- From: Ashok Malhotra <ashok.malhotra@oracle.com>
- Date: Mon, 14 Mar 2005 12:33:01 -0800
- To: Marc Hadley <Marc.Hadley@Sun.COM>
- CC: Hugo Haas <hugo@w3.org>, public-ws-addressing@w3.org, Rich Salz <rsalz@datapower.com>
> Did you have another group in mind ? There has been talk about starting a Policy WG. > IMO we are defining > addressing and we should also be defining how to secure the > addressing information. I think securing the addressing information has a lot in common woth securing other kinds of information and is orthogonal to the real concerns of the WS-Addressing WG. All the best, Ashok > -----Original Message----- > From: Marc.Hadley@Sun.COM [mailto:Marc.Hadley@Sun.COM] On > Behalf Of Marc Hadley > Sent: Monday, March 14, 2005 11:59 AM > To: Ashok Malhotra > Cc: Hugo Haas; public-ws-addressing@w3.org; Rich Salz > Subject: Re: Proposing a wsa:Security element > > On Mar 14, 2005, at 11:17 AM, Ashok Malhotra wrote: > > > > In my view, all the security information shd be collected > together and > > shd go in the policy sub-bucket of the metadata bucket. > But there are > > many subtleties here depending on which direction the message is > > flowing etc. > > > > I suggest that the WS-Addressing WG not attempt to solve > this problem. > > The existence of a metadata bucket(in place or by > reference) is fine. > > The details shd be left to another WG. > > > Did you have another group in mind ? IMO we are defining > addressing and we should also be defining how to secure the > addressing information. > I'm strongly opposed to this group failing to adequately > address the security implications of our specification so > users have to wait for another WG (in say WS-I) to provide > the necessary information to get secure interoperability. > > Marc. > > > > >> -----Original Message----- > >> From: public-ws-addressing-request@w3.org > >> [mailto:public-ws-addresspendiing-request@w3.org] On > Behalf Of Rich > >> Salz > >> Sent: Monday, March 14, 2005 7:31 AM > >> To: Hugo Haas > >> Cc: public-ws-addressing@w3.org > >> Subject: Re: Proposing a wsa:Security element > >> > >> > >>> Couldn't such information go in the [metadata] bucket? It > >> seems that > >>> we added it for things just like that. > >> > >> Perhaps. If you see my longer note about "trust model," > >> you'll see that we need a way to aggregate a bunch of security > >> information, and make sure it ends up in a WS-Security > element. This > >> may be different from other security information that just > needs to > >> be used between the client and the epr minter (which, I > know, if out > >> of scope; out security model should support some kind of > interaction > >> there, however). > >> > >> Yes, a wsa:Security can go into the metadata bucket. But > saying that > >> all or any ds:Signature, wsse:SecurityTokenReference, > etc., elements > >> get the kind of binding I propsed for wsa:Security, is a mistake. > >> > >> /r$ > >> > >> -- > >> Rich Salz, Chief Security Architect > >> DataPower Technology > >> http://www.datapower.com > >> XS40 XML Security Gateway > >> http://www.datapower.com/products/xs40.html > >> > >> > >> > > > > > > > --- > Marc Hadley <marc.hadley at sun.com> > Web Technologies and Standards, Sun Microsystems. > > >
Received on Monday, 14 March 2005 20:34:21 UTC