At the November 24th ROA technical meeting the discussion came up of why some web services are not being registered. We mostly considered web services that might provide access to sensitive data such as student records, but also web services that were only designed for internal departmental. Ultimately we came to the conclusion that ALL web services that provide access to UW data (short of Oren’s blog and other personal blogs¦sorry Oren) should be added to the web service registry.
The argument that a service should not be registered because it exposes data is weak argument; security by obscurity (http://en.wikipedia.org/wiki/Security_through_obscurity) is no real security. As for the argument that the service shouldn’t be registered because it was designed for use internal to a department, that doesn’t mean that there might be some external use for the service or that the service might inspire a similar service in another department.
This definition of what should go in the registry should go beyond just web services designed to provide controlled access to some database, but could include RSS or Atom feeds to departmental news letters or event calendars.
We came up with 3 primary reasons:
- Prevent duplicate services from being created; currently there are countless shadow databases across campus, we wouldn’t want this trend to continue with web services.
- There might be a use for a service that the owner never envisioned (serendipity)
- The registry provides a central location for documenting the owners of the services should they ever need to be notified (i.e. some new exploit to HTTP is discovered).
Although personal blogs should be excluded from the registry, we decided that RSS feeds that provide access to things like departmental newsletters and departmental event calendars should be added to it. We also wanted to make sure that it was understood that UW Data included both institution and departmental data. If the work was put into exposing a service it should be added to the registry.
There was a concern about advertising some services on the registry due to the fact that they might provide access to sensitive data, or that advertising a service might open it up to a denial of services attack. To alleviate this concern we thought that it would be useful to add the ability to add something like a checkbox to the registry that allows the endpoints of these services to be listed as unpublished If web service owners are allowed to list their service endpoints as unpublished there is no reason not to list all services on the registry.
We did note that ultimately the final decision to list a service on the registry is in the hands of whoever is the custodian of the data that is being exposed.
This was what the ROA Technical Committee thought, what do you think? Should all services be added to the registry?