[x3d-public] [X3D-Public] X3D Security capabilities and needs

John Richardson richards at spawar.navy.mil
Mon Jan 5 16:07:01 PST 2015


Hello,

Being sort of lazy since I could read every spec......

But it seems that many applications can be attacked by attacking the
application's implementation of specifications [Open Geospatial Consortium,
Web3D, every XML/DOM type of spec,....].

So, is there a discussion available of general web application security for
X3D/WebGL/HTML5/.....

Example: Can you point me to the Data Flow diagrams for Xj3dEdit?

John F. Richardson

-----Original Message-----
From: x3d-public [mailto:x3d-public-bounces at web3d.org] On Behalf Of Don
Brutzman
Sent: Saturday, January 03, 2015 11:12 AM
To: info at 3dnetproductions.com; 'Christoph Valentin'
Cc: 'Web3D Consortium Members'; 'X3D Graphics public mailing list'
Subject: Re: [x3d-public] [X3D-Public] X3D Security capabilities and needs

Christoph, again thanks for your feedback a few weeks ago.

I've integrated numerous points (including yours) and added them to X3D
Resources - Security.

Continued scrutiny, issues and improvements continue to be welcome in this
important area.

http://www.web3d.org/x3d/content/examples/X3dResources.html#Security
====================================================================================
Security

The .x3d encoding is XML based, which means that the full power of Web
Security can be applied to X3D Graphics models.

     X3D Security Examples demonstrate conversions for XML Encryption and
XML Signature (digital authentication)
     X3D Security Examples README describes technical detail about how all
this works.

X3D capabilities for model security, existing and emerging:

     Multiple forms of validation are available to prevent unwanted
insertions of malicious content in X3D models.
     Strongly typed metadata can be inserted in any X3D model. Interchange
conventions are expected to emerge with growing usage.
     Security mechanisms can be applied to high levels of detail (LOD),
allowing authors to protect intellectual property at high resolution for
authorized users while still rendering simple unrestricted models for other
users.
     XML Security compatibility, specifically the XML Encryption and XML
Digital Signature (authentication) Recommendations.
     XML Security mechanisms can be applied to entire scenes in .x3d files
(XML documents) or scene subgraphs within an .x3d file (XML fragments).
     XML Security mechanisms allow declaration of relevant encryption
algorithms in the envelope header.
     XML Security software is broadly available and usable by international
partners in any context, including Web commerce.
     Data-centric security is independent of network-transport security.
     W3C Efficient XML Interchange (EXI) Working Group is ensuring that
XML-based data compression can be used compatibly with XML Security.
     W3C Security Interest Group serves as a forum for discussion about
improving standards and implementations to advance the security of the Web.
     Most of these capabilities are demonstrated and formalized already.
Some are working-group efforts in progress. This emerging combination of
capabilities can thus be considered low risk, with high probability of full
convergence eventually occurring.

X3D player and tool support for security:

     X3D-Edit authoring tool.
     Advanced developers can use native XML tools. Open security by design
provided by XML Security is the strongest approach for international use.
     Proprietary encryption tools are occasionally available. User beware:
security through obscurity is not strong security.
     Required support for secure url addresses using https and ssl/tls
protocols is likely to be included in X3D versions 3.4 and 4.0.
     TODO: better built-in support is needed by X3D players and tools.

Interested? The Web3D Consortium X3D Working Group participates in the W3C
Security Activity to continue taking advantage of ongoing developments.
Member participation is welcome.  
====================================================================================

On 12/13/2014 7:24 PM, GLG wrote:
> If this is a new thread, I did not see original/previous message(s).
> Replying to Christoph here:
>
> My opinion is that security capabilities can be extremely important to 
> all countries/companies. How else can intellectual property be 
> protected if anyone wishes to do so? Not every business model can abide by
> open source.
> There is also an inherent need for security and fraud protection for 
> many types of applications. Without the ability to fulfill either one 
> of these needs, X3D would simply not be an option in many scenarios. I 
> view world encryption as essential but only a part of the solution, 
> SSL support/compatibility has to come into play for real protection. 
> Lauren,
>
> -----Original Message-----
> From: X3D-Public [mailto:x3d-public-bounces at web3d.org] On Behalf Of 
> Christoph Valentin
> Sent: Saturday, December 13, 2014 4:41 AM
> To: Don Brutzman
> Cc: Web3D Consortium Members; X3D Graphics public mailing list
> Subject: Re: [X3D-Public] X3D Security capabilities and needs
>
>>> Feedback welcome. How important is this to authors and applications?
>
> This is just my private opinion: I think it is very important to 
> authors and applications.
>
> Reason: Rich, developed countries/companies can afford to cope with 
> open source data models, because they can make "big money" with the 
> surrounding services (writing books, consultants, .....), but poor, 
> developing countries/companies need to make "little money" with the 
> help of protected models.
>
> Just my private opinion, as I said. I can be wrong.
>
> _______________________________________________
> X3D-Public mailing list
> X3D-Public at web3d.org
> http://web3d.org/mailman/listinfo/x3d-public_web3d.org
>


all the best, Don
-- 
Don Brutzman  Naval Postgraduate School, Code USW/Br       brutzman at nps.edu
Watkins 270,  MOVES Institute, Monterey CA 93943-5000 USA   +1.831.656.2149
X3D graphics, virtual worlds, navy robotics http://faculty.nps.edu/brutzman

_______________________________________________
x3d-public mailing list
x3d-public at web3d.org
http://web3d.org/mailman/listinfo/x3d-public_web3d.org
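
Added example, not part of the thread or of the X3D Resources page it quotes: a pre-load audit of an .x3d scene in the spirit of the quoted items on validation against unwanted insertions and on https url addresses. The https-only policy, the choice of Script as the node to flag, and the sample scene are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumed local policy for this sketch; not taken from the X3D specification.
ALLOWED_SCHEMES = {"https"}   # relative urls are also accepted
ACTIVE_NODES = {"Script"}     # nodes that can carry executable content

# Constructed sample scene (not a real model).
SAMPLE_SCENE = """<X3D profile='Immersive' version='3.3'>
  <Scene>
    <Inline url='"https://example.org/models/part.x3d"'/>
    <Shape>
      <Appearance>
        <ImageTexture url='"skin.png" "http://example.org/skin.png"'/>
      </Appearance>
      <Box/>
    </Shape>
    <Script DEF='Injected' url='"ecmascript: function initialize() {}"'/>
  </Scene>
</X3D>"""

MFSTRING_ITEM = re.compile(r'"((?:[^"\\]|\\.)*)"')
SCHEME = re.compile(r'^\s*([A-Za-z][A-Za-z0-9+.-]*):')

def split_mfstring(value):
    """Split an X3D MFString attribute such as '"a" "b"' into its strings."""
    items = MFSTRING_ITEM.findall(value)
    if not items and value.strip():
        items = [value.strip()]          # tolerate a single unquoted url
    return [re.sub(r'\\(.)', r'\1', item) for item in items]

def audit_scene(xml_text):
    """Return (node, issue, detail) findings for one X3D scene."""
    findings = []
    for node in ET.fromstring(xml_text).iter():
        if node.tag in ACTIVE_NODES:
            findings.append((node.tag, "active-content", node.get("DEF", "")))
        for url in split_mfstring(node.get("url", "")):
            match = SCHEME.match(url)
            if match and match.group(1).lower() not in ALLOWED_SCHEMES:
                findings.append((node.tag, "disallowed-scheme", url))
    return findings

if __name__ == "__main__":
    for finding in audit_scene(SAMPLE_SCENE):
        print(finding)
```

An audit like this complements schema validation and XML Signature checks; it does not replace them.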



