CORBASEC Frequently Asked Questions
Contents
1. Disclaimer and Copyright, Copying, and Other Information
   1.1 Disclaimer
   1.2 Copyright Policy
   1.3 Who sponsors the FAQ?

2. About this FAQ
   2.1 Why was this FAQ created?
   2.2 Notations
   2.3 Who should read it?
   2.4 How should I read this FAQ?
   2.5 Where can I get the most recent copy of this FAQ?
   2.6 I could not find an answer to my question here; where else can I ask my question?
   2.7 Are there any newsgroups or mailing lists about CORBASEC that I can join?
   2.8 Who is maintaining this FAQ?
   2.9 What is SecSIG?
   2.10 What is the secsig@omg.org mailing list for?
   2.11 What is SecRTF?
   2.12 I found a mistake in this FAQ; where can I submit it?
   2.13 How can I contribute to this FAQ?
   2.14 Who contributed to this FAQ?
   2.15 Wish list

3. General Questions
   3.1 What's "CORBA Security Service"?
   3.2 What's "CORBASEC"?
   3.3 What's the difference between "CORBA Security Service" and "CORBASEC"?
   3.4 What's CORBA?
   3.5 Where can I find more about CORBA?
   3.6 Where can I find more about CORBASEC?
   3.7 What books describe or review CORBASEC, and in what detail?
       3.7.1 "Instant CORBA"
   3.8 What magazine publications describe, review, compare, or critique CORBASEC?
   3.9 Are there any papers or articles that compare CORBA security with the security of other distributed object computing frameworks such as Java RMI or DCOM?
   3.10 Where can I get a tutorial about CORBASEC?
   3.11 What papers about CORBASEC and related issues are out there?
   3.12 Is there any group or lab doing research on the CORBA security service?

4. CORBASEC specification
   4.1 General
       4.1.1 Where can I get the official specification of CORBASEC?
       4.1.2 Where can I get IDL code of CORBASEC interfaces?
       4.1.3 What is the current version of the CORBASEC official specification?
       4.1.4 Are there any upcoming updates of the specification?
       4.1.5 Who is responsible for producing specification updates?
       4.1.6 Are there any upcoming new releases of the specifications?
       4.1.7 Who is responsible for producing new specification releases?
       4.1.8 Where can I find a list of outstanding issues in the CORBASEC specification?
       4.1.9 I found a typo in the specification; where can I submit it?
       4.1.10 Is there a set of UML diagrams for the CORBASEC Specification?
       4.1.11 I found an error in the specification; where can I submit it?
       4.1.12 I have an idea how to "improve" the specification; where can I propose it?
       4.1.13 What are the shortcomings of the CORBA Security service?
       4.1.14 Is it completely true that the CORBA Security service is a direct lift of DCE Security?
       4.1.15 What is a "Principal", and what is meant by "Principal authentication"?
       4.1.16 What are credentials?
       4.1.17 How are attributes used?
       4.1.18 What does it mean to be conformant to the CORBA Security specification?
       4.1.19 What about conformance to the Common Secure Interoperability specification?
       4.1.20 What are the protocols used by CSI?
       4.1.21 What about CSI with SSL?
       4.1.22 What is a "Session"?
       4.1.23 How does a security context get established between client and server?
       4.1.24 Is there somewhere a description of the context management?
       4.1.25 What is the validity of a context?
       4.1.26 Does a new context for a target have to be established if a client is accessing a new target on the same server?
       4.1.27 Will the current context be valid for all requests of the client (and all replies of the server) until the client decides that the context is not valid anymore?
       4.1.28 Which instance manages the contexts?
       4.1.29 Which instance decides that now the "Session" is over and the context can be deleted?
       4.1.30 Are there any interfaces specified in CORBASEC for controlling the security context by security-aware applications?
       4.1.31 How is access controlled?
       4.1.32 How are privacy and non-repudiation addressed by CORBASEC?
   4.2 Application developer
       4.2.1 How does CORBA security affect application writers?
       4.2.2 Do we need to pass the UserId as a parameter, or is there some other way of getting it?
       4.2.3 How would one incorporate security into an ORB system in the next 6 months, so that the solution would not be obsoleted in the following 6?
       4.2.4 Does CORBA security guarantee that the request and reply are not tampered with and not intercepted on their way between the client and the target?
       4.2.5 Is it necessary to secure the naming service?
       4.2.6 How do I come up with an application security design using the CORBA Security service?
       4.2.7 How does a security-aware application specify the use of specific algorithms for supporting communication confidentiality and integrity?
       4.2.8 What is available in CORBASEC for strong (writer-to-reader) authentication?
   4.3 Administrator
       4.3.1 What are the semantic connotations for rights in the CORBA rights family?
       4.3.2 How do I use the access control mechanism?
       4.3.3 Do I have to "protect" every object, even those which are not thought to be used from outside?
       4.3.4 How is this related to work at OMG on Security Administration and Common Management Facilities?
       4.3.5 What is the granularity of access control on object invocations?
       4.3.6 Where are access control lists stored?
       4.3.7 How do servers "know" what domain to put new objects into and when to create new security policy domains?
       4.3.8 What about transient objects created by factories?
       4.3.9 How would access control mechanisms be applied to secure, let's say, the naming service?
   4.4 Implementor
       4.4.1 Where can I find some source code that implements the Security Service?
       4.4.2 Is there any document on how to implement the CORBA security service?
       4.4.3 If I want to implement the CORBA security service, what should I do?
       4.4.4 What is the intent of the credentials object design?
       4.4.5 Does the existing Authorization Service of CORBASec scale in a "well" distributed-object environment?
       4.4.6 Can a client implementation circumvent administrative security policies?
       4.4.7 What is the "public" security attribute of a principal?
       4.4.8 Under what circumstances do Credentials contain the "public" attribute?
       4.4.9 What is the value and the defining authority of the "public" attribute?

