RE: D-AG006 Security from Ahmed, Zahid on 2002-05-09 (www-ws-arch@w3.org from May 2002)

From: Ahmed, Zahid <zahid.ahmed@commerceone.com>
Date: Thu, 9 May 2002 12:59:52 -0700
To: www-ws-arch@w3.org
Message-ID: <C1E0143CD365A445A4417083BF6F42CC02F890BF@C1plenaexm07.commerceone.com>
While I strongly agree that web services security model should
not limit inclusion of all relevant security layers - atleast as
part of the WG charter, for example, SAML Assertions, I think
some of the underlying work, e.g., Web Services/SOAP Binding
of SAML components, does not explicitly need to be done by
this WS-Arch's Security WG. 

As mentioned before the SAML extension to Web Services can be 
done outside the WS-Arch's Security working group, particularly 
if we lay down the rules of how such extensions could be included 
with SOAP based web services using the security model the 
WS-Arch security WG defines.

Hence, the W3C-Arch's Security WG should define the web services 
security model to be extensibile in terms of adding additional 
security features such that secuirity interoperability at all 
layers of web services stack can be achieved. But this does not 
mean that the Security WG must tasks itself to do ALL the
security layers work. That's NOT feasible.

I would propose then that the Security WG focus on the
following:


1) Web Services Security Model
   Develop a web services security model which is consistent with
   the scope of Web Services Usage Scenario and Requirements document;
   the scope should include atleast the following areas:
       - how web services message exchanges will support integrity
         of message- and document-level contents;
       - how web services message exchanges will support confidentiality
         of message- and document-level contents;
	 - how web services message exchanging parties can be authenticated
         using interoperatible credential;
	 - how web services participate can be trusted using a standardized
         web services trust model;
	 - how additional security features can be added into the above
         model in a consistent and interoperatible way;

2) Standardized SOAP Security Extension
   How the web services security services model translates to 
   SOAP Message Exchange model, particularly as it relates to defintions
   of SOAP Security Header Extension(s)
3) Leveraging/Coordination with Existing Security Standards
   Decide what prevailing solutions/efforts/standards can be re-used
   as part of the web services security model to satisfy interoperability
   and extensibility requirements, for example: 
   (a) OASIS SAML v.1.0 
   (b) W3C XML Signature
   (c) W3C XML Encryption
   (d) XKMS Specification
   (e) Microsoft/IBM/Verisign's WS-Security Specification (see David O's
       previous e-mail thread on this w.r.t. IPR issues and whether
       msft/ibm/verisign want to suggest ws-security be used...)

 
Comments?

Zahid Ahmed
Security Architect
Commerce One, Inc.


   
-----Original Message-----
From: Sandeep Kumar [mailto:sandkuma@cisco.com]
Sent: Wednesday, May 08, 2002 9:03 PM
To: David Orchard; 'Anne Thomas Manes'; 'Mark Baker'; 'Darran Rolls'
Cc: 'Dilber, Ayse, ALASO'; 'Joseph Hui'; 'Edgar, Gerald'; 'Abbie
Barbir'; 'Allen Brown'; www-ws-arch@w3.org
Subject: RE: D-AG006 Security


Dave,

Let me first mention that I am *NOT* advocating against a phased approach.

Clearly, I *MIS-COMMUNICATED* :( and I apologise.

I believe in a phased approach myself and would help in any which way
I can to accomplish the end goal, which IMO in this case, is:

	- an end-to-end comprehensive application level web-services
security model
and technologies that would enable that model.

What I would be cautious about (and that is what I mis-read apparently)
is to *leave out* certain aspects of the end-to-end security model
from consideration of the WS security charter. This is what I wanted to
communicate.

For instance, WS-Security has left SAML out, and I don't like that. I don't
want us
to get stuck in that similar roadmap.

I would be happy to leave certain aspects of the WS security model after
having some serious brainstorming around the usage scenarios (something that
you had proposed earlier, prior to writing the charter). I think your
proposed
approach must be seriously considered by this WG before starting to write
the charter.

I hope I am clear about my position, which I think is very supportive of
your
thinking and proposal.

