
RE: D-AG006 Security

From: Joseph Hui <jhui@digisle.net>
Date: Fri, 8 Mar 2002 18:19:12 -0800
Message-ID: <C153D39717E5F444B81E7B85018A460B081B2738@ex-sj-5.digisle.com>
To: "Krishna Sankar" <ksankar@cisco.com>, <www-ws-arch@w3.org>
> -----Original Message-----
> From: Krishna Sankar [mailto:ksankar@cisco.com]
[snip]
>  | 2. You have described the techniques one may use to secure
>  | *any* web service usage scenario. It would be useful to see 
>  | whether there are categories of usage scenarios where some 
>  | specific combination of techniques will make sense. For 
>  | example, should accessing a "weather info service," be 
>  | secured using authorization, authentication? Should the 
>  | weather info be ensured to be authentic and unaltered?
>  | Same questions for sending in a bill payment to a bank from
>  | a customer. If there are many categories, then we may see
>  | how to satisfy all of them in a generic way. Alternately,
>  | we may suggest techniques that may be generically adopted.
>  | 
> <KS>
> 	I do not think we should get into this. For example we could
> describe security 1-10 or weak, medium or strong or ... Again the
> relative strengths or other similar grading attributes are domain
> specific i.e. a weak authC in one domain might be the strongest authC in
> another domain.
>
> 	IMHO, we would define and identify the various mechanisms and
> leave the interpretations to the domains/applications.

Agreed.  The WS-Arch doesn't do mechanisms, where vendors can max
out their ingenuities to differentiate their products.

Joe Hui
Exodus, a Cable & Wireless service
Received on Friday, 8 March 2002 21:19:22 GMT