5. CORBASEC implementations
   5.1 General
       5.1.1 Where can I find an implementation of Security Services?
       5.1.2 Where can I find exactly what product implements what Security level and options?
       5.1.3 What ORBs claim to have "security" functionality?
       5.1.4 Does anyone know of a product that is IIOP compliant and provides CORBA security service level 1?
       5.1.5 Is there any free/trial/evaluation version of an ORB with Security Service for Java?
       5.1.6 What would be the most suitable ORB product(s) when building a (very) small lab for evaluating, testing and implementing security functions in a CORBA system?
       5.1.7 Are CORBAsec implementations from the US generally subjected to export control?
   5.2 Particular Implementations
       5.2.1 DAIS Security
           5.2.1.1 What is DAIS Security?
           5.2.1.2 What is the current version of DAIS Security?
           5.2.1.3 What is the current status of DAIS Security?
           5.2.1.4 Does DAIS conform to the CORBASEC specifications?
           5.2.1.5 Why did ICL choose the CSI-ECMA security mechanism in its DAIS Security implementation?
           5.2.1.6 What features does DAIS Security offer?
           5.2.1.7 What is the advantage of using roles in DAIS Security?
           5.2.1.8 What are the advantages (and disadvantages) of using public key technology in DAIS Security?
           5.2.1.9 What are the advantages (and disadvantages) of using secret key technology (passwords) in DAIS Security?
           5.2.1.10 Why have domains in DAIS Security?
           5.2.1.11 Why policy domains?
           5.2.1.12 Where can I find more information on DAIS Security?
       5.2.2 OrbixSecurity
           5.2.2.1 What is the conformance level of OrbixSecurity?
           5.2.2.2 Where do I start from in order to use OrbixSecurity?
           5.2.2.3 What DCE components are required to use OrbixSecurity?
           5.2.2.4 Can a user on a remote machine still run the server and call its methods if he or she deliberately changes their username on the remote machine to match the registered users list?
           5.2.2.5 What authentication process is used in OrbixSecurity?
           5.2.2.6 How does OrbixSecurity work, and which components of DCE need to be installed, and how?
           5.2.2.7 Can we use Orbix security to provide access control at the object instance level?
           5.2.2.8 Authentication Security Exception
   5.3 VisiBroker
       5.3.1 Does anyone have experience implementing system access control and a security service using VisiBroker for Java?
   5.4 omniORB
       5.4.1 Is there a security service supported by omniORB, and if not, are there any plans to create one?
   5.5 Intraverse
       5.5.1 Has anybody integrated DASCOM's Intraverse and Entrust (PKI), and Iona's OrbixWeb?

6. Applying CORBASEC
   6.1 How do I secure a Naming Service?
   6.2 How can security-aware applications apply confidentiality and integrity to data (e.g. electronic documents)?
   6.3 Is it possible to specify the data to be protected as a parameter to the interface, or as a data protection service?

7. Related Security Technologies
   7.1 SESAME
       7.1.1 What is SESAME?
       7.1.2 How does SESAME work?
       7.1.3 How does SESAME relate to Kerberos?
       7.1.4 How does SESAME relate to the CORBA Security service?
       7.1.5 How do I find more information about SESAME?
       7.1.6 How do I get the SESAME API?
   7.2 GSS-API
       7.2.1 What is GSS-API?
       7.2.2 How do I get the GSS-API?
   7.3 Kerberos
   7.4 DCE Security
   7.5 SSL
       7.5.1 Where can I find more about SSL?
       7.5.2 Has the OMG specified SSL in any standard yet?
       7.5.3 Where can I find the specification of IIOP over SSL?
       7.5.4 Does anybody know an ORB vendor who provides SSL functionality with their product?
       7.5.5 Is there a free implementation of a CORBA SSL service that will work with VisiBroker 3.* for Java?
       7.5.6 If I use the naming service and VisiBroker, can I incorporate SSL into the system?
       7.5.7 How easy is it to use the VisiBroker SSL pack with a Java application, for the developer as well as the user?
       7.5.8 Is there an additional client-side piece that must be installed in order to use the VisiBroker SSL pack with a Java application?
       7.5.9 Between what parties does authentication happen when the client and the server communicate over SSL via VisiBroker's Gatekeeper?
       7.5.10 Do any third-party companies have SSL security systems that can be incorporated into either Orbix or VisiBroker?
       7.5.11 Does SSL raise any firewall problems when accessing from the outside Internet?
       7.5.12 Do SSL security implementations with CORBA solve or change the problem of securely linking an object reference to the principal that it represents?
       7.5.13 What SSL implementations are known to [not] interoperate?
       7.5.14 Does the SSL certificate certify the server or the object?
       7.5.15 What is the normal way of asserting that unauthorized clients cannot connect to an object that an authenticated client is using?