Regards,
Sandeep Kumar
Cisco Systems

-----Original Message-----
From: David Orchard [mailto:dorchard@bea.com]
Sent: Wednesday, May 08, 2002 8:22 PM
To: 'Sandeep Kumar'; 'Anne Thomas Manes'; 'Mark Baker'; 'Darran Rolls'
Cc: 'Dilber, Ayse, ALASO'; 'Joseph Hui'; 'Edgar, Gerald'; 'Abbie
Barbir'; 'Allen Brown'; www-ws-arch@w3.org
Subject: RE: D-AG006 Security


Sandeep,

You don't think we can have a roadmap and tackle smaller pieces in phases?
That we (or more actually the security WG) have to consider all in the first
revision?  This is somewhat surprising to me. as I've always admired your
companies' delivery of phased products.  Could you explain this to me, as
I'm just really surprised to hear an advocate against a phased approach.

I'd be interested in a straw poll of how many people don't want a
multi-phase approach for security or any other areas.  Our group clearly
still has to discuss approach to requirements and charters, and how
comfortable we are with moving quickly.

I'd also be interested in finding out where consensus is on security
functionality for v1 - perhaps authentication/integrity/confidentiality? -
and what the group thinks of additional functionality.

Cheers,
Dave

> -----Original Message-----
> From: www-ws-arch-request@w3.org [mailto:www-ws-arch-request@w3.org]On
> Behalf Of Sandeep Kumar
> Sent: Wednesday, May 08, 2002 5:34 PM
> To: Anne Thomas Manes; Mark Baker; Darran Rolls
> Cc: David Orchard; Dilber, Ayse, ALASO; Joseph Hui; Edgar,
> Gerald; Abbie
> Barbir; Allen Brown; www-ws-arch@w3.org
> Subject: RE: D-AG006 Security
>
>
> Anne: I fully agree with you the way you have outlined the domain
> for this (to be?) proposed new WG.
>
> I would lke to further add that ALL of these technologies MUST
> be comprehensively considered by that WG as part of 1-PHASE and NOT in
> phases
> (as I saw some such mention in a thread).
>
> Sandeep
>
>
> -----Original Message-----
> From: www-ws-arch-request@w3.org [mailto:www-ws-arch-request@w3.org]On
> Behalf Of Anne Thomas Manes
> Sent: Wednesday, May 08, 2002 2:29 PM
> To: Mark Baker; Darran Rolls
> Cc: Anne Thomas Manes; David Orchard; Dilber, Ayse, ALASO; Joseph Hui;
> Edgar, Gerald; Abbie Barbir; Allen Brown; www-ws-arch@w3.org
> Subject: RE: D-AG006 Security
>
>
> Mark,
>
> The problem does not already have a solution. There are a number of
> standards that will be cited by this working group (XML Signature, XML
> Encryption, XKMS, SAML, XACML, etc.), but there's no standard
> that ties
> these standards to Web services and SOAP. We need a standard
> that defines
> how to sign all or part of a SOAP message, how to represent the XML
> signature in a SOAP message, how to obtain the keys necessary
> to decrypt the
> message, how to pass credentials in a SOAP message, and how
> to represent
> credential delegation in a SOAP message, etc., etc.. The best
> specification
> at our disposal is IBM/Microsoft/Verisign's WS-Security, but
> it isn't a
> standard. And it doesn't talk about how to pass SAML
> assertions or XACML
> policies in a SOAP message. It doesn't tie in XKMS. That's
> why we need a
> working group.
>
> Anne
>
> > -----Original Message-----
> > From: www-ws-arch-request@w3.org
> [mailto:www-ws-arch-request@w3.org]On
> > Behalf Of Mark Baker
> > Sent: Wednesday, May 08, 2002 4:26 PM
> > To: Darran Rolls
> > Cc: Mark Baker; Anne Thomas Manes; David Orchard; Dilber,
> Ayse, ALASO;
> > Joseph Hui; Edgar, Gerald; Abbie Barbir; Allen Brown;
> www-ws-arch@w3.org
> > Subject: Re: D-AG006 Security
> >
> >
> > On Wed, May 08, 2002 at 02:12:27PM -0500, Darran Rolls wrote:
> > > Sounds like a potential part of the charter wording
> "ensuring reuse of
> > > existing web service security standards..."
> >
> > That would be good too, in case we miss any.  But do we really want
> > to charter a WG only to find out that the problem already has a
> > solution?
> >
> > As I said on our very first call, I strongly believe that we don't
> > have as much work to do as most WG members might believe, at least
> > for some areas (not all).  I request the opportunity to demonstrate
> > this.
> >
> > MB
> > --
> > Mark Baker, Chief Science Officer, Planetfred, Inc.
> > Ottawa, Ontario, CANADA.      mbaker@planetfred.com
> > http://www.markbaker.ca   http://www.planetfred.com
> >
>
>
>
Received on Thursday, 9 May 2002 16:00:03 UTC