Kerberos for
> wisdom about authentication,
> but for storing user identification and group identification of
> indexed content, I see a complex thing coming up.
As Daniel stated right at the beginning of the description section, this
specification considers only the authorization aspect of the security.
The authentication aspect will be covered in another specification. Our
colleagues from brox have already been working on this and the single
sign-on (SSO) topic and will soon publish their work so that we have the
complete coverage of security in SMILA.


> Also, storing these sensible information into normal attributes makes
> it open for easier hacking,
> I wonder if some fields should be in protected areas of records.
I understand your concerns, but this problem is not limited to a
document's security information; it also applies to its content and metadata.
What you are talking about is something that I would call the "general
data encryption" issue. In other words: The encryption of all
information (access rights, metadata and the content) that flows
throughout SMILA and is being persisted in storages. This case is
relevant if you do not trust the network that connects SMILA nodes
and/or you do not want the SMILA administrator to be able to read/modify
any data.
Currently we haven't posed such a requirement on SMILA, but if you think
that this might be relevant in your SMILA-based projects, please feel
free to open a new Wiki page and address this issue and let us discuss
it.


Best Regards
Igor

