RE: public-wsawg-security-tf - where to start

Hello again,

Moving forward on the security issues and working with Francis's
recommendation, we need to jump-start the work ASAP.

At this stage, I will suggest the following:

1. We need a section that discusses the need for security. This can address
all the issues from the architecture perspective. In the section we will
state the following:

a. Security is a feature that could be integrated in the architecture.
b. Point out the fact that it is deployment related and that it should be part
of an overall security framework for the adopters.
c. Point to work that is being done to achieve that (OASIS, etc.)
d. State that some recommendations will be spec and others will not, and the
adopter should keep track of that.

This should be done in about two pages.

I will start the process early next week and pass the draft to you for your
feedback.

Please let me know if u have any problems with that. Of course any help will
be appreciated.



Thanks

Abbie



> -----Original Message-----
> From: Francis McCabe [mailto:fgm@fla.fujitsu.com] 
> Sent: Wednesday, March 19, 2003 12:37 PM
> To: Barbir, Abbie [CAR:1A00:EXCH]
> Cc: Edgar, Gerald; public-wsawg-security-tf@w3.org
> Subject: Re: public-wsawg-security-tf - where to start
> 
> 
> Hi Abbie:
>    I think that you are still overestimating the effort involved.
> 
>    If you think of the WSA as a framework architecture rather than a 
> specific implementation arch, then all that is really required is to 
> establish the key `entry points' that are necessary; and potentially 
> point to the more specific specs.
> 
>    E.g., I doubt v. much that we need to investigate the presence or 
> lack of support for security in WSDL.
> 
> Really, the question that needs to be answered is:
> 
> How does the WSA account for security?
> 
> The answer is going to be a combination of two things:
> 
> the key concepts needed for security and a pointer to a more detailed 
> spec.
> 
> This is both easier and harder than dumping a list of specifics; easier
> because there should be less typing, harder because getting the right
> key is difficult.
> 
> Frank
> 
> On Tuesday, March 18, 2003, at 04:29  PM, Abbie Barbir wrote:
> 
> > Gerald, and all,
> >
> > HI,
> >
> > I have been on the road with no e-mail access.
> > OK,
> > for the Thursday meeting and the rest of the road map, here is what I
> > think we should do to the architecture draft.
> > 1. we should add a security section. the section will consist of the
> > following
> > a- basic security objectives, basically on my slides are the
> > Authentication, authorization, etc.
> > b- next we list the available techniques that are being standardized
> > today. we may even mention the techniques that are on the wish list in
> > OASIS and other SDO.
> >
> > The general approach will be the following:
> > 1. privacy issues (human behavior as opposed to data) are out of scope
> > of our work.
> > 2. need to mention that security is basically a feature, it should be taken
> > into consideration in the design of web services. the approach should be
> > compatible with the enterprise (or company security policy). wsa
> > security adds an extra dimension, and is part of the overall security.
> >
> > 3. we need to see if the wsa architecture has any major misalignment
> > with the architecture that SAML, XKMS, etc. are based on; if yes
> > (which I doubt) need to align the delta and decide if the approach
> > works or not.
> >
> > 4. Need to see if SOAP security through WS-Security is applicable or
> > not (Any major issues with what URI defines or not).
> >
> > 5. Need to see if we need any requirements on WSDL, such as
> > specifying security as a feature or not.
> > 6. Need to address ws-policy, ws-privacy, ws-routing, etc.
> > 7. how does security relate to choreography. what do we need to
> > mention there.
> >
> >
> > This is a good starting point for discussion, so please respond.
> >
> > I will be on the plane friday.
> > Gerald, if this e-mail does not make it to the list can u please fwd
> > it.
> >
> >
> > abbie
> >
> >
> >
> >
> > > -----Original Message-----
> > > From: Edgar, Gerald [mailto:gerald.edgar@boeing.com]
> > > Sent: Tuesday, March 18, 2003 11:14 AM
> > > To: Barbir, Abbie [CAR:1A00:EXCH]
> > > Subject: RE: public-wsawg-security-tf - where to start
> > >
> > >
> > > There has not been much activity yet. are we going to have
> > > teleconference meetings that we can get going? your presentation on
> > > web services security is a start, my diagrams are another cut. What
> > > will our next steps be?
> > >
> > > Gerald
> > >
> >
> 
> 

Received on Monday, 24 March 2003 16:07:59 UTC