
[STF] Security Harvesting

From: Joseph Hui <Joseph.Hui@exodus.net>
Date: Thu, 8 Aug 2002 15:52:59 -0700
Message-ID: <45258A4365C6B24A9832BFE224837D551D1D03@SJDCEX01.int.exodus.net>
To: <www-ws-arch@w3.org>

Hi all,

Here's a structure-free compilation of the "security harvesting"
done by Darran and Abbie on behalf of the STF, according to a
sec tech list agreed upon by STF members, for satisfying the
second STF deliverable ("to identify security technologies to
look at"), assigned during the Paris F2F.
Please note that the efforts of the "harvesting" were geared
towards "identifying" the technologies, as opposed to
investigating them, per objective of the assignment, which
emphasized breadth (and not depth).  Thus the format of
presentation comprises terse descriptions and reference links.
Elaborations will be done on demand, in themed threads, on a
one-tech-per-thread basis.  Please also note Darran may in
due time make an ebXML addition.

OASIS WS-Security 
Relevance: SOAP based message integrity, message confidentiality 
and message authentication. 

Status: Substantive initial submission.  V1.0 process begins 
September 14th. 

WS-Security defines a standard for SOAP based message integrity,
confidentiality and authentication.  WS-Security also defines a
mechanism for specifying binary encoded security tokens (e.g. X.509
certificates). These security tokens may then be used independently
or in combination to accommodate a wide variety of security models
and encryption technologies.


OASIS Security TC - SAML v1.0 
Relevance: SAML defines a standard for exchanging authentication 
and authorization information. 

Status: v1.0 at committee specification.  Expected ratified Q3 2002. 
The SAML specification includes an XML schema that defines SAML 
assertions and protocol messages.  The specification also describes 
methods for binding these assertions to other existing protocols
(http, SOAP) in order to enable additional security functionality. 

Relevance: Secure exchange of Common Biometric Exchange Format Files. 

Status: OASIS standard expected March 2002 
XCBF defines a common set of secure XML encoding for the patron formats 
specified in CBEFF, the Common Biometric Exchange File Format (NISTIR 


OASIS Provisioning TC 
Relevance: Secure XML encoding and exchange protocol for 
provisioning requests. 

Status: OASIS standard expected January 2003. 
The Provisioning TC is defining the Service Provisioning Markup Language 
(SPML).  SPML defines an XML based framework for the exchange of any 
general provisioning requests. 

OASIS Access Control TC 
Relevance: Core XML schema for representing authorization and 
entitlement policies. 

Status: OASIS standard expected October 2002    

XACML will define the representation for rules that specify the who, 
what, when and how of information access. 

OASIS Rights Language TC 
Relevance: XML based rights expression language 

Status: OASIS standard expected October 2002 
The purpose of the Rights Language TC is to define the industry standard 
for a digital rights language that supports a wide variety of business 
models and has an architecture that provides the flexibility to address 
the needs of the diverse communities that have recognized the need for
a rights language.


W3C XML Digital Signatures 
Relevance: message integrity, message confidentiality and message

Status: Good Progress on many drafts 

The mission of this working group is to develop an XML compliant
syntax used for representing the signature of Web resources and
portions of protocol messages (anything referencable by a URI)
and procedures for computing and verifying such signatures.
This is a joint Working Group of the IETF and W3C. W3C is
hosting the email list and WG site publicly in accordance
with IETF procedure. Please see the Charter for further
information on the constitution of this WG. This WG does
not address broader XML security issues including XML
encryption and authorization.

Links: http://www.w3.org/Signature/ 

W3C XML Encryption 
Relevance: content integrity/security 

Status: Good Progress on many drafts 


The mission of this Working Group (WG) is to develop a process
for encrypting/decrypting digital content (including XML documents
and portions thereof) and an XML syntax used to represent the (1)
encrypted content and (2) information that enables an intended
recipient to decrypt it. Please see the Charter for further
information on the constitution of this WG. This WG does not
address broader XML security issues including XML Signature,
authentication, and authorization.

Links: http://www.w3.org/Encryption/2001/ 
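The syntax the paragraph describes, as an added example in Go that is not the Working Group's code: one EncryptedData element carrying the ciphertext of an XML element together with the EncryptionMethod and KeyInfo a recipient needs to recover it, plus the matching decryption that resolves the named key. The namespace and algorithm URIs are the published XML Encryption identifiers; the key name "shared-key-1", the key bytes and the sample element are constructed for the demo. It uses the AES-GCM identifier that XML Encryption 1.1 later added rather than the 1.0 CBC modes current in 2002, because CBC-mode EncryptedData carries no integrity check and was later shown to be vulnerable to chosen-ciphertext attacks; for the same reason Decrypt rejects any algorithm other than the one it expects instead of negotiating down.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
)

// Added example, not the W3C WG's code. The URIs are the published XML
// Encryption identifiers; key name, key and payload below are constructed.
const (
	xencNS    = "http://www.w3.org/2001/04/xmlenc#"
	typeElem  = xencNS + "Element" // the ciphertext stands in for a whole element
	aes128GCM = "http://www.w3.org/2009/xmlenc11#aes128-gcm"
)

// EncryptedData mirrors xenc:EncryptedData: EncryptionMethod and KeyInfo tell
// the recipient how to decrypt, CipherData/CipherValue carries the payload.
type EncryptedData struct {
	XMLName          xml.Name `xml:"http://www.w3.org/2001/04/xmlenc# EncryptedData"`
	Type             string   `xml:"Type,attr"`
	EncryptionMethod struct {
		Algorithm string `xml:"Algorithm,attr"`
	} `xml:"EncryptionMethod"`
	KeyInfo struct {
		KeyName string `xml:"http://www.w3.org/2000/09/xmldsig# KeyName"`
	} `xml:"http://www.w3.org/2000/09/xmldsig# KeyInfo"`
	CipherData struct {
		CipherValue string `xml:"CipherValue"`
	} `xml:"CipherData"`
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 16 {
		return nil, errors.New("aes128-gcm requires a 16-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt protects a serialized XML element with AES-128-GCM. As XML Encryption
// 1.1 prescribes for GCM, CipherValue is base64(IV || ciphertext || tag).
func Encrypt(key []byte, keyName string, elementXML []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, gcm.NonceSize()) // fresh 96-bit IV for every encryption
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	sealed := gcm.Seal(nil, iv, elementXML, nil) // ciphertext followed by 16-byte tag
	var ed EncryptedData
	ed.Type = typeElem
	ed.EncryptionMethod.Algorithm = aes128GCM
	ed.KeyInfo.KeyName = keyName
	ed.CipherData.CipherValue = base64.StdEncoding.EncodeToString(append(iv, sealed...))
	return xml.MarshalIndent(ed, "", "  ")
}

// Decrypt parses an EncryptedData element, looks up the named key and recovers
// the element. Unknown algorithms, unknown keys and any modified CipherValue
// (which fails the GCM tag check) are rejected.
func Decrypt(keys map[string][]byte, encryptedXML []byte) ([]byte, error) {
	var ed EncryptedData
	if err := xml.Unmarshal(encryptedXML, &ed); err != nil {
		return nil, err
	}
	if ed.EncryptionMethod.Algorithm != aes128GCM {
		return nil, fmt.Errorf("unsupported EncryptionMethod %q", ed.EncryptionMethod.Algorithm)
	}
	key, ok := keys[ed.KeyInfo.KeyName]
	if !ok {
		return nil, fmt.Errorf("no key for KeyName %q", ed.KeyInfo.KeyName)
	}
	raw, err := base64.StdEncoding.DecodeString(ed.CipherData.CipherValue)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(raw) < n+gcm.Overhead() {
		return nil, errors.New("CipherValue too short to hold IV and tag")
	}
	return gcm.Open(nil, raw[:n], raw[n:], nil)
}

func main() {
	key := []byte("0123456789abcdef")                         // constructed demo key
	payload := []byte(`<Salary currency="USD">120000</Salary>`) // constructed sample element
	enc, err := Encrypt(key, "shared-key-1", payload)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(enc))
	plain, err := Decrypt(map[string][]byte{"shared-key-1": key}, enc)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(plain))
}
```

Running it prints the EncryptedData element (the salary value never appears in it) followed by the recovered element. A shared symmetric key named through ds:KeyName is the simplest form the syntax allows; the specification also lets KeyInfo carry an EncryptedKey wrapped for the recipient's public key, which is what a deployment would use instead of pre-sharing.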


Relevance: protocols for distributing and registering public keys 
Status: In progress 

The mission of this working group is to develop a specification
of XML application/protocol that allows a simple client to obtain
key information (values, certificates, management or trust data)
from a web service.  This specification will be based on the XML
Key Management Specification (XKMS). Please see the Charter for
further information on the constitution of this WG. This WG
does not address broader XML security issues. 

Links: http://www.w3.org/2001/XKMS/ 

W3C SOAP 1.2 

Relevance: message integrity, message confidentiality and message authentication 
Status: In progress 

SOAP Version 1.2 is a lightweight protocol intended for exchanging structured
information in a decentralized, distributed environment. "Part 1: Messaging
Framework" defines, using XML technologies, an extensible messaging framework
containing a message construct that can be exchanged over a variety of
underlying protocols.

Links: http://www.w3.org/2000/xp/Group/ 

DMTF - General 
Relevance: Management standards for distributed systems 
Status: In progress 


* To lead the development of management standards for distributed desktop,
  network, enterprise and Internet environments

* DMTF goals
  - Accelerate adoption
  - Unify management initiatives
  - Promote interoperability
  - Move quickly in the new age
  - Raise the bar for management

Links: http://www.dmtf.org/ 


Relevance: connection-oriented, asynchronous interactions 
Status: RFC 3080 

Generic application protocol kernel for connection-oriented,
asynchronous interactions.

Links: http://www.ietf.org/rfc/rfc3080.txt 


Relevance: authentication, protocols 
Status: In progress 

IKE work is performed at the IETF in IPSec WG. 

Links: http://www.ietf.org/html.charters/ipsec-charter.html 

IPSec - IP Security (IETF)
Relevance: Defines IP level security.  Provides
encryption and integrity for IP packets.

Status: Complete

IETF defines IPSEC as the mechanisms to protect the client protocols
of IP. It defines a security protocol in the network layer that
provides cryptographic security services that flexibly support
combinations of authentication, integrity, access control, and

Links: http://www.ietf.org/html.charters/ipsec-charter.html

TLS - Transport Layer Security (IETF)
Relevance: Provides encryption, authentication and integrity over data streams 

Status: IETF draft RFC2246

The primary goal of the TLS Protocol is to provide privacy and data integrity
between two communicating applications. The protocol is composed of two layers:
the TLS Record Protocol and the TLS Handshake protocol.


Relevance: Authentication protocol

Status: IETF RFC1510

Kerberos is a network authentication protocol. It is designed to provide
strong authentication for client/server applications by using secret-key


IETF Public-Key Infrastructure (X.509) (pkix)
Relevance: Certificate, Certificate Management, Certificate Management Protocol
Status: In progress

IETF WG that focuses on developing Internet standards needed to support an
X.509-based PKI. The scope of PKIX work has expanded beyond this initial
goal. PKIX not only profiles ITU PKI standards, but also develops new
standards apropos to the use of X.509-based PKIs in the Internet.

Links: http://www.ietf.org/html.charters/pkix-charter.html

SASL: Simple Authentication and Security Layer
Relevance: authentication support to connection-based protocols
Status: RFCs

SASL is the Simple Authentication and Security Layer, a method for
adding authentication support to connection-based protocols. To use
SASL, a protocol includes a command for identifying and authenticating
a user to a server and for optionally negotiating protection of
subsequent protocol interactions. If its use is negotiated, a
security layer is inserted between the protocol and the connection.

Links: http://asg.web.cmu.edu/sasl/sasl-ietf-docs.html

Relevance: credential export/import
Status: In progress, RFCs

Focuses on portability of the user's credentials.

Links: http://www.ietf.org/html.charters/sacred-charter.html

Relevance: Mail Security
Status: In progress

The S/MIME Working Group has completed five Proposed Standards that
comprise the S/MIME version 3 specification. Current efforts build
on these base specifications.
Current focus is on developing an informational document describing
techniques that can be used to avoid small subgroup attacks.
Work on Cryptographic Message Syntax (CMS) cryptographic algorithm
interoperability is under way.

Links: http://www.ietf.org/html.charters/smime-charter.html


Joe Hui
Exodus, a Cable & Wireless service
Received on Thursday, 8 August 2002 18:52:00 UTC
