RE: SOAP Confidentiality and Integrity: Next Step?

>Consequently, I'd recommend that a charter for work in the 
>WS Activity be specified with a scope no larger than [4] -- 
>and potentially more narrow (e.g., without tokens). A 
>"web services security" community does not yet exist 
>(or it does, but it's fragmented) and starting work on this 
>immediately not only commences with the work, but helps 
>build a community which then can contribute to the larger 
>discussion.

I agree that we need to specify the charter of a Web Services
Security WG. I would prefer that the scope of this security
group include the authentication of SOAP messages via 
standardized security tokens, in addition to encryption and 
integrity protection of SOAP message payloads. 

Specifically, w.r.t. the WS-Security spec [4], we could consider 
the possibility of removing authorization components in SOAP 
headers from the charter, since this work is being done in 
other groups such as the OASIS SAML TC. 

So, deciding what would be the minimal, i.e., core set of
security features pertinent to SOAP based web services and 
how additional security features may be added as security 
extensions to SOAP messages will need to be addressed by this 
group such that production of these additional security
extensions (e.g., SAML extension for SOAP) may be done
by the relevant security working groups (e.g., OASIS SSTC).

I believe that such discussions have been held before
in WS Arch mailing list.

thanks,
Zahid Ahmed


-----Original Message-----
From: Joseph Reagle [mailto:reagle@w3.org]
Sent: Tuesday, June 18, 2002 10:24 AM
To: www-ws-arch@w3.org
Cc: xml-encryption@w3.org; 3.org@w3.org; www-xkms@w3.org
Subject: SOAP Confidentiality and Integrity: Next Step?

This email is a final step in a thread on how to start work on providing 
confidentiality and integrity for SOAP messages. I've discussed a range of 
security issues [1] with a conclusion that this topic (soap+xmldsig+xenc) 
is most pressing; however, I was not able to find agreement that this issue 
should be shoe-horned into an existing WG; instead it should be part of the 
Web Services security work. [2]

Though I'm relatively ignorant of the ws-arch discussions, I've heard the 
ws-arch WG is considering this issue and will try to have charters 
available for work in July [3], but that the immediate issue might also be 
delayed by consideration of the bigger issues. Consequently, I'd recommend 
that a charter for work in the WS Activity be specified with a scope no 
larger than [4] -- and potentially more narrow (e.g., without tokens). A 
"web services security" community does not yet exist (or it does, but it's 
fragmented) and starting work on this immediately not only commences with 
the work, but helps build a community which then can contribute to the 
larger discussion. For instance, because standardized security components 
do not yet exist, specifications such as XKMS [5] may end up specifying 
"one-off" versions in the short term. However, these could be contributed 
to the WS work. We all know somebody who knows somebody who is in the other 
WG, but sometimes that isn't quite enough. <smile/>

In conclusion, I advocate a charter with specific and immediate terms, and 
an active recruitment of participants. Please let me know if and how events 
are likely to be otherwise. Thanks!


[1] http://lists.w3.org/Archives/Member/w3c-ac-forum/2002AprJun/0022.html
[2] http://lists.w3.org/Archives/Public/www-xenc-xmlp-tf/2002Jun/0002.html
[3] http://www.w3.org/2002/05/28-ws-cg-irc.txt
[4] http://www-106.ibm.com/developerworks/security/library/ws-secure/?dwzone=security
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnglobspec/html/ws-security.asp
[5] http://lists.w3.org/Archives/Public/www-xkms/2002Jun/0016.html


--
Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature/
W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/

Received on Tuesday, 18 June 2002 20:15:42 UTC