Re: Proposing a wsa:Security element

On Mar 14, 2005, at 3:33 PM, Ashok Malhotra wrote:

>> Did you have another group in mind ?
> There has been talk about starting a Policy WG.
>
You think a group focussed on policy should be tasked with specifying 
the details of how to secure message addressing properties in messages 
? How to describe that maybe...

>> IMO we are defining
>> addressing and we should also be defining how to secure the
>> addressing information.
>
> I think securing the addressing information has a lot in common
> woth securing other kinds of information and is orthogonal to
> the real concerns of the WS-Addressing WG.
>
Agree it has lots in common, but think addressing should be specific on 
how to secure the constructs it defines given that some of them are 
particularly open to abuse (here I'm thinking of ReplyTo).

Marc.

>
>> -----Original Message-----
>> From: Marc.Hadley@Sun.COM [mailto:Marc.Hadley@Sun.COM] On
>> Behalf Of Marc Hadley
>> Sent: Monday, March 14, 2005 11:59 AM
>> To: Ashok Malhotra
>> Cc: Hugo Haas; public-ws-addressing@w3.org; Rich Salz
>> Subject: Re: Proposing a wsa:Security element
>>
>> On Mar 14, 2005, at 11:17 AM, Ashok Malhotra wrote:
>>>
>>> In my view, all the security information shd be collected
>> together and
>>> shd go in the policy sub-bucket of the metadata bucket.
>> But there are
>>> many subtleties here depending on which direction the message is
>>> flowing etc.
>>>
>>> I suggest that the WS-Addressing WG not attempt to solve
>> this problem.
>>> The existence of a metadata bucket(in place or by
>> reference) is fine.
>>> The details shd be left to another WG.
>>>
>> Did you have another group in mind ? IMO we are defining
>> addressing and we should also be defining how to secure the
>> addressing information.
>> I'm strongly opposed to this group failing to adequately
>> address the security implications of our specification so
>> users have to wait for another WG (in say WS-I) to provide
>> the necessary information to get secure interoperability.
>>
>> Marc.
>>
>>>
>>>> -----Original Message-----
>>>> From: public-ws-addressing-request@w3.org
>>>> [mailto:public-ws-addresspendiing-request@w3.org] On
>> Behalf Of Rich
>>>> Salz
>>>> Sent: Monday, March 14, 2005 7:31 AM
>>>> To: Hugo Haas
>>>> Cc: public-ws-addressing@w3.org
>>>> Subject: Re: Proposing a wsa:Security element
>>>>
>>>>
>>>>> Couldn't such information go in the [metadata] bucket? It
>>>> seems that
>>>>> we added it for things just like that.
>>>>
>>>> Perhaps.  If you see my longer note about "trust model,"
>>>> you'll see that we need a way to aggregate a bunch of security
>>>> information, and make sure it ends up in a WS-Security
>> element.  This
>>>> may be different from other security information that just
>> needs to
>>>> be used between the client and the epr minter (which,  I
>> know, if out
>>>> of scope; out security model should support some kind of
>> interaction
>>>> there, however).
>>>>
>>>> Yes, a wsa:Security can go into the metadata bucket.  But
>> saying that
>>>> all or any ds:Signature, wsse:SecurityTokenReference,
>> etc., elements
>>>> get the kind of binding I propsed for wsa:Security, is a mistake.
>>>>
>>>> 	/r$
>>>>
>>>> --
>>>> Rich Salz, Chief Security Architect
>>>> DataPower Technology
>>>> http://www.datapower.com
>>>> XS40 XML Security Gateway
>>>> http://www.datapower.com/products/xs40.html
>>>>
>>>>
>>>>
>>>
>>>
>>>
>> ---
>> Marc Hadley <marc.hadley at sun.com>
>> Web Technologies and Standards, Sun Microsystems.
>>
>>
>>
>
>
---
Marc Hadley <marc.hadley at sun.com>
Web Technologies and Standards, Sun Microsystems.

Received on Monday, 14 March 2005 21:30:33 UTC