1. Web Clients alone needs to be implemented with SSL, so can I assume that Application Client resides inside the firewall so it dosen't need SSL ?
This is also 1 way to give a faster response to the Travel Agent, Also SSL implementation mostly depends upon the Server, should we document this ?
2. To what extent Security needs to be depicited in Component Diagrams ?
I guess thats the only diagram in which we show Security
3. What type of Security needs to be provided for a Travel Agent ?
1) You must use HTTPS
2) No security does not need to be shown at Compoment Diagram, just explain with words, is enough.
3) Every thing is HTTPS, there is no difference between customer and agent.