RE: SOAP Confidentiality and Integrity: Next Step? from Joseph Hui on 2002-06-20 (www-ws-arch@w3.org from June 2002)

From: Joseph Hui <Joseph.Hui@exodus.net>
Date: Wed, 19 Jun 2002 19:27:54 -0700
To: "David Orchard" <dorchard@bea.com>, <reagle@w3.org>, "Krishna Sankar" <ksankar@cisco.com>
Cc: <www-ws-arch@w3.org>
Message-ID: <45258A4365C6B24A9832BFE224837D551D1C5B@SJDCEX01.int.exodus.net>

As the security champion, I do not buy the observations Dave made.

> From: David Orchard [mailto:dorchard@bea.com]
> Sent: Wednesday, June 19, 2002 1:19 PM
[snip]
> On to more of a personal opinion...
[snip]
> So I'm certainly disappointed that we've been going for over 
> 4 months, and
> we haven't talked about a single specific security requirement (like:
> encrypt attachments, entire messages only, soap bodies? which kinds of
> authentication tokens to support?  Should there be a 
> processing model for
> encryption/signing described and interchanged? etc.).

One is always certainly to one's own opinion, but not one's own facts.
The facts are we've got an entire set of WS security requirements,
of which most are now beyond the draft status, and there were many
security threads where live and informed discussions were conducted.
(The www-ws-arh mail archive is all there for everybody that's
interested to check.)
 
> At some point, if the group does not want to move quickly on 
> an area, that's
> it's choice (whether explict or not) and part of the price of 
> consensus.
> Analogies of pushing rope come to mind ;-)

There were valid opinions expressed by both camps on the issue,
backed by sound reasoning.  It wasn't one camp's fault that 
the other had failed to establish a convincing argument.
(Again, anyone is welcome to check the public mail archive to
verify the facts in this regard.)
 
> I hope this helps with an understanding of where the ws-arch 
> group is wrt
> security, and as well as some personal observations on how we 
> got to where we are.

Not at all, because the observations weren't backed by facts.

Checking the mail archive, one should find that the participants
in security discourses were at the forefront of taking initiatives
in driving the process along.  With that, one may observe standards
forums are not where one holds one's breath.  That's just due
process, C'est la vie, ..., whatever, not something many (if 
not all) of us would personally like to see ideally.
How wonderful it would be if we could just shove our thoughts
into a microwave oven and out came the consensus and specs! :-)
Finally, I'd observe that: it'd be most unfortunate if we let
ourselves be frustrated by the due process, and then be tempted
by frustration into foolishness that may be construed (or
misconstrued) as badmouthing one another in public, before
badmouthing is necessary.

Cheers,

Joe Hui
Exodus, a Cable & Wireless service
=======================================================
> 
> Cheers,
> Dave
> 
> [1] http://lists.w3.org/Archives/Public/www-ws-arch/2002Mar/0172.html
> [2] http://lists.w3.org/Archives/Public/www-ws-arch/2002Mar/0300.html
> [3] http://lists.w3.org/Archives/Public/www-ws-arch/2002May/0097.html
> 
>

Received on Wednesday, 19 June 2002 22:27:13 UTC