Re: public-wsawg-security-tf - where to start from Francis McCabe on 2003-03-24 (public-wsawg-security-tf@w3.org from March 2003)

From: Francis McCabe <fgm@fla.fujitsu.com>
Date: Mon, 24 Mar 2003 15:34:10 -0800
To: "Abbie Barbir" <abbieb@nortelnetworks.com>
Cc: "Edgar, Gerald" <gerald.edgar@boeing.com>, public-wsawg-security-tf@w3.org
Message-Id: <1D3EDA6C-5E51-11D7-8DE2-000393A3327C@fla.fujitsu.com>
Abbie:
   If you provide a draft, I'll undertake to have a go at refactoring it 
to `fit' with the architecture style.
Frank

On Monday, March 24, 2003, at 01:07  PM, Abbie Barbir wrote:

> Hello again,
>
> Moving forward on the security issues and working with francis 
> recommendation, we need to jumop start the work ASAP.
>
> At this stage, I will suggest the following:
>
> 1. We need a section that discuss the need for security. This can 
> address all the issues from the architecture prospective. In the 
> section we will state the following:
>
> a. security is a feature that could be intgerated in the architecture.
> b. Point the fact that it is deployment related and that it should be 
> part of an overall security frame work for the adopters.
>
> c. Point to work that is being done to achoive that (OASIS, etc.)
> d. State that some recommendation will be spec and others will not, 
> and the adopter should keep track of that.
>
> This shouls be done in about two pages.
>
> I will start the process early next week and pass the draft to you for 
> your feedback.
>
> Please let me know if u have any problems with that. Of course any 
> help will be appreciated.
>
>
>
> Thanks
>
> Abbie
>
>
>
> > -----Original Message-----
> > From: Francis McCabe [mailto:fgm@fla.fujitsu.com]
> > Sent: Wednesday, March 19, 2003 12:37 PM
> > To: Barbir, Abbie [CAR:1A00:EXCH]
> > Cc: Edgar, Gerald; public-wsawg-security-tf@w3.org
> > Subject: Re: public-wsawg-security-tf - where to start
> >
> >
> > Hi Abbie:
> >    I think that you are still over estimating the effort involved.
> >
> >    If you think of the WSA as a framework architecture rather than a
> > specific implementation arch, then all that is really required is to
> > establish the key `entry points' that are necessary; and potentially
> > point to the more specific specs.
> >
> >    E.g., I doubt v. much that we need to investigate the presence or
> > lack of support for security in WSDL.
> >
> > Really, the question that needs to be answered is:
> >
> > How does the WSA account for security
> >
> > The answer is going to be a combination of two things:
> >
> > the key concepts needed for security and a pointer to a more detailed
> > spec.
> >
> > This is both easier and harder than dumping a list of
> > specifics; easier
> > because there should be less typing, harder because getting the right
> > key is difficult.
> >
> > Frank
> >
> > On Tuesday, March 18, 2003, at 04:29  PM, Abbie Barbir wrote:
> >
> > > Gerald, and all,
> > >
> > > HI,
> > >
> > > I have been on the road with no e-mail access.
> > > OK,
> > > for the thursday meeting and the rest of the road map, here
> > is what i
> > > think we should do to the archtec draft.
> > > 1. we should add a security section. the section will
> > consist of the
> > > following
> > > a- basic security objectives, basically on my slides are the
> > > Authentication authorization, etc..
> > > b- next we list the avilable techniques that are being standarized
> > > today. we may even mention the techniques that are on the
> > wish list in
> > > OASIS and other SDO.
> > >
> > > The general approach will be the following:
> > > 1. privacu issues (human behaior as opposed to data) is out of 
> scope
> > > of our work.
> > > 2. need to mention that security is basically afeature, it be taken
> > > into consideration the design of web serv ices. the
> > approach should ne
> > > compatible with the enterprize (or company security policy). wsa
> > > security adds an extra dimension, and is part of the
> > overall secuiryt.
> > >
> > > 3, we need to see if the wsa architecture has any mnajor
> > misaalignment
> > > with the arcitecture that SAML, XKMS, etc that are based on, if yes
> > > (which I doubt) need to alighn the delta and decide if the approach
> > > work or not.
> > >
> > > 4. Need to see if SOAP security thorug WS-Security is applicable or
> > > not (ANy major issues with what URI defines or not).
> > >
> > > 5. Need to see if we need any requirements on WSDL, such as
> > > specifiying security as a feature or not.
> > > 6. Need to adress ws-policy, ws-privacy, ws-routing, etc.
> > > 7. how does security relates to chroeography. what do we need to
> > > mention there.
> > >
> > >
> > > This is a good starting point for discussion, so please respond.
> > >
> > > I will be on the plane friday.
> > > Gerald, if this e-mail does not make it to the list can u please 
> fwd
> > > it.
> > >
> > >
> > > abbie
> > >
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: Edgar, Gerald [mailto:gerald.edgar@boeing.com]
> > > > Sent: Tuesday, March 18, 2003 11:14 AM
> > > > To: Barbir, Abbie [CAR:1A00:EXCH]
> > > > Subject: RE: public-wsawg-security-tf - where to start
> > > >
> > > >
> > > > There has not been much activity yet. are we going to have
> > > > teleconference meetings that we can get going? your
> > presentation on
> > > > web services security is a start, my diagrams are another
> > cut. What
> > > > will our next steps be?
> > > >
> > > > Gerald
> > > >
> > >
> >
> >
>
Received on Monday, 24 March 2003 18:34:37 UTC