Request For Comments: RFC-326

Require https: as default for all public Web services

    Details

    • Type: RFC
    • Status: Implemented
    • Resolution: Done
    • Component/s: DM
    • Labels: None
    • Location: On this ticket

      Description

      We have not yet adopted an implementation standard for the range of Web services that the project will offer.

      This RFC recommends that DM adopt a policy that, in the absence of a specific technical justification and acceptance by the LSST ISO (at least), all Web services exposed to users and the public Internet should be https: services.

      By way of example, this would by default include the DAX VO and other LSST-specific REST services, the SUIT "Portal aspect" Web pages and associated Web APIs, and the "Notebook aspect" JupyterHub/JupyterLab services.

      The LSR and OSS requirements to implement data access policies that limit access to identified rights holders are expected to require all, or nearly all, data access to be authenticated. Since authenticated access means that credentials or session tokens accompany requests, this provides a strong technical justification for the policy (though it is not strictly mandatory from a technical perspective).

      In addition, it appears to be appropriate "technical best practice" in the current Internet environment, in the absence of good reasons to do otherwise.

      We do specifically contemplate the possibility of justified exceptions - this RFC is only about setting a default.

      If this RFC passes within DM, I would advocate that we proceed to elevate it to a project-wide design standard via the normal change control process. DM's systems engineering group, and then the project SE group, should consider whether to treat this as a requirement or as a design rule under change control but not in the requirements hierarchy (though it might still be expressed in component-level requirements for concreteness).
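      As an added illustration of what "https: by default, with accepted exceptions" means operationally, the following check is editor-supplied example code, not part of RFC-326, LDM-148 or any LSST service. For each public hostname it verifies that the plain-http endpoint redirects to https on the same host and that the https endpoint sends Strict-Transport-Security; hosts on an exceptions list (the RFC's ISO-accepted exceptions) are skipped. The hostnames and responses in CANNED are constructed so the script runs offline, and the one-year minimum HSTS max-age is an assumed threshold taken from common guidance rather than from the RFC.

```python
"""Compliance check for an https-by-default policy on public Web services.

Editor's example code (not from RFC-326 or any LSST document). For each host:
  * http://host/ must redirect to an https URL on the same host, and
  * https://host/ must send Strict-Transport-Security with max-age of at least
    one year (assumed threshold, not stated by the RFC).
Hosts on the exceptions list (the RFC's "justified exceptions") are skipped.
"""
import http.client
import ssl
from urllib.parse import urlsplit

ONE_YEAR = 365 * 24 * 3600  # assumed minimum HSTS max-age, in seconds


def probe_live(url, timeout=5):
    """Issue one HEAD request without following redirects.

    Returns (status, headers) with lower-cased header names.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        conn = http.client.HTTPSConnection(
            parts.hostname, parts.port or 443, timeout=timeout,
            context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(
            parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("HEAD", parts.path or "/")
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def hsts_max_age(value):
    """Parse the max-age directive of a Strict-Transport-Security header.

    Returns the number of seconds, or None if the directive is absent/malformed.
    """
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        num = num.strip().strip('"')
        if name.strip().lower() == "max-age" and num.isdigit():
            return int(num)
    return None


def check_service(host, probe=probe_live, exceptions=()):
    """Return a list of policy findings for one host; an empty list means compliant."""
    if host in exceptions:  # ISO-accepted exception: policy not applied
        return []
    findings = []

    # 1. Plain http must hand the client over to https on the same host.
    status, headers = probe(f"http://{host}/")
    target = urlsplit(headers.get("location", ""))
    if status not in (301, 302, 307, 308):
        findings.append(f"http://{host}/ answered {status} instead of redirecting to https")
    elif target.scheme != "https" or target.hostname != host:
        findings.append(f"http://{host}/ redirects to {target.geturl()!r}, not to https on the same host")
    elif status in (302, 307):
        findings.append(f"http://{host}/ uses a temporary redirect ({status}); use 301 or 308")

    # 2. The https endpoint must pin clients to https via HSTS.
    status, headers = probe(f"https://{host}/")
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append(f"https://{host}/ sends no Strict-Transport-Security header")
    else:
        age = hsts_max_age(hsts)
        if age is None or age < ONE_YEAR:
            findings.append(f"https://{host}/ HSTS max-age {age} is below one year")
    return findings


# Constructed responses for three hypothetical services so the check runs
# offline; hostnames and headers are made up for illustration only.
CANNED = {
    "http://portal.example.org/": (301, {"location": "https://portal.example.org/"}),
    "https://portal.example.org/": (200, {"strict-transport-security": "max-age=31536000; includeSubDomains"}),
    "http://api.example.org/": (200, {"content-type": "application/json"}),
    "https://api.example.org/": (200, {}),
    "http://notebook.example.org/": (302, {"location": "https://notebook.example.org/hub/"}),
    "https://notebook.example.org/": (200, {"strict-transport-security": "max-age=600"}),
}


def probe_canned(url):
    """Offline stand-in for probe_live backed by the CANNED responses."""
    return CANNED[url]


def audit(hosts, probe=probe_live, exceptions=()):
    """Map each host to its list of findings."""
    return {h: check_service(h, probe, exceptions) for h in hosts}


if __name__ == "__main__":
    hosts = sorted({urlsplit(u).hostname for u in CANNED})
    for host, findings in audit(hosts, probe_canned).items():
        print(host, "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

      Against the constructed responses, portal.example.org passes, api.example.org is flagged for serving content over plain http and for lacking HSTS, and notebook.example.org is flagged for a temporary redirect and a ten-minute HSTS max-age. Replace probe_canned with probe_live to run against real hosts; note that probe_live issues HEAD requests, which a few servers reject, and performs no certificate-chain checks beyond those of ssl.create_default_context().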

            Activity

            ktl Kian-Tat Lim added a comment - Also see https://https.cio.gov/ and https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2015/m-15-13.pdf
            gpdf Gregory Dubois-Felsmann added a comment -

            At the DMLT meeting today we agreed to proceed with approval of this RFC. I have the action to define what the implementation actions are (i.e., which documents need to be edited to reflect this policy). I'll do this with Tim Jenness this week; we'll consult with all the groups that are going to be running services.

            gpdf Gregory Dubois-Felsmann added a comment - - edited

            Just to reiterate an important point: the implementation action will be very clear that this is a default policy but that specific exceptions can be made when technically justified and accepted by the ISO.

            gpdf Gregory Dubois-Felsmann added a comment -

            Before I get a storm of emails: I've already corrected "CIO" to "ISO" above...

            gpdf Gregory Dubois-Felsmann added a comment -

            This RFC was adopted by the DMLT some weeks ago. Implementation actions were created today to a) add the policy to LDM-148 and b) pursue an RFC to promote the policy to project level.


              People

              • Assignee: Gregory Dubois-Felsmann
              • Reporter: Gregory Dubois-Felsmann
              • Watchers (12): Alexander Withers [X] (Inactive), Donald Petravick, Fritz Mueller, Frossie Economou, Gregory Dubois-Felsmann, John Swinbank, Jonathan Sick, Joshua Hoblitt, Kian-Tat Lim, Tim Jenness, Trey Roby, Xiuqin Wu [X] (Inactive)
              • Votes: 0
