RE: D-AR006.7 discussion points from Dilber, Ayse, ALASO on 2002-05-08 (www-ws-arch@w3.org from May 2002)

From: Dilber, Ayse, ALASO <adilber@att.com>
Date: Wed, 8 May 2002 09:12:54 -0400
To: "Joseph Hui" <Joseph.Hui@exodus.net>, <www-ws-arch@w3.org>
Message-ID: <5C2CE23B27AC4D449F75AFF4560419F60377846F@OCCLUST04EVS1.ugd.att.com>

Regarding Joe's comments about AT&T's suggestion, since AT&T thinks interoperable security framework is very important for web services, perhaps we need to create a new goal to capture interoperability.  However you want to handle it is OK with me as long as it is captured, I don't want to loose it.
ayse

-----Original Message-----
From: Joseph Hui [mailto:Joseph.Hui@exodus.net]
Sent: Tuesday, May 07, 2002 5:30 PM
To: www-ws-arch@w3.org
Subject: RE: D-AR006.7 discussion points

> MSFT: To begin with, this should be called out as at a 
> different level of
> abstraction than the first 4 architecturral requirements. 

You meant D-AR006.2 thru D-AR006.5?

> In addition,
> this is just a web service, of which there will be many alternatives.
  ^^^^ "This" referring to ...?

> INTEL: Need some explanation about using Public Key 
> Encryption (PKE), and not using PKI. 

That would give the chance for some to cry "too detailed, too
mechanismed, too ism'ed ..."  Wouldn't it? ;0)  
Anyway, PKE is a security primitive for key exchange and digital
signature.  PKI is the infrastructure for supporting such practice.
They are not competing candidates.

> Also, the requirement should have been independent of 
> any specific technology such as PKE.

This sounds politically correct.  However, for all practical purpose,
PKE stands out as the most viable technology for key exchange.

> SYBS: Is it in the charter to identify at such fine grain technologies
> to be used in Web Services

I don't think granularity of technologies is at issue with D-AR006.7.

> W3C: See http://lists.w3.org/Archives/Public/www-ws-arch/2002May/0019.html

In or out of scope?  I'll leave it to the WG's consensus.

> PF: I believe it sufficient that we say that public keys should be used.

This may come across to some as dictating mechanism.

> That is very different than saying that PKI should be used.  The use
> of public keys does not require PKI.

D-AR006.7 doesn't say or imply PKI should be used.  Note the mention
of KDC there.

> CrossWeave: This implies an implementation of authentication, integrity, and/or
> confidentiality.  We shouldn't be prescribing implementations.

I don't understand how C-AR006.7 could be interpreted this way.

> ATT: AT&T suggests to replace the word "include" with "INTEROPERABLE" so
> it reads: The security framework must INTEROPERATE with Key Management,
> pertaining to PKE and KDC

The suggested replacement sounds awkward to me, e.g. IMO it bends the 
statement so out of whack that the original meaning is lost.
>>> What we need is an interoperable framework.  Perhaps we need to define another goal to include the interoperability.

Joe Hui
Exodus, a Cable & Wireless service

Received on Wednesday, 8 May 2002 09:13:47 UTC