RE: Security Question from Ugo Corda on 2002-08-06 (www-ws-arch@w3.org from August 2002)

From: Ugo Corda <UCorda@SeeBeyond.com>
Date: Tue, 6 Aug 2002 13:11:10 -0700
To: "'Champion, Mike'" <Mike.Champion@SoftwareAG-USA.com>, www-ws-arch@w3.org
Message-ID: <C513FB68F8200244B570543EF3FC653708AE35ED@MAIL1.stc.com>

In a few days a WS-I representative will meet with W3C representatives to
discuss the relationship between the two organizations. I hope some well
defined process will be put in place soon to facilitate the exchange of
information between the two groups.

We should also keep in mind that, so far, WS-I is only addressing version
1.1 of SOAP and WSDL (versions which don't even have standard status). It
will be more interesting to see how WS-I will approach SOAP 1.2 and WSDL
1.2. 

In any case, any WS-I deliberation concerning the 1.1 versions will probably
have direct effect on current/near future use of Web Services, and will
shape people's expectations regarding the next versions of Web Services
components. As you say, it's something we definitely have to be aware of
and, possibly, publicly comment on.

Ugo

-----Original Message-----
From: Champion, Mike [mailto:Mike.Champion@SoftwareAG-USA.com]
Sent: Tuesday, August 06, 2002 12:00 PM
To: www-ws-arch@w3.org
Subject: RE: Security Question





> -----Original Message-----
> From: Ugo Corda [mailto:UCorda@SeeBeyond.com]
> Sent: Tuesday, August 06, 2002 1:47 PM
> To: 'Mark Baker'; Cutler, Roger (RogerCutler)
> Cc: www-ws-arch@w3.org
> Subject: RE: Security Question
> 
> 
> By the way, the latest decision of the WS-I Basic Profile in 
> this area is to
> require PSVI evaluation on the receiving side. (But it is still rather
> controversial within the working group).

Hmm, since the type information defined in a schema is part of the PSVI and
not the InfoSet, I guess my suggestion to not rely on the PSVI in a web
service was not well thought through ... still, I think the security
implications of default and fixed attribute values is something that we may
want to address.

Also, this reminds me that we need to think about this WG's relationship
with the WS-I.  I suspect that most of our companies are WS-I members, so
we'll have access to information about their deliberations, but we need to
be careful about whatever confidentiality guidelines WS-I may impose.  I
[personally, not wearing chair hat] think that we need to "harvest" WS-I
conclusions/recommendations and either a) endorse them; b) note caveats that
may make them less relevant in the future; or c) counter them if we really
think they are not in the best interest of the overall web/web services
architecture in the long run.

Received on Tuesday, 6 August 2002 16:11:45 UTC