W3C home > Mailing lists > Public > www-ws-arch@w3.org > June 2002

RE: SOAP Confidentiality and Integrity: Next Step?

From: Joseph Hui <Joseph.Hui@exodus.net>
Date: Wed, 19 Jun 2002 21:43:59 -0700
Message-ID: <45258A4365C6B24A9832BFE224837D551D1C5E@SJDCEX01.int.exodus.net>
To: "Krishna Sankar" <ksankar@cisco.com>, <www-ws-arch@w3.org>, <xml-encryption@w3.org>, <www-xkms@w3.org>, <reagle@w3.org>

Krishna,

I'm by no means opposed to Joseph Reagle's proposal or the
formation of a new WS or SOAP security WG, which happens to
be in line with what Dave Orchard and some others were pushing
and receiving pushback.  (I as the sec champion would rather
be as neutral as possible on the issue, and stick with
shepherding the process with technical analysis and clarification
where appropriate.)  There were some concrete steps we were
slated to take in this area as an upshot of the Paris F2F.
For now I'd rather not jump the gun here before Chris the
chair's cue on the matter.

My messages were quite clear and simple, I think: 1) a rebuttal
to Dave Orchard's "observations" and mis-characterization of
the hitherto efforts and accomplishments in the security front
within WSAWG; and 2) a word of caution to arrest a potential
slide into finger pointing.  

Cheers, 

Joe Hui
Exodus, a Cable & Wireless service
=================================================

> -----Original Message-----
> From: Krishna Sankar [mailto:ksankar@cisco.com]
> Sent: Wednesday, June 19, 2002 8:52 PM
> To: www-ws-arch@w3.org; xml-encryption@w3.org; www-xkms@w3.org;
> reagle@w3.org
> Subject: RE: SOAP Confidentiality and Integrity: Next Step?
> 
> 
> 
> Joseph Hui,
> 
> 	I have been observing the WS-Arch security related proceedings
> with interest and concern. On one side we are doing the right
> peer-review and the disciplined-rigorous approach, which is 
> good. OTOH,
> it is a process by a committee, which means we will make some
> compromises and would take time. You know how long we took 
> just to agree
> on definitions.
> 
> 	Usually I do not agree with Dave Orchard that easily, but on
> this occasion I do agree with him. Any W3C effort - as a result of the
> WS-Arch definition in the security arena - would be able to 
> start at the
> earliest by Nov 2002 which means any standard to the CR level would be
> Nov 2003.
> 
> 	From my understanding, what Joseph Reagle is attempting to do (I
> also support him on this) is to achieve a standardized way 
> for integrity
> & confidentiality for SOAP ; I would add the transport of 
> tokens (a.k.a
> SAML assertions, Kerberos Tickets,...) over SOAP as well into this
> effort. This clearly requires a light weight and faster 
> process than the
> yet-to-be-proposed Security initiative by the WS-Arch group. Remember,
> if the question was the other way round - i.e. if we want a security
> architecture for web services that envelopes secure conversation,
> policies, ... (like the security arch paper from IBM et al) my answer
> would be different, in fact opposite !
> 
> 	The proposed mini-group (let us call it SOAP Security WG)
> actually has a lot of synergy with the yet-to-be-proposed WS-Security
> WG. It relieves us - the WS-Arch group of the daily trifles and the
> urgency of defining a short term deliverable (to plug the leaks -
> literally !) and it frees the SOAP Security WG of defining an all
> encompassing comprehensive security architecture. The best of both
> worlds !
> 
> cheers
> 
> 
Received on Thursday, 20 June 2002 00:43:15 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 3 July 2007 12:25:00 GMT