
RE: D-AG006 Security

From: Anne Thomas Manes <anne@manes.net>
Date: Wed, 8 May 2002 18:32:01 -0400
To: "David Orchard" <dorchard@bea.com>, "'Mark Baker'" <distobj@acm.org>, "'Darran Rolls'" <Darran.Rolls@waveset.com>
Cc: "'Dilber, Ayse, ALASO'" <adilber@att.com>, "'Joseph Hui'" <Joseph.Hui@exodus.net>, "'Edgar, Gerald'" <gerald.edgar@boeing.com>, "'Abbie Barbir'" <abbieb@nortelnetworks.com>, "'Allen Brown'" <allenbr@microsoft.com>, <www-ws-arch@w3.org>
Message-ID: <CJEIKEMEBAONGDDNLEKFEEPIEDAA.anne@manes.net>
Agreed, although SAML and XACML artifacts are simply security tokens (a more
generic term than credentials), so as long as we define a standard mechanism
to pass security tokens, I'll be happy. But we're talking mechanics rather
than requirements.

The requirements that I'd like to see addressed are message integrity,
authentication, authorization, confidentiality, and trust model description.
I believe that Ayse also wants to include auditing in the list. It sounds as
if you would prefer to exclude authorization and auditing.

I'd be most pleased to use WS-Security as a starting point, but I realise
that it may not be available to us to use. Mark implied that he thought that
we really didn't need a WG. I was simply trying to point out that although a
*bunch* of security standards exist, they don't *in their current form*
fulfill the needs of Web services security. The only spec that I've seen so
far that begins to address the needs of Web services security is
WS-Security. Hence the need to launch this group.

Anne

> -----Original Message-----
> From: www-ws-arch-request@w3.org [mailto:www-ws-arch-request@w3.org]On
> Behalf Of David Orchard
> Sent: Wednesday, May 08, 2002 5:36 PM
> To: 'Anne Thomas Manes'; 'Mark Baker'; 'Darran Rolls'
> Cc: 'Dilber, Ayse, ALASO'; 'Joseph Hui'; 'Edgar, Gerald'; 'Abbie
> Barbir'; 'Allen Brown'; www-ws-arch@w3.org
> Subject: RE: D-AG006 Security
>
>
> Anne,
>
> Could you live with doing message integrity, authentication (credential
> exchange), confidentiality, trust model description as our first security
> WG, with a plan to do the SAML/XACML artifact passing in a second version?
> This seems to be a great 80/20 point for our first cut at requirements, and
> is what I proposed a few (many?) emails ago.
>
> Agreed that WS-Security may be a good start.  I'm not as worried about the
> fact that it's not a standard, but more whether msft/ibm/verisign want to
> suggest ws-security be used.  They may have IPR concerns with W3C IP policy.
> I figure we get the security wg going, and then ask the WG to evaluate the
> best solutions available for its use.  If WS-Security isn't available, then
> it may have to create something different, but hopefully that won't happen.
>
> Cheers,
> Dave
>
> > -----Original Message-----
> > From: www-ws-arch-request@w3.org [mailto:www-ws-arch-request@w3.org]On
> > Behalf Of Anne Thomas Manes
> > Sent: Wednesday, May 08, 2002 2:29 PM
> > To: Mark Baker; Darran Rolls
> > Cc: Anne Thomas Manes; David Orchard; Dilber, Ayse, ALASO; Joseph Hui;
> > Edgar, Gerald; Abbie Barbir; Allen Brown; www-ws-arch@w3.org
> > Subject: RE: D-AG006 Security
> >
> >
> > Mark,
> >
> > The problem does not already have a solution. There are a number of
> > standards that will be cited by this working group (XML Signature, XML
> > Encryption, XKMS, SAML, XACML, etc.), but there's no standard that ties
> > these standards to Web services and SOAP. We need a standard that defines
> > how to sign all or part of a SOAP message, how to represent the XML
> > signature in a SOAP message, how to obtain the keys necessary to decrypt
> > the message, how to pass credentials in a SOAP message, and how to
> > represent credential delegation in a SOAP message, etc., etc. The best
> > specification at our disposal is IBM/Microsoft/Verisign's WS-Security, but
> > it isn't a standard. And it doesn't talk about how to pass SAML assertions
> > or XACML policies in a SOAP message. It doesn't tie in XKMS. That's why we
> > need a working group.
> >
> > Anne
> >
> > > -----Original Message-----
> > > From: www-ws-arch-request@w3.org [mailto:www-ws-arch-request@w3.org]On
> > > Behalf Of Mark Baker
> > > Sent: Wednesday, May 08, 2002 4:26 PM
> > > To: Darran Rolls
> > > Cc: Mark Baker; Anne Thomas Manes; David Orchard; Dilber, Ayse, ALASO;
> > > Joseph Hui; Edgar, Gerald; Abbie Barbir; Allen Brown; www-ws-arch@w3.org
> > > Subject: Re: D-AG006 Security
> > >
> > >
> > > On Wed, May 08, 2002 at 02:12:27PM -0500, Darran Rolls wrote:
> > > > Sounds like a potential part of the charter wording "ensuring reuse of
> > > > existing web service security standards..."
> > >
> > > That would be good too, in case we miss any.  But do we really want
> > > to charter a WG only to find out that the problem already has a
> > > solution?
> > >
> > > As I said on our very first call, I strongly believe that we don't
> > > have as much work to do as most WG members might believe, at least
> > > for some areas (not all).  I request the opportunity to demonstrate
> > > this.
> > >
> > > MB
> > > --
> > > Mark Baker, Chief Science Officer, Planetfred, Inc.
> > > Ottawa, Ontario, CANADA.      mbaker@planetfred.com
> > > http://www.markbaker.ca   http://www.planetfred.com
> > >
> >
> >
>
Received on Wednesday, 8 May 2002 18:32:32 GMT
