W3C home > Mailing lists > Public > www-ws-arch@w3.org > August 2005

Security and Privacy - SSL?

From: Daniel Ruoso <daniel@ruoso.com>
Date: Tue, 23 Aug 2005 19:22:29 -0300
To: www-ws-arch@w3.org
Cc: daniel@ruoso.com
Message-Id: <1124835749.8832.38.camel@cajazeiras.matriz.oktiva.com.br>

Hi,

After reading the current version of the document, I noticed (and it's
actually stated ther) that these two questions are not defined. As I'm
thinking a lot about all of these things, I'd like to share my view on
the matter.

SSL keys, specially X509 keys, are widely used today, indeed, the
brazillian government is adopting this standard as the legal digital
signature. As you know, it's possible not just to encrypt (privacy)
messages, but also to certify authenticity (security).

I've been thinking that is possible to build a web-of-trust between the
agents in this architecture, allowing, for instance, the agent to sign a
temporary key, or even use the key itself to transfer the messages. The
big deal is it won't demand a change in WSDL or SOAP, but the transport
will have a way to certify the autenticity of the message before parsing
the XML.

Also, when signing a key, you can specify the trust level, in a way you
can apply a policy that some resources/services are available only for
keys with N "trust points". In this way, an agent running in a secured
environment (a data center) would have more "trust points" than a agent
running in a desktop computer.

What do you think?

daniel

P.S.: Please include-me as CCs in all replies, as I'm not subscribed to
this list.
Received on Wednesday, 24 August 2005 02:51:37 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 3 July 2007 12:25:28 GMT