- From: Joseph Hui <Joseph.Hui@exodus.net>
- Date: Wed, 8 May 2002 08:11:56 -0700
- To: "Dilber, Ayse, ALASO" <adilber@att.com>, <www-ws-arch@w3.org>
Ayse,

What you described was entirely different from the intent
and rendition of D-AR006.7. You should write up the "new goal"
(do you mean req?) to capture the interop aspect that you
meant to capture. But I believe interop is already covered
in another goal (D-AG001?)

Joe Hui
Exodus, a Cable & Wireless service
===================================================

> -----Original Message-----
> From: Dilber, Ayse, ALASO [mailto:adilber@att.com]
> Sent: Wednesday, May 08, 2002 6:13 AM
> To: Joseph Hui; www-ws-arch@w3.org
> Subject: RE: D-AR006.7 discussion points
>
> Regarding Joe's comments about AT&T's suggestion, since AT&T
> thinks interoperable security framework is very important for
> web services, perhaps we need to create a new goal to capture
> interoperability. However you want to handle it is OK with
> me as long as it is captured, I don't want to lose it.
> ayse
>
> -----Original Message-----
> From: Joseph Hui [mailto:Joseph.Hui@exodus.net]
> Sent: Tuesday, May 07, 2002 5:30 PM
> To: www-ws-arch@w3.org
> Subject: RE: D-AR006.7 discussion points
>
> > MSFT: To begin with, this should be called out as at a
> > different level of abstraction than the first 4
> > architectural requirements.
>
> You meant D-AR006.2 thru D-AR006.5?
>
> > In addition, this is just a web service, of which there
> > will be many alternatives.
>
> ^^^^ "This" referring to ...?
>
> > INTEL: Need some explanation about using Public Key
> > Encryption (PKE), and not using PKI.
>
> That would give the chance for some to cry "too detailed, too
> mechanismed, too ism'ed ..." Wouldn't it? ;0)
> Anyway, PKE is a security primitive for key exchange and digital
> signature. PKI is the infrastructure for supporting such practice.
> They are not competing candidates.
>
> > Also, the requirement should have been independent of
> > any specific technology such as PKE.
>
> This sounds politically correct. However, for all practical purposes,
> PKE stands out as the most viable technology for key exchange.
>
> > SYBS: Is it in the charter to identify at such fine grain
> > technologies to be used in Web Services
>
> I don't think granularity of technologies is at issue with D-AR006.7.
>
> > W3C: See
> > http://lists.w3.org/Archives/Public/www-ws-arch/2002May/0019.html
>
> In or out of scope? I'll leave it to the WG's consensus.
>
> > PF: I believe it sufficient that we say that public keys
> > should be used.
>
> This may come across to some as dictating mechanism.
>
> > That is very different than saying that PKI should be used. The use
> > of public keys does not require PKI.
>
> D-AR006.7 doesn't say or imply PKI should be used. Note the mention
> of KDC there.
>
> > CrossWeave: This implies an implementation of authentication,
> > integrity, and/or confidentiality. We shouldn't be prescribing
> > implementations.
>
> I don't understand how C-AR006.7 could be interpreted this way.
>
> > ATT: AT&T suggests to replace the word "include" with
> > "INTEROPERABLE" so it reads: The security framework must
> > INTEROPERATE with Key Management, pertaining to PKE and KDC
>
> The suggested replacement sounds awkward to me, e.g. IMO it bends the
> statement so out of whack that the original meaning is lost.
>
> >>> What we need is an interoperable framework. Perhaps we
> >>> need to define another goal to include the interoperability.
>
> Joe Hui
> Exodus, a Cable & Wireless service

Received on Wednesday, 8 May 2002 11:12:04 UTC