RE: D-AC006.2 discussion points from Joseph Hui on 2002-05-07 (www-ws-arch@w3.org from May 2002)

From: Joseph Hui <Joseph.Hui@exodus.net>
Date: Tue, 7 May 2002 15:55:47 -0400 (EDT)
To: <www-ws-arch@w3.org>
Message-ID: <45258A4365C6B24A9832BFE224837D551D1BEA@SJDCEX01.int.exodus.net>

> -----Original Message-----
> From: Christopher Ferris [mailto:chris.ferris@sun.com]
> Sent: Saturday, May 04, 2002 6:53 AM
> To: www-ws-arch@w3.org
> Subject: D-AC006.2 discussion points
> 
> MSFT: The W3C is not an articulator of security policies, but 
> rather an
> articulator of languages and protocols in which such policies can be
> stated and by which such policies can be enforced.

The crux of matter remains to be whether WSAWG's WS architecture
should entertain the notion of security policies as the "unit
of reference" (for the lack of a better term at the moment)
for implementing secure Web Services.

> SAG: More substantially, this seems awfully ambitious for a reference
> architecture; we need to identify the architectural 
> components responsible
> for enforcing security policies, and perhaps setup a working 
> group chartered
> to define the mechanisms to counter and mitigate the security hazards.

Probably.

> SUNW: WSAWG's responsibility is not to develop these, but to 
> outline and scope them for a new WG to take on as a deliverable.

Again, probably.  At some point we may have to decide when,
what, where, who, and how to punt WSSec from this group.

> SYBS: I think we may come up with model which will allow
> people to establish security policies across
> web service invocations, but not sure if we would come
> up with a set of security policies to be supported
> by an architecture.

Someone has to.

> W3C: See 
> http://lists.w3.org/Archives/Public/www-ws-arch/2002May/0011.html

Yes, the intermediary step is necessary so the security model will
be built directly upon sec policies instead of sec threats.

> PF: I don't believe it is a required part of a reference architecture to
> solve all identifiable security problems. 

Maybe not, as you said.  OTOH, it's up to this WSAWG's consensus
to decide how far we would go on behalf of the public.

> Vendors might want to
> differentiate their products based on their security solutions, while
> remaining interoperable with other products.

Indeed.  How such solutions are built, sold and bought, will be
guided by individual sec policies though.  

> CrossWeave: I think we should provide security mechanisms for
> combating threats, but should leave the policies up to implementations.

It was established that WSAWG doesn't do mechanisms.

Joe Hui
Exodus, a Cable & Wireless service

Received on Tuesday, 7 May 2002 16:40:04 UTC