Re: Proposing a wsa:Security element from Marc Hadley on 2005-03-14 (public-ws-addressing@w3.org from March 2005)

From: Marc Hadley <Marc.Hadley@Sun.COM>
Date: Mon, 14 Mar 2005 14:59:10 -0500
To: Ashok Malhotra <ashok.malhotra@oracle.com>
Cc: Hugo Haas <hugo@w3.org>, public-ws-addressing@w3.org, Rich Salz <rsalz@datapower.com>
Message-id: <b3fad970300eace179c5df57f7f1c755@Sun.COM>

On Mar 14, 2005, at 11:17 AM, Ashok Malhotra wrote:
>
> In my view, all the security information shd be collected together and
> shd go in the policy sub-bucket of the metadata bucket.  But there are
> many subtleties here depending on which direction the message is 
> flowing etc.
>
> I suggest that the WS-Addressing WG not attempt to solve this problem.
> The existence of a metadata bucket(in place or by reference) is fine.
> The details shd be left to another WG.
>
Did you have another group in mind ? IMO we are defining addressing and 
we should also be defining how to secure the addressing information. 
I'm strongly opposed to this group failing to adequately address the 
security implications of our specification so users have to wait for 
another WG (in say WS-I) to provide the necessary information to get 
secure interoperability.

Marc.

>
>> -----Original Message-----
>> From: public-ws-addressing-request@w3.org
>> [mailto:public-ws-addresspendiing-request@w3.org] On Behalf Of Rich 
>> Salz
>> Sent: Monday, March 14, 2005 7:31 AM
>> To: Hugo Haas
>> Cc: public-ws-addressing@w3.org
>> Subject: Re: Proposing a wsa:Security element
>>
>>
>>> Couldn't such information go in the [metadata] bucket? It
>> seems that
>>> we added it for things just like that.
>>
>> Perhaps.  If you see my longer note about "trust model,"
>> you'll see that we need a way to aggregate a bunch of
>> security information, and make sure it ends up in a
>> WS-Security element.  This may be different from other
>> security information that just needs to be used between the
>> client and the epr minter (which,  I know, if out of scope;
>> out security model should support some kind of interaction
>> there, however).
>>
>> Yes, a wsa:Security can go into the metadata bucket.  But
>> saying that all or any ds:Signature,
>> wsse:SecurityTokenReference, etc., elements get the kind of
>> binding I propsed for wsa:Security, is a mistake.
>>
>> 	/r$
>>
>> --
>> Rich Salz, Chief Security Architect
>> DataPower Technology
>> http://www.datapower.com
>> XS40 XML Security Gateway
>> http://www.datapower.com/products/xs40.html
>>
>>
>>
>
>
>
---
Marc Hadley <marc.hadley at sun.com>
Web Technologies and Standards, Sun Microsystems.

Received on Monday, 14 March 2005 19:59:10 UTC