RFC-326: Require https: as default for all public Web services

Details

    • RFC
    • Status: Implemented
    • Resolution: Done
    • DM

    Description

      We have not yet adopted an implementation standard for the range of Web services that the project will offer.

      This RFC recommends that DM adopt a policy that, in the absence of a specific technical justification and acceptance by the LSST ISO (at least), all Web services exposed to users and the public Internet should be https: services.

      By way of example, this would by default include the DAX VO and other LSST-specific REST services, the SUIT "Portal aspect" Web pages and associated Web APIs, and the "Notebook aspect" JupyterHub/JupyterLab services.

      The expectation that the LSR and OSS requirements to implement data access policies limiting data access to identified rights holders will require all, or nearly all, data access to be authenticated provides a strong technical justification for this policy (though this is not precisely mandatory from a technical perspective).

      In addition, it appears to be appropriate "technical best practice" in the current Internet environment, in the absence of good reasons to do otherwise.

      We do specifically contemplate the possibility of justified exceptions - this RFC is only about setting a default.

      If this RFC passes within DM, I would advocate that we proceed to elevate it to a project-wide design standard via the normal change control process. DM's systems engineering group, and then the project SE group, should consider whether to treat this as a requirement or as a design rule under change control but not in the requirements hierarchy (though it might still be expressed in component-level requirements for concreteness).

          Activity

            ktl Kian-Tat Lim added a comment - Also see https://https.cio.gov/ and https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2015/m-15-13.pdf

            gpdf Gregory Dubois-Felsmann added a comment - At the DMLT meeting today we agreed to proceed with approval of this RFC. I have the action to define what the implementation actions are (i.e., which documents need to be edited to reflect this policy). I'll do this with tjenness this week; we'll consult with all the groups that are going to be running services.
            gpdf Gregory Dubois-Felsmann added a comment (edited) - Just to reiterate an important point: the implementation action will be very clear that this is a default policy but that specific exceptions can be made when technically justified and accepted by the ISO.

            gpdf Gregory Dubois-Felsmann added a comment - Before I get a storm of emails: I've already corrected "CIO" to "ISO" above...

            gpdf Gregory Dubois-Felsmann added a comment - This RFC was adopted by the DMLT some weeks ago. Implementation actions were created today to a) add the policy to LDM-148 and b) pursue an RFC to promote the policy to project level.

            People

              gpdf Gregory Dubois-Felsmann
              gpdf Gregory Dubois-Felsmann
              Alexander Withers [X] (Inactive), Donald Petravick, Fritz Mueller, Frossie Economou, Gregory Dubois-Felsmann, John Swinbank, Jonathan Sick, Joshua Hoblitt, Kian-Tat Lim, Tim Jenness, Trey Roby, Xiuqin Wu [X] (Inactive)
              Votes: 0
              Watchers: 12
