
Re: SOAP Confidentiality and Integrity: Next Step?

From: Joseph Reagle <reagle@w3.org>
Date: Fri, 21 Jun 2002 11:19:09 -0400
To: "Donald Adams" <dadams@tibco.com>, "David Orchard" <dorchard@bea.com>, "Krishna Sankar" <ksankar@cisco.com>
Cc: <www-ws-arch@w3.org>
Message-Id: <20020621151909.1C24D85C23@aeon.w3.org>

On Wednesday 19 June 2002 11:52 pm, Krishna Sankar wrote:
> From my understanding, what Joseph Reagle is attempting to do (I
> also support him on this) is to achieve a standardized way for integrity
> & confidentiality for SOAP; I would add the transport of tokens (a.k.a.
> SAML assertions, Kerberos Tickets,...) over SOAP as well into this
> effort. This clearly requires a lightweight and faster process than the
> yet-to-be-proposed Security initiative by the WS-Arch group.

Just to clarify, I'm not speaking with any W3C authority (if there is such a 
thing <grin/>) nor proposing an extraordinary process. I'm reporting that 
in terms of addressing the short term goal of integrity and confidentiality 
for SOAP, my path has led me to the WS-Arch WG. I'm not dismissing the 
importance of addressing other security components, nor the (difficult) 
task of coming to agreement on a coherent understanding of how these things 
fit together. I *am* saying that I haven't heard that we shouldn't do 
ws-sig-xenc, nor that if started there's a danger it'll conflict with the 
architectural view that will be arrived at. Furthermore, I'm suggesting the 
work might actually help gel a community. For instance, I'm interested in 
some of these issues, particularly ws-sig-xenc, but I'm not on the 
www-ws-arch@w3.org list. If there was a specific Group and list, I probably 
would be. Consequently, at the next face-to-face, maybe one of the days 
should be a security day? Half devoted to ws-sig-xenc and half devoted to 
security architecture. (Maybe a WG/workshop sort of thing in a parallel 
session?) And an effort should be extended to invite folks from the 
relevant security WGs (e.g., W3C, Oasis, IETF). I'd be happy to forward 
such an invitation on to my lists. 

And my final caveat, I'm not advocating that we necessarily need multiple 
representatives from every organization to fill the roster of the WS-Arch 
WG. More people makes that work more difficult. But as the WS-Arch WG is 
ready to spin off a security work, some community building might be in order.
Received on Friday, 21 June 2002 11:19:45 GMT
