RE: D-AR006.7 discussion points

Ayse,

What you described was entirely different from the intent
and rendition of D-AR006.7.  You should write up the
"new goal" (do you mean req?) to capture the interop
aspect that you meant to capture.  But I believe
interop is already covered in another goal (D-AG001?)

Joe Hui
Exodus, a Cable & Wireless service
===================================================
> -----Original Message-----
> From: Dilber, Ayse, ALASO [mailto:adilber@att.com]
> Sent: Wednesday, May 08, 2002 6:13 AM
> To: Joseph Hui; www-ws-arch@w3.org
> Subject: RE: D-AR006.7 discussion points
> 
> 
> Regarding Joe's comments about AT&T's suggestion, since AT&T 
> thinks an interoperable security framework is very important for 
> web services, perhaps we need to create a new goal to capture 
> interoperability.  However you want to handle it is OK with 
> me as long as it is captured; I don't want to lose it.
> ayse
> 
> 
> -----Original Message-----
> From: Joseph Hui [mailto:Joseph.Hui@exodus.net]
> Sent: Tuesday, May 07, 2002 5:30 PM
> To: www-ws-arch@w3.org
> Subject: RE: D-AR006.7 discussion points
> 
> 
> > MSFT: To begin with, this should be called out as at a different
> > level of abstraction than the first 4 architectural requirements.
> 
> You meant D-AR006.2 thru D-AR006.5?
> 
> > In addition,
> > this is just a web service, of which there will be many alternatives.
>   ^^^^ "This" referring to ...?
> 
> > INTEL: Need some explanation about using Public Key 
> > Encryption (PKE), and not using PKI. 
> 
> That would give the chance for some to cry "too detailed, too
> mechanismed, too ism'ed ..."  Wouldn't it? ;0)  
> Anyway, PKE is a security primitive for key exchange and digital
> signature.  PKI is the infrastructure for supporting such practice.
> They are not competing candidates.
> 
> > Also, the requirement should have been independent of 
> > any specific technology such as PKE.
> 
> This sounds politically correct.  However, for all practical purposes,
> PKE stands out as the most viable technology for key exchange.
> 
> > SYBS: Is it in the charter to identify at such fine grain technologies
> > to be used in Web Services
> 
> I don't think granularity of technologies is at issue with D-AR006.7.
> 
> > W3C: See http://lists.w3.org/Archives/Public/www-ws-arch/2002May/0019.html
> 
> In or out of scope?  I'll leave it to the WG's consensus.
> 
> > PF: I believe it sufficient that we say that public keys should be used.
> 
> This may come across to some as dictating mechanism.
> 
> > That is very different than saying that PKI should be used.  The use
> > of public keys does not require PKI.
> 
> D-AR006.7 doesn't say or imply PKI should be used.  Note the mention
> of KDC there.
> 
> > CrossWeave: This implies an implementation of authentication,
> > integrity, and/or confidentiality.  We shouldn't be prescribing
> > implementations.
> 
> I don't understand how C-AR006.7 could be interpreted this way.
> 
> > ATT: AT&T suggests to replace the word "include" with "INTEROPERABLE"
> > so it reads: The security framework must INTEROPERATE with Key
> > Management, pertaining to PKE and KDC
> 
> The suggested replacement sounds awkward to me, e.g. IMO it bends the 
> statement so out of whack that the original meaning is lost.
> >>> What we need is an interoperable framework.  Perhaps we need to
> >>> define another goal to include the interoperability.
> 
> Joe Hui
> Exodus, a Cable & Wireless service
> 

Received on Wednesday, 8 May 2002 11:12:04 UTC