RE: SOAP Confidentiality and Integrity: Next Step?

+1
Ayse

-----Original Message-----
From: jones@research.att.com [mailto:jones@research.att.com]
Sent: Thursday, June 20, 2002 12:13 PM
To: RogerCutler@chevrontexaco.com; dorchard@bea.com; ksankar@cisco.com;
reagle@w3.org
Cc: www-ws-arch@w3.org
Subject: RE: SOAP Confidentiality and Integrity: Next Step?



+1

Mark A. Jones
AT&T Labs
Shannon Laboratory
Room 2A-02
180 Park Ave.
Florham Park, NJ  07932-0971

email: jones@research.att.com
phone: (973) 360-8326
  fax: (973) 236-6453

	From: "Cutler, Roger (RogerCutler)" <RogerCutler@chevrontexaco.com>
	To: "'David Orchard'" <dorchard@bea.com>, reagle@w3.org,
	        "'Krishna Sankar'" <ksankar@cisco.com>
	Cc: www-ws-arch@w3.org
	Date: Thu, 20 Jun 2002 08:26:52 -0700
	Subject: RE: SOAP Confidentiality and Integrity: Next Step?


	For what it is worth, I support the "accelerated" approach ("damn the
	torpedoes", or whatever you said) to getting a security WG charter out.
	Hopefully if work on the architecture and the charter are proceeding in
	parallel, by the time the charter actually gets out the door there will be
	enough feedback from the architecture side to make people more comfortable.

	A LOT of people, in and out of the W3C, are waiting very impatiently for
	this work to get done.  Or even started.

	-----Original Message-----
	From: David Orchard [mailto:dorchard@bea.com] 
	Sent: Wednesday, June 19, 2002 3:19 PM
	To: reagle@w3.org; 'Krishna Sankar'
	Cc: www-ws-arch@w3.org
	Subject: RE: SOAP Confidentiality and Integrity: Next Step?





	> -----Original Message-----
	> From: www-ws-arch-request@w3.org [mailto:www-ws-arch-request@w3.org]On
	> Behalf Of Joseph Reagle
	> Sent: Wednesday, June 19, 2002 11:41 AM
	> To: Krishna Sankar; www-ws-arch@w3.org
	> Subject: Re: SOAP Confidentiality and Integrity: Next Step?
	>
	>

	<snip/>
	> > 	Another question is the formation process - what do we do or more 
	> > precisely where do we start ? In [2] you were suggesting 
	> > evangelizing/influencing the WS-Arch group. From what I
	> read, in this
	> > e-mail your thoughts are to form a focused WG but still a
	> W3C wg. One of
	> > the concerns I have is the 12-15 months it takes to initiate and 
	> > deliver a standard from W3C. I am appreciative of and
	> support the peer
	> > review and the rigor the W3C process brings into a domain.
	> But could we
	> > have a light-weight, accelerated process for W3C standards
	> ? Maybe this
	> > is a good time to test this. Maybe we need a process to deliver 
	> > something between an amorphous note and a definitive W3C standard.
	>
	> Those discussions do occur, but I suggest that if one wants to move 
	> quickly on this topic one builds the community under the shelter of a 
	> charter (which gives the means of saying "no" and takes care of 
	> intellectual monopoly issues (copyright, patent)) and get going. There 
	> are specs out
	> there that you can use now. If you want the peer review, the
	> dependency
	> management, the IPR safety, etc., it takes time.

	The WSArch wg has decided to form subteams on security and on architecture
	documents, and a schedule that says there will be an arch doc and
	requirements portion of a charter in 4-5 weeks.  We've started usage
	scenarios for authentication, integrity and confidentiality, though they
	aren't yet in the usage scenarios doc.   There are some high level
	requirements around security, and agreed to authentication, integrity and
	confidentiality for the first cut at a charter.

	I don't know what the schedule is for final wg formation, assuming that that
	schedule was met.  I think the process is arch produces reqs, then wsa cg
	produces charter, w3c team produces charter for ac vote, 4 week ac vote,
	w3ct decides on wg and announces.  That seems like at least a 2 month
	process, which would start in september given the august break.  So I guess
	the earliest for wg formation would be early November.  IMO, I have
	reservations about both those schedules (end of july for reqs, November for
	wg formation), but again that's just my opinion.

	On to more of a personal opinion...

	As a member of the ws-arch that has been probably the loudest proponent of
	the "damn the torpedoes and ship a security wg charter before we even do an
	arch document" aka "time to market" approach aka "accelerated process" [1],
	[2], [3], I would say that the WG is generally reticent of that approach.
	There has been continued pushback in the group about needing a more detailed
	architectural or other documents with varied coverage of principles, goals,
	critical success factors, use cases, relationship to semantic web, and more
	functional areas before doing security.  I did support Joseph's earlier
	attempts at getting this work going in a more informal mechanism.  I also
	volunteered to write/edit whatever the group wanted in terms of architecture
	material, requirements, scenarios, etc. to expedite forming a security wg.

	So I'm certainly disappointed that we've been going for over 4 months, and
	we haven't talked about a single specific security requirement (like:
	encrypt attachments, entire messages only, soap bodies? which kinds of
	authentication tokens to support?  Should there be a processing model for
	encryption/signing described and interchanged? etc.).

	At some point, if the group does not want to move quickly on an area, that's
	its choice (whether explicit or not) and part of the price of consensus.
	Analogies of pushing rope come to mind ;-)

	I hope this helps with an understanding of where the ws-arch group is wrt
	security, as well as some personal observations on how we got to where
	we are.

	Cheers,
	Dave

	[1] http://lists.w3.org/Archives/Public/www-ws-arch/2002Mar/0172.html
	[2] http://lists.w3.org/Archives/Public/www-ws-arch/2002Mar/0300.html
	[3] http://lists.w3.org/Archives/Public/www-ws-arch/2002May/0097.html

Received on Thursday, 20 June 2002 13:45:27 UTC