[W3-WSAWG] WS-Arch Requirements

Hi Daniel,

Looking at the calendar, I think the WG will be well served to take
the cues from you the other day and again from Mike today to start
something on the requirements.

First of all, have you editor folks decided on how the requirements
be organized? E.g. are we to group them by categories, say: 
General (WSAGenReqxxx), Security (WSASecReqxxx),
Messaging (WSAMsgReqxxx), etc?

Separate from whatever you might have already made requirements of
using the WS properties I listed in
http://lists.w3.org/Archives/Public/www-ws-arch/2002Feb/0154.html ,
I've got a few more strawmen to start some Req Def fire.  I've taken
care to keep them dry (thus more flammable ;-) and shall embellish
on demand.  (Please feel free to retag the req IDs as you see fit
to jive with your doc style.)

Here they go.


General

WSAGenReq0xx

  [UDI, XML, Standardized API, D&D, etc.  
   You've got them already, right?]

WSAGenReq011
  The architecture MUST provide an interface for web services to
  directly communicate with their underlying infrastructure.

  The interface is for negotiating services that an infrastructure
  may provide to, or perform on behalf of, a requesting web services.
  Such value-added services may include: security, content delivery,
  QoS, etc.  For instance, a web service may instruct (via the
  interface) the security agents of its infrastructure to defend
  against DOS/DDOS attacks on its behalf.
  
  See also WSASecReq001.


Security

There are six aspects in the security framework for web services
architecture: Accessibility, Authentication, Authorization,
Confidentiality, Integrity, and Non-repudiation.  Together they
form the foundation for secure web services.

WSASecReq001
  Accessibility to a web service can be impaired by DOS/DDOS attacks.
  It is understood that there's little a web service residing well
  above the transport layer of a network stack can effectively detect
  such transgression, let alone deploy countermeasures.
  Therefore, the security framework MUST provide recourse for
  web services to mitigate the hazard.

  See also WSAGenReq00x.

  <!--
   In the "security completeness" thread, someone, sorry I forgot who,
   had stated that we should include Accessibility in WS security, and
   I suggested we should do the "five" and treat Accessibility only in
   the form of Security Consideration.  Come to think of it, we may as
   well go for broke and do them all in full.
  -->

WSASecReq002.1
  The security framework MUST include Authentication for the identities
  of communicating parties.

WSASecReq002.2
  The security framework MUST include Authentication for data (sent and
  received by communicating parties).

WSASecReq003
  The security framework MUST include Authorization, with allowance
  for the coexistence of dissimilar authorization models.

WSASecReq004
  The security framework MUST include Confidentiality.

WSASecReq005
  The security framework MUST include (data) Integrity.

WSASecReq006
  The security framework MUST include Non-repudiation between
  transacting parties.

  Note that there is a close relationship among WSASecReq002.1,
  WSASecReq002.2, WSASecReq005, and WSASecReq006, a la digital
  signature.

WSASecReq007
  The security framework MUST include Key Management, pertaining
  to Public Key Encryption (PKE) and Key Distribution Center (KDC).

WSASecReq008
  The security framework document SHOULD provide some guidelines for
  securing private keys, though the methods for securing private
  keys is outside the scope of the architecture.

WSASecReq009
  The security framework document SHOULD recommend a baseline for
  trust models.

Regards,

Joe Hui
Exodus, a Cable & Wireless service

Received on Tuesday, 5 March 2002 14:07:26 UTC