RE: SOAP Confidentiality and Integrity: Next Step?

I can help on the OASIS convergence issue.  I'm co-chairing the newly
formed Security Standards Joint Committee (SSJC) at OASIS.  We formed
this JC specifically to help address this kind of issue.

I'm also the chair of the Provisioning Services TC @OASIS.  You should
include the Service Provisioning Markup Language (SPML) in the relevant
security markup specifications.  SPML provides the framework for the
creation and revocation of the underlying identity, identity mapping
services and should be the basis for self-service and subscription
management within the reference architecture.

Obviously, we need to talk...

--------------------------------------------------------
Darran Rolls                      http://www.waveset.com
Waveset Technologies Inc          drolls@waveset.com 
(512) 657 8360                  
--------------------------------------------------------


> -----Original Message-----
> From: Krishna Sankar [mailto:ksankar@cisco.com]
> Sent: Tuesday, June 18, 2002 11:10 PM
> To: www-ws-arch@w3.org; xml-encryption@w3.org; 3.org@w3.org;
> www-xkms@w3.org; reagle@w3.org
> Subject: RE: SOAP Confidentiality and Integrity: Next Step?
> 
> 
> Joe,
> 
> 	We all have been working on many point standards, but the
> cohesiveness and the coherence is missing. This is very important
> especially in the security aspects. It is long overdue and has been an
> obstacle in the web services area.
> 
> 	In short, I share your urgency in defining a web security (which
> is quickly becoming an oxymoron :o() You have our support in clearly
> and crisply defining an activity which potentially begins with the
> ws-security specification. I do think we need to include the Tokens as
> well. We also need to seek convergence - by incorporating the OASIS
> security standards - SAML, XACML and XrML. I see this activity as
> supporting the future security proposal from the WS-Arch team.
> Naturally you have our support for participation as well.
> 
> 	One question I have is the time boxing. I had raised this
> question during the formation of the WS Description group as well. As
> far as what I know, the W3C process does not have a provision to time
> box any effort.
> 
> 	Another question is the formation process - what do we do or
> more precisely where do we start? In [2] you were suggesting
> evangelizing/influencing the WS-Arch group. From what I read, in this
> e-mail your thoughts are to form a focused WG but still a W3C wg. One
> of the concerns I have is the 12-15 months it takes to initiate and
> deliver a standard from W3C. I am appreciative of and support the peer
> review and the rigor the W3C process brings into a domain. But could
> we have a light-weight, accelerated process for W3C standards? Maybe
> this is a good time to test this. Maybe we need a process to deliver
> something between an amorphous note and a definitive W3C standard.
> 
> Cheers
> 
> 
> |  -----Original Message-----
> |  From: xml-encryption-request@w3.org
> |  [mailto:xml-encryption-request@w3.org] On Behalf Of Joseph Reagle
> |  Sent: Tuesday, June 18, 2002 10:24 AM
> |  To: www-ws-arch@w3.org
> |  Cc: xml-encryption@w3.org; 3.org@w3.org; www-xkms@w3.org
> |  Subject: SOAP Confidentiality and Integrity: Next Step?
> |
> |
> |
> |
> |  This email is a final step in a thread in how to start work on providing
> |  confidentiality and integrity for SOAP messages. I've discussed a range of
> |  security issues [1] with a conclusion that this topic (soap+xmldsig+xenc)
> |  is most pressing; however, I was not able to find agreement that this issue
> |  should be shoe-horned into an existing WG, instead it should be part of the
> |  Web Services security. [2]
> |
> |  Though I'm relatively ignorant of the ws-arch discussions, I've heard the
> |  ws-arch WG is considering this issue and will try to have charters
> |  available for work in July [3], but that the immediate issue might also be
> |  delayed by consideration of the bigger issues. Consequently, I'd recommend
> |  that a charter for work in the WS Activity be specified with a scope no
> |  larger than [4] -- and potentially more narrow (e.g., without tokens). A
> |  "web services security" community does not yet exist (or it does, but it's
> |  fragmented) and starting work on this immediately not only commences with
> |  the work, but helps build a community which then can contribute to the
> |  larger discussion. For instance, because standardized security components
> |  do not yet exist, specifications such as XKMS [5] may end up specifying
> |  "one-off" versions in the short term. However, these could be contributed
> |  to the WS work. We all know somebody who knows somebody who is in the other
> |  WG, but sometimes that isn't quite enough. <smile/>
> |
> |  In conclusion, I advocate a charter with specific and immediate terms, and
> |  an active recruitment of participants. Please let me know if and how events
> |  are likely to be otherwise. Thanks!
> |
> |
> |  [1] http://lists.w3.org/Archives/Member/w3c-ac-forum/2002AprJun/0022.html
> |  [2] http://lists.w3.org/Archives/Public/www-xenc-xmlp-tf/2002Jun/0002.html
> |  [3] http://www.w3.org/2002/05/28-ws-cg-irc.txt
> |  [4] http://www-106.ibm.com/developerworks/security/library/ws-secure/?dwzone=security
> |      http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnglobspec/html/ws-security.asp
> |  [5] http://lists.w3.org/Archives/Public/www-xkms/2002Jun/0016.html
> 
> 
> --
> Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
> W3C Policy Analyst                mailto:reagle@w3.org
> IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature/
> W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/
> 

Received on Wednesday, 19 June 2002 00:36:47 UTC