Re: public-wsawg-security-tf - where to start

Hi Abbie:
   I think that you are still overestimating the effort involved.

   If you think of the WSA as a framework architecture rather than a 
specific implementation arch, then all that is really required is to 
establish the key `entry points' that are necessary; and potentially 
point to the more specific specs.

   E.g., I doubt v. much that we need to investigate the presence or 
lack of support for security in WSDL.

Really, the question that needs to be answered is:

How does the WSA account for security?

The answer is going to be a combination of two things:

the key concepts needed for security and a pointer to a more detailed 
spec.

This is both easier and harder than dumping a list of specifics; easier 
because there should be less typing, harder because getting the right 
key is difficult.

Frank

On Tuesday, March 18, 2003, at 04:29  PM, Abbie Barbir wrote:

> Gerald, and all,
>
> Hi,
>
> I have been on the road with no e-mail access.
> OK,
> for the Thursday meeting and the rest of the road map, here is what I 
> think we should do to the architecture draft.
> 1. We should add a security section. The section will consist of the 
> following:
> a- basic security objectives, basically on my slides are the 
> Authentication, authorization, etc.
> b- next we list the available techniques that are being standardized 
> today. We may even mention the techniques that are on the wish list in 
> OASIS and other SDOs.
>
> The general approach will be the following:
> 1. Privacy issues (human behavior as opposed to data) are out of scope 
> of our work.
> 2. Need to mention that security is basically a feature; it should be 
> taken into consideration in the design of web services. The approach 
> should be compatible with the enterprise (or company security policy). 
> WSA security adds an extra dimension, and is part of the overall security.
>
> 3. We need to see if the WSA architecture has any major misalignment 
> with the architecture that SAML, XKMS, etc. are based on; if yes 
> (which I doubt) need to align the delta and decide if the approach 
> works or not.
>
> 4. Need to see if SOAP security through WS-Security is applicable or 
> not (any major issues with what URI defines or not).
>
> 5. Need to see if we need any requirements on WSDL, such as 
> specifying security as a feature or not.
> 6. Need to address ws-policy, ws-privacy, ws-routing, etc.
> 7. How does security relate to choreography? What do we need to 
> mention there?
>
>
> This is a good starting point for discussion, so please respond.
>
> I will be on the plane Friday.
> Gerald, if this e-mail does not make it to the list can u please fwd 
> it.
>
>
> abbie
>
>
>
>
> > -----Original Message-----
> > From: Edgar, Gerald [mailto:gerald.edgar@boeing.com]
> > Sent: Tuesday, March 18, 2003 11:14 AM
> > To: Barbir, Abbie [CAR:1A00:EXCH]
> > Subject: RE: public-wsawg-security-tf - where to start
> >
> >
> > There has not been much activity yet. Are we going to have
> > teleconference meetings that we can get going? Your
> > presentation on web services security is a start, my diagrams
> > are another cut. What will our next steps be?
> >
> > Gerald
> >
>

Received on Wednesday, 19 March 2003 12:37:47 UTC