RE: SOAP Confidentiality and Integrity: Next Step?

Krishna,

I'm by no means opposed to Joseph Reagle's proposal or the
formation of a new WS or SOAP security WG, which happens to
be in line with what Dave Orchard and some others were pushing
and receiving pushback.  (I as the sec champion would rather
be as neutral as possible on the issue, and stick with
shepherding the process with technical analysis and clarification
where appropriate.)  There were some concrete steps we were
slated to take in this area as an upshot of the Paris F2F.
For now I'd rather not jump the gun here before Chris the
chair's cue on the matter.

My messages were quite clear and simple, I think: 1) a rebuttal
to Dave Orchard's "observations" and mis-characterization of
the hitherto efforts and accomplishments in the security front
within WSAWG; and 2) a word of caution to arrest a potential
slide into finger pointing.  

Cheers, 

Joe Hui
Exodus, a Cable & Wireless service
=================================================

> -----Original Message-----
> From: Krishna Sankar [mailto:ksankar@cisco.com]
> Sent: Wednesday, June 19, 2002 8:52 PM
> To: www-ws-arch@w3.org; xml-encryption@w3.org; www-xkms@w3.org;
> reagle@w3.org
> Subject: RE: SOAP Confidentiality and Integrity: Next Step?
> 
> Joseph Hui,
> 
> 	I have been observing the WS-Arch security related proceedings
> with interest and concern. On one side we are doing the right
> peer-review and the disciplined-rigorous approach, which is good.
> OTOH, it is a process by a committee, which means we will make some
> compromises and would take time. You know how long we took just to
> agree on definitions.
> 
> 	Usually I do not agree with Dave Orchard that easily, but on
> this occasion I do agree with him. Any W3C effort - as a result of the
> WS-Arch definition in the security arena - would be able to start at
> the earliest by Nov 2002, which means any standard to the CR level
> would be Nov 2003.
> 
> 	From my understanding, what Joseph Reagle is attempting to do (I
> also support him on this) is to achieve a standardized way for
> integrity & confidentiality for SOAP; I would add the transport of
> tokens (a.k.a. SAML assertions, Kerberos Tickets, ...) over SOAP as
> well into this effort. This clearly requires a lightweight and faster
> process than the yet-to-be-proposed Security initiative by the WS-Arch
> group. Remember, if the question was the other way round - i.e. if we
> want a security architecture for web services that envelops secure
> conversation, policies, ... (like the security arch paper from IBM et
> al) my answer would be different, in fact opposite!
> 
> 	The proposed mini-group (let us call it SOAP Security WG)
> actually has a lot of synergy with the yet-to-be-proposed WS-Security
> WG. It relieves us - the WS-Arch group - of the daily trifles and the
> urgency of defining a short term deliverable (to plug the leaks -
> literally!) and it frees the SOAP Security WG of defining an
> all-encompassing comprehensive security architecture. The best of both
> worlds!
> 
> cheers
> 
> 

Received on Thursday, 20 June 2002 00:43:15 UTC