W3C home > Mailing lists > Public > public-ws-chor@w3.org > November 2003

RE: Security requirements

From: Ahmed, Zahid <zahmed@ebay.com>
Date: Wed, 19 Nov 2003 14:07:44 -0800
Message-ID: <9CEDD4668EA651449918CA4C15A13B12026EC0E5@sjc-exm-25.corp.ebay.com>
To: <public-ws-chor@w3.org>

I think independent of WSDL version (i.e, start w/WSDL 1.1 and SOAP 1.1;
and support WSDL 2.0 later when it is available), it should be possible to describe 
policy sets for a choreography using WS-Policy, WS-PolicyFramework, 
WS-PolicyAttachment, and WS-PolicyAssertion.

However, the problem is that these family of specs are not yet vetted/approved by any
standards body. There's been some discussion from W3C on this topic, see:

If we can assume that WS-Policy* specs will evolve into an accepted standard then
perhaps such work can take place sooner rather than later . Arriving at the right
set of constraints and requirements for a set of choreography use cases seems
important. I am not sure if WSDL 2.0 will contain security assertion features although 
that could be an interesting future work to be pursued by OASIS WSS TC.

Finally, I don't see any explicit requirement/constraint on privacy; confidentiality is
covered though.

Zahid Ahmed
Platform Architect
eBay, Inc.

	-----Original Message-----
	From: Ugo Corda [mailto:UCorda@SeeBeyond.com]
	Sent: Wednesday, November 19, 2003 1:37 PM
	To: Fletcher, Tony; public-ws-chor@w3.org
	Subject: RE: Security requirements
	Hi Tony, 
	Assuming that our final CDL will be based on WSDL (which might be an incorrect assumption, given the fact that we currently have no stable spec), it's very likely that WSDL 2.0 will contain policy assertions including security-related ones. 
	Would it still make sense, under that scenario, to replicate those security policies at the CDL level? 
		-----Original Message-----
		From: public-ws-chor-request@w3.org [mailto:public-ws-chor-request@w3.org]On Behalf Of Fletcher, Tony
		Sent: Wednesday, November 19, 2003 1:14 PM
		To: public-ws-chor@w3.org
		Subject: Security requirements
		Dear Colleagues, 
		On the teleconference last night I kind of agreed to kick the ball into play on drafting some security requirements. So here goes. 
		It seems to me that the CDL can be declarative with regard to security. In other words it should support notation for flagging that certain security requirements have to be met at this point but can then rely on the 'stack' below the Choreography language layer to 'make it so'. 
		It should be possible to flag that a certain policy applies from this point in the choreography until the choreography ends or another flag is encountered. 
		Should be able to refer out to standard policy sets or state specific requirements explicitly. These should include ability to require: 
		authentication of the partner and or the message content source 
		that a secure audit log is made 
		that a message is protected from change (integrity) 
		that the contents of a message are hidden (confidentiality) 
		that the sending of a message is non-repudiable 
		that the receipt of a message is non-repudiable 
		that the message or message exchange is protected against replay 
		that the time of sending of a message is recorded 
		that the time of receiving of a message is recorded 
		that a time (/date) stamp is attached to a message when sent. 
		I am sure I have missed various things, but I hope that will encourage others to add / correct / rephrase. 
		Best Regards,
Received on Wednesday, 19 November 2003 17:07:49 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:30:14 UTC