Input/Consensus Sought: should Sec Phase 1 include Authz?

> From: Hal Lockhart [mailto:hal.lockhart@entegrity.com]
> [snip]
> For current purposes I will settle for consensus around the
> idea that "Authentication without Authorization is insufficient".
> This is what major end users and industry gurus have been
> saying for the last five years or so.
 
Indeed; just look at the amount of resources poured into
Password and Liberty Alliance.  The saying that "just because
you've proven who you said you were doesn't mean you have
a free run of my system" always rings true in computing.
The coupling of the two in the problem domain was around
for many years and has remained relatively constant.
It's the solution domain that's evolving -- getting more
sophisticated, let's hope.
 
The main argument for keeping Authz out of Phase 1 is the
time-to-market (ttm) factor.  So the balance we are striving
for is to deliver some standards that most vendors will find
worth adopting.  On one hand, delivering layer 1 only in
Phase 1 would expedite delivery.  On the other, vendors
may find the promptly delivered package too light to pay
attention to, and thus it would see little adoption.  (Note that
adoption rate is what matters the most in standards.)  So the
art of the deal seems to be to make the Phase-1 package light,
but not too light.
 
Thus to the WG, the question is: should Authz be in Phase 1?
 
Comments?
 
Cheers,
 
Joe Hui
Exodus, a Cable & Wireless service  
 
PS.
I believe we have established in past meetings/calls the
rough consensus that Phase 1 will include Layer 1 and
Layer 1 comprises: Conf, Int, & Authc.
So in the interest of productivity I suggest we focus on Authz
at this juncture and not revisit old, settled issues unnecessarily.  Thx.
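The point in the quoted exchange, that proving who a caller is does not by itself decide what the caller may do, shown in working code. This is an added example, not part of the thread or of any WSAWG deliverable; the HMAC bearer-token scheme, the user names and the access-control list are all constructed for illustration, and the shared secret is hard-coded only to keep the example self-contained.

```python
"""Authentication (Layer 1) versus authorization (Layer 2) in a service handler.

Added example, not from the W3C WS-Arch thread. The token format, the
principals and the ACL are constructed for illustration only.
"""
import hashlib
import hmac

# Constructed shared secret for the demo; a real service would load it
# from a secret store, never hard-code it.
SECRET = b"demo-secret-not-for-production"

# Constructed access-control list: (principal, action, resource) -> allowed.
# Anything not listed is denied (default deny).
ACL = {
    ("alice", "read", "/accounts/alice"): True,
    ("alice", "write", "/accounts/alice"): True,
    ("bob", "read", "/accounts/bob"): True,
}


def issue_token(user: str) -> str:
    """Issue a simplified bearer token 'user:hexmac' bound to SECRET."""
    mac = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{mac}"


def authenticate(token: str):
    """Verify the token and return the principal, or None if forged/malformed."""
    user, sep, mac = token.rpartition(":")
    if not sep or not user:
        return None
    expected = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(mac, expected):
        return None
    return user


def authorize(principal: str, action: str, resource: str) -> bool:
    """Default-deny policy check: only explicit ACL entries are allowed."""
    return ACL.get((principal, action, resource), False)


def handle_authn_only(token: str, action: str, resource: str):
    """Layer-1-only handler: a verified identity gets a free run of the system.

    This is the insufficient design the thread warns about: any authenticated
    caller can act on any resource.
    """
    principal = authenticate(token)
    if principal is None:
        return (401, "unauthenticated")
    return (200, f"{principal} {action} {resource}")


def handle_authn_authz(token: str, action: str, resource: str):
    """Layer-1 plus Layer-2 handler: identity is established, then policy decides."""
    principal = authenticate(token)
    if principal is None:
        return (401, "unauthenticated")
    if not authorize(principal, action, resource):
        return (403, "forbidden")
    return (200, f"{principal} {action} {resource}")


if __name__ == "__main__":
    bob = issue_token("bob")
    # Bob is a legitimate, authenticated user asking for Alice's account.
    print("authn only :", handle_authn_only(bob, "read", "/accounts/alice"))
    print("authn+authz:", handle_authn_authz(bob, "read", "/accounts/alice"))
    # A forged token fails at Layer 1 in both designs.
    print("forged     :", handle_authn_authz("mallory:deadbeef", "read", "/accounts/bob"))
```

The two handlers differ only in the single `authorize` call; with it missing, the service cannot distinguish "a real user" from "a user allowed to touch this resource", which is why the thread treats confidentiality, integrity and authentication as necessary but not sufficient.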

 ================================================== 

Hal 

> -----Original Message----- 
> From: Joseph Hui [ mailto:Joseph.Hui@exodus.net] 
> Sent: Wednesday, July 10, 2002 3:14 PM 
> To: www-ws-arch@w3.org 
> Cc: hal.lockhart@entegrity.com 
> Subject: "Onion model" explained 
> 
> 
> Hi all, 
> 
> During today's STF telcon I took an action item to 
> explain in the mailing list what the "onion model" 
> that we sometimes referred to in the WG's security 
> related threads was about. 
> 
> So here it goes. 
> 
> The "Onion model," for the lack of a better term, is in
> essence a grouping of the WSAWG sec reqs for the benefit
> of prioritizing them for a phased approach in delivering
> our sec solutions/standards.  (The phased approach came
> about in consideration of the time-to-market factor often
> recited in the WSAWG's discussions.)
> 
> The model comprises, in descending priority: 
> 
>    Layer 1) Confidentiality, (Data) Integrity, Authentication; 
> 
>          2) Authorization; 
> 
>          3) Non-repudiation; 
> 
>          4) Accessibility 
> 
>          5) The remainder of the WSAWG sec requirements, 
>             including Auditing. 
> 
>    Note that a phase may consist of one or more layers.
>    E.g. the first phase may include layer 1 only, or
>    layers 1 & 2, dependent upon future decisions.
> 
> Cheers, 
> 
> Joe Hui 
> Exodus, a Cable & Wireless service 
> 

Received on Wednesday, 10 July 2002 20:15:57 UTC