- From: Joseph Reagle <reagle@w3.org>
- Date: Fri, 31 May 2002 19:42:15 -0400
- To: "Hallam-Baker, Phillip" <pbaker@verisign.com>, "'stephen.farrell@baltimore.ie'" <stephen.farrell@baltimore.ie>
- Cc: w3c-security-ig@w3.org, www-xenc-xmlp-tf@w3.org, hugo@w3.org, asirv@webmethods.com, "Hallam-Baker, Phillip" <pbaker@verisign.com>, Shivaram.Mysore@Sun.COM, fallside@us.ibm.com, dturner@microsoft.com
On Friday 31 May 2002 11:54 am, Hallam-Baker, Phillip wrote:
> I think that there are issues that have to be fixed in both groups, but
> that the bulk of the work should be done in XKMS. Otherwise I agree with
> Stephen, except to say that if the work is going to take place in W3C it
> is going to have to start very, very soon.

I could start work on new charters for dsig, xenc next week (and work with the chairs on XKMS depending on their time).

1. There's the question of how basic SOAP headers and processing with xmldsig and xenc. It's already in the scope of XENC charter to make sure these things can work together but not to specify them. I think it's reasonable to extend the charter to do so (as mostly done in [1] sans the token/kerberos stuff).

2. There's the question of tokens and kerberos support. I don't understand this quite yet (e.g., in 1.2 why is the UsernameToken above the Signature, but a reference to it is in the KeyInfo. Why not locate it in the KeyInfo?) I'm not sure where this should be addressed.

3. You mentioned a Kerberos KeyInfo. That sounds reasonable but one of the things I don't understand, per above, is how this is different than the token? Could it be tiny in a short spec? Also, do we imagine every algorithm and key structure needs to be standardized by the W3C?

4. You state, "The Security and SecureConversation issues have already been addressed in XKMS insofar as they relate to problems that any secure web service must address." Which parts of the XKMS spec, specifically, do you mean? Can they be separated into a different namespace/spec for easy re-use or handing off to a WS-Security WG?

[1] http://msdn.microsoft.com/library/en-us/dnglobspec/html/ws-security.asp?frame=true

> XKMS is very largely complete, but the issue of layering on a common web
> services security framework or not inevitably introduces delay.

I consider it pretty close to functionally complete (unless the WG accepts new requirements), but there's still a lot of work to do.

> Already
> there is an expectation that at some point in the future there will be an
> XKMS layered on whatever becomes of the GXA in whatever forum. So it is
> likely to be difficult to convince people that a non gxa layered XKMS
> represents a stable industry standard consensus.
>
> Given that the GXA/Whatever work in those areas is going to delay XKMS
> until it is complete the WG might as well begin addressing the issue.

I'm not aware of this dependency. In what way must XKMS wait for it? The idea is to put out modular specs that can be of service quickly without too many dependencies.

> There are other security issues that have to be considered of course. The
> ws-policy and ws-privacy components of the GXA for example, however these
> are going to have a dependence on WSDL while implementers of application
> specs such as XKMS and SAML can implement without those layers being
> completed and so they could be safely left to the July security group.
> This is also an area that will progress beyond pure security work and so
> chartering a new group might make sense for that reason.

I agree with this.
Received on Friday, 31 May 2002 19:43:36 UTC