RE: D-AR006.11 discussion points from Dilber, Ayse, ALASO on 2002-05-06 (www-ws-arch@w3.org from May 2002)

From: Dilber, Ayse, ALASO <adilber@att.com>
Date: Mon, 6 May 2002 10:27:42 -0400
To: "Christopher Ferris" <chris.ferris@sun.com>, "wsawg public" <www-ws-arch@w3.org>
Message-ID: <5C2CE23B27AC4D449F75AFF4560419F6036C6DE5@OCCLUST04EVS1.ugd.att.com>

Chris, AT&T's comments were not included in your summary for goal 6.11.  As indicated in the balloting process AT&T has the following point:
D-AR006.11 the six aspects need to be replaced with the following seven aspects of the security framework: Auditing; Authentication (includes identification and authorization); Access Control (file permission, etc.); Confidentiality; Availability; Integrity; Non-repudiation.
Thanks,
Ayse

-----Original Message-----
From: Christopher Ferris [mailto:chris.ferris@sun.com]
Sent: Saturday, May 04, 2002 10:00 AM
To: wsawg public
Subject: D-AR006.11 discussion points

SUNW: This requirement goes "inside" a web service and places requirements
on how it is designed.  We should be focusing on externally observable
(through the web service interfaces) behaviour

SYBS: Implementation details. Don't seem to fit in Web Services Architecture
group..

W3C: See http://lists.w3.org/Archives/Public/www-ws-arch/2002May/0015.html

ORCL: I don't quite see how "an architecture" can actually provide an
interface. And in this case the goal may be too ambitious given the
number of different possible "infrastructures".

PF: I just don't see the need for this.

TIB: not clear to me that individual Web services would ever want to
know whether they were under DOS at some lower layer

CrossWeave: Don't understand this

CMPQ: The interface is for negotiating services that an infrastructure may
provide to, or perform on behalf of, a requesting Web Services.
Such value-added services may include: security, content delivery,
QoS, etc. For instance, a Web service may instruct (via the interface) the security
agents of its infrastructure to defend against DOS/DDOS attacks on its behalf.

This seems to say that the requirement is
"The security framework must provide for negotiations pertaining to
security considerations."

That is, the requirement is for negotiation support;  within security context,
it is security negotiation, within QoS context, it is QoS negotiation, etc.

Received on Monday, 6 May 2002 10:28:45 UTC