W3C home > Mailing lists > Public > www-xenc-xmlp-tf@w3.org > May 2002

Re: Following up on XML Security

From: Joseph Reagle <reagle@w3.org>
Date: Fri, 31 May 2002 19:42:15 -0400
To: "Hallam-Baker, Phillip" <pbaker@verisign.com>, "'stephen.farrell@baltimore.ie'" <stephen.farrell@baltimore.ie>
Cc: w3c-security-ig@w3.org, www-xenc-xmlp-tf@w3.org, hugo@w3.org, asirv@webmethods.com, "Hallam-Baker, Phillip" <pbaker@verisign.com>, Shivaram.Mysore@Sun.COM, fallside@us.ibm.com, dturner@microsoft.com
Message-Id: <20020531234215.E025285A0C@aeon.w3.org>

On Friday 31 May 2002 11:54 am, Hallam-Baker, Phillip wrote:
> I think that there are issues that have to be fixed in both groups, but
> that the bulk of the work should be done in XKMS. Otherwise I agree with
> Stephen, except to say that if the work is going to take place in W3C it
> is going to have to start very, very soon.

I could start work on new charters for dsig, xenc next week (and work with 
the chairs on XKMS depending on their time).

1. There's the question of how basic SOAP headers and processing with 
xlmdsig and xenc. It's already in the scope of XENC charter to make sure 
these things can work together but not to specify them. I think its 
reasonable to extend the charter to do so (as mostly done in [1] sans the 
token/kerberos stuff).
2. There's the question of tokens and kerberos support. I don't understand 
this quite yet (e.g., in 1.2 why is the UsernameToken above the Signature, 
but a reference to it is in the KeyInfo. Why not locate it in the KeyInfo?) 
I'm not sure where this should be addressed.
3. You mentioned a Kerberos KeyInfo. That sounds reasonable but one of the 
things I don't understand, per above, is how this is different than the 
token? Could it be tiny in a short spec? Also, do we imagine every  
algorithm and key structure needs to be standardized by the W3C?
4. You state, "The Security and SecureConversation issues have already been 
addressed in XKMS insofar as they relate to problems that any secure web 
service must address." Which parts of the XKMS spec, specifically, do you 
mean? Can they be seperated into a different namespace/spec for easy re-use 
or handing off to a WS-Security WG?

[1] 
http://msdn.microsoft.com/library/en-us/dnglobspec/html/ws-security.asp?frame=true

> XKMS is very largely complete, but the issue of layering on a common web
> services security framework or not inevitably introduces delay.

I consider it pretty close to functionally complete (unless the WG accepts 
new requirements), but there's still a lot of work to do.

> Already
> there is an expectation that at some point in the future there will be an
> XKMS layered on whatever becomes of the GXA in whatever forum. So it is
> likely to be difficult to convince people that a non gxa layered XKMS
> represents a stable industry standard consensus.
>
> Given that the GXA/Whatever work in those areas is going to delay XKMS
> until it is complete the WG might as well begin addressing the issue.

I'm not aware of this depenendency. In what way must XKMS wait for it? The 
idea is to put out modular specs that can be of service quickly without too 
many depenencies.

> There are other security issues that have to be considered of course. The
> ws-policy and ws-privacy components of the GXA for example, however these
> are going to have a dependence on WSDL while implementers of application
> specs such as XKMS and SAML can implement without those layers being
> completed and so they could be safely left to the July security group.
> This is also an area that will progress beyond pure security work and so
> chartering a new group night make sense for that reason.

I agree with this.
Received on Friday, 31 May 2002 19:43:36 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.30 : Friday, 25 March 2005 11:21:54 GMT