- From: Joseph Hui <Joseph.Hui@exodus.net>
- Date: Wed, 31 Jul 2002 14:02:24 -0700
- To: <www-ws-arch@w3.org>
The STF was recently assigned the tasks to: 1) scope the requirements for the Web Services security working group (that had been informally proposed by various parties); 2) recommend the security technologies "to look at"; and 3) develop security usage scenarios. The first two tasks have concluded, and the third is understood to have folded into the ongoing WG-wide activities in developing use cases and usage scenarios.

This message opens a public thread covering task 1. (More separate threads are to be opened for the other task deliverables on the way.) (-:

The STF members, with much input from OASIS's liaising representative, have reached rough consensus in recommending the following:

1) A specialized security group, in its maximal form a W3C working group, say "Web Services Security Working Group" (WSSWG), in lesser form a W3C coordination group, and in minimal form a WSAWG sub-group, should be formed to provide a security framework for the Web Services architecture as defined by the WSAWG. As no other standards bodies share identical vision, goals, and executions with the W3C, it behooves the W3C to organize its Web Services Security work under its own auspices (instead of outsourcing it in its entirety to external organizations), in order to be more effective in matters concerning the priorities, schedules, methodologies, and qualities for meeting the WSAWG's security requirements. The security group will work with the understanding that there are other standards bodies and private enterprises engaging in similar pursuits. Hence, it must take care to minimize duplicating efforts. It should also be mindful of IPR ramifications in the leveraging of existing technologies.

2) The scope of the requirements for the security group must encompass all requirements stated under the AC006 section of the WSAWG's requirements specification. It may also include the Privacy requirements stated under the AC020 section of the same document. It was the STF's consensus that it remains an open issue whether Privacy should be included in Security (and consequently be dealt with by the security group).

3) The security work should be done and delivered in phases as follows: Phase 1) Confidentiality, integrity, authentication, and authorization; Phase 2) Non-repudiation; Phase 3) Accessibility; and Phase 4) Auditing and Management (i.e. the management/administrative aspect of security). Overlaps among phases are possible, but the sense of priority indicated by the ordering of the phases above must be observed. Note that the phases stated above do not include Privacy. It is reasonable to presume that even if Privacy is determined to be in scope for the security group, it will probably be done by Privacy experts in a discrete track (a la AC020), separate from the conventional security track (a la AC006).

4) The WSAWG should make it a priority to bring closure to specifying the requirements under AG004. (A message serving such purpose was sent to the public list a few weeks ago, and has received little feedback. A heads-up was given during the 7/25 WSAWG concall about the STF's intent for a final push.)

CAVEAT EMPTOR: Due to the dubious "sunshine rules" that call for all WSAWG task forces' intra-team discussions to be conducted in public, this STF communique, which should precisely reflect the collective output of individual mindsets among STF members, has not undergone any review cycles as of this posting, and is therefore subject to change without notice. In other words, the above is only a best-effort attempt at synthesizing diverse inputs from all STF members; so stay tuned in case of alteration. :-)

Joe Hui
Exodus, a Cable & Wireless service
Received on Wednesday, 31 July 2002 17:01:30 UTC