
RE: SOAP Confidentiality and Integrity: Next Step?

From: Cutler, Roger (RogerCutler) <RogerCutler@chevrontexaco.com>
Date: Thu, 20 Jun 2002 08:26:52 -0700
Message-ID: <7FCB5A9F010AAE419A79A54B44F3718E7C9471@bocnte2k3.boc.chevrontexaco.net>
To: "'David Orchard'" <dorchard@bea.com>, reagle@w3.org, "'Krishna Sankar'" <ksankar@cisco.com>
cc: www-ws-arch@w3.org

For what it is worth, I support the "accelerated" approach ("damn the
torpedoes", or whatever you said) to getting a security WG charter out.
Hopefully if work on the architecture and the charter are proceeding in
parallel, by the time the charter actually gets out the door there will be
enough feedback from the architecture side to make people more comfortable.

A LOT of people, in and out of the W3C, are waiting very impatiently for
this work to get done.  Or even started.

-----Original Message-----
From: David Orchard [mailto:dorchard@bea.com] 
Sent: Wednesday, June 19, 2002 3:19 PM
To: reagle@w3.org; 'Krishna Sankar'
Cc: www-ws-arch@w3.org
Subject: RE: SOAP Confidentiality and Integrity: Next Step?

> -----Original Message-----
> From: www-ws-arch-request@w3.org [mailto:www-ws-arch-request@w3.org]On
> Behalf Of Joseph Reagle
> Sent: Wednesday, June 19, 2002 11:41 AM
> To: Krishna Sankar; www-ws-arch@w3.org
> Subject: Re: SOAP Confidentiality and Integrity: Next Step?
>
>

<snip/>
> > 	Another question is the formation process - what do we do or more
> > precisely where do we start? In [2] you were suggesting
> > evangelizing/influencing the WS-Arch group. From what I read, in this
> > e-mail your thoughts are to form a focused WG but still a W3C WG. One of
> > the concerns I have is the 12-15 months it takes to initiate and
> > deliver a standard from W3C. I am appreciative of and support the peer
> > review and the rigor the W3C process brings into a domain. But could we
> > have a light-weight, accelerated process for W3C standards? Maybe this
> > is a good time to test this. Maybe we need a process to deliver
> > something between an amorphous note and a definitive W3C standard.
>
> Those discussions do occur, but I suggest that if one wants to move
> quickly on this topic one builds the community under the shelter of a
> charter (which gives the means of saying "no" and takes care of
> intellectual monopoly issues (copyright, patent)) and get going. There
> are specs out there that you can use now. If you want the peer review,
> the dependency management, the IPR safety, etc., it takes time.

The WSArch wg has decided to form subteams on security and on architecture
documents, and a schedule that says there will be an arch doc and
requirements portion of a charter in 4-5 weeks. We've started usage
scenarios for authentication, integrity and confidentiality, though they
aren't yet in the usage scenarios doc. There are some high-level
requirements around security, and we have agreed to authentication,
integrity and confidentiality for the first cut at a charter.

I don't know what the schedule is for final wg formation, assuming that that
schedule was met.  I think the process is arch produces reqs, then wsa cg
produces charter, w3c team produces charter for ac vote, 4 week ac vote,
w3ct decides on wg and announces.  That seems like at least a 2 month
process, which would start in September given the August break.  So I guess
the earliest for wg formation would be early November.  IMO, I have
reservations about both those schedules (end of july for reqs, November for
wg formation), but again that's just my opinion.

On to more of a personal opinion...

As a member of the ws-arch that has been probably the loudest proponent of
the "damn the torpedoes and ship a security wg charter before we even do an
arch document" aka "time to market" approach aka "accelerated process" [1],
[2], [3], I would say that the WG is generally reticent of that approach.
There has been continued pushback in the group about needing a more detailed
architectural or other documents with varied coverage of principles, goals,
critical success factors, use cases, relationship to semantic web, and more
functional areas before doing security.  I did support Joseph's earlier
attempts at getting this work going in a more informal mechanism.  I also
volunteered to write/edit whatever the group wanted in terms of architecture
material, requirements, scenarios, etc. to expedite forming a security wg.

So I'm certainly disappointed that we've been going for over 4 months, and
we haven't talked about a single specific security requirement (like:
encrypt attachments, entire messages only, soap bodies? which kinds of
authentication tokens to support?  Should there be a processing model for
encryption/signing described and interchanged? etc.).

At some point, if the group does not want to move quickly on an area, that's
its choice (whether explicit or not) and part of the price of consensus.
Analogies of pushing rope come to mind ;-)

I hope this helps with an understanding of where the ws-arch group is wrt
security, as well as some personal observations on how we got to where
we are.

Cheers,
Dave

[1] http://lists.w3.org/Archives/Public/www-ws-arch/2002Mar/0172.html
[2] http://lists.w3.org/Archives/Public/www-ws-arch/2002Mar/0300.html
[3] http://lists.w3.org/Archives/Public/www-ws-arch/2002May/0097.html
Received on Thursday, 20 June 2002 11:33:46 GMT