W3C home > Mailing lists > Public > www-ws-arch@w3.org > July 2002

[STF] WS Sec Group Scoping

From: Joseph Hui <Joseph.Hui@exodus.net>
Date: Wed, 31 Jul 2002 14:02:24 -0700
Message-ID: <45258A4365C6B24A9832BFE224837D5523BC6B@SJDCEX01.int.exodus.net>
To: <www-ws-arch@w3.org>

The STF was recently assigned the tasks to:

   1) scope the requirements for the web service security working
      group (that had been informally proposed by various parties);

   2) recommend the security technologies "to look at;" and

   3) develop security usage scenarios.

The first two tasks have concluded, and the third is understood
to have folded into the on-going WG-wide activities in developing
use cases and usage scenarios.

This message opens a public thread covering task 1.
(More separate threads are to be opened for the other task
deliverables on the way.)

(-:

The STF members, with much input from OASIS's liaising representative,
have reached rough conciseness in recommending the following:

  1) A specialized security group, in its maximal form a W3C working
     group, say "Web Services Security Working Group" (WSSWG),
     lesser form a W3C coordination group, minimal form a WSAWG
     sub-group, should be formed to provide a security framework
     for the Web Services architecture as defined by the WSAWG.
     As no other standards bodies share identical vision, goals,
     and executions with the W3C, it behooves the W3C to organize
     its Web Services Security work under its own auspices (instead
     of outsourcing it in entirety to external organizations),
     in order to be more effective in matters concerning the
     priorities, schedules, methodologies, and qualities for
     meeting the WSAWG's security requirements.  The security
     group will work with the understanding that there are other
     standards bodies and private enterprises engaging in similar
     pursuits.  Hence, it must take care to minimize duplicating
     efforts.  It should also be mindful of IPR ramifications
     in the leverage of existing technologies.

  2) The scope of the requirements for the security group
     must encompass all requirements stated under the AC006
     section of the WSAWG's requirements specification.
     It may also include the Privacy requirements stated
     under the AC020 section of the same document.  It was
     the STF's consensus that it remains an open issue
     whether Privacy should be included in Security (and
     consequently be dealt with by the security group).

  3) The security work should be done and delivered in phases
     as follows:

        Phase 1) Confidentiality, integrity, authentication,
                 and authorization;

        Phase 2) Non-repudiation;

        Phase 3) Accessibility; and

        Phase 4) Auditing, and Management (i.e. the
                 management/administrative aspect of security).

     Overlaps among phases are possible, but the sense of priority
     as indicated by the ordering of the phases above must be
     observed.

     Note that the phases stated above does not include Privacy.
     It is reasonable to presume that even if Privacy is
     determined to be in-scope for the security group,
     it will probably be done by Privacy experts in a
     discrete track (ala AC020), separate from the
     conventional security track (ala AC006).

  4) The WSAWG should make it a priority to bring closure to specifying
     the requirements under AG004.  (A message serving such purpose
     was sent to the public list few weeks ago, and has received
     few feedbacks.  A heads-up was given during the 7/25 WSAWG
     concall about the STF's intent for a final push.)

CAVEAT EMPTOR:
  Due to the dubious "sunshine rules" that call for all WSAWG
  task forces' intra-team discussions to be conducted in public,
  this STF communique, which should precisely reflect the collective
  output of individual mindsets among STF members, has not undergone
  any review cycles as of this posting; and is therefore subject
  to change without notice.  In other words, the above is only a
  best-effort attempt in synthesizing diverse inputs from all STF
  members; so stay tuned in case of alternation.

:-)

Joe Hui
Exodus, a Cable & Wireless service
Received on Wednesday, 31 July 2002 17:01:30 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 3 July 2007 12:25:03 GMT