SOAP Confidentiality and Integrity: What do we have now?

Hello All,

Where exactly do we stand in terms of existing proposals (W3C Notes,
additional specs, etc) that offer confidentiality and integrity for SOAP
messages? We have [1], which has been used in practice by some of RSA's
customers. Is this is only existing piece of work on the subject?

I am referring to proposed specifications on how one might go about
encrypting and/or signing portions of a SOAP document using XML Signature
and XML Encryption.

After re-reading [1] below, I think it is a good place to start since it
does propose a namespace for secure extensions to SOAP. My guess from a
practical implementation point of view is that if an equivalent 'SOAP-enc'
proposal/Note was generated, even as a note, this would provide a starting
point and take some of the heat off of the urgency to roll the contents of
[1] into 'secure web services' working group or even a smaller SOAP security
WG.

I see the problem of "how do I use XML Signature an Encryption with a SOAP
message" as separate and distinct from "How do I secure my web service". One
problem is of course a subset of the other, but why wait for the smaller
problem to be solved within a larger, process-laden working group when the
smaller problem can be solved quickly (shortest job first) and then the
results of these two notes can be brought in to the larger "Secure Web
services WG" and rolled in to the larger solution.

This is just an observation that I had, there may be constraints that I'm
not seeing, if so, please let me know


[1] http://www.w3.org/TR/SOAP-dsig/

Regards,

Blake Dournaee
Toolkit Applications Engineer
RSA Security
 
"The only thing I know is that I know nothing" - Socrates
 
 


-----Original Message-----
From: Joseph Hui [mailto:Joseph.Hui@exodus.net]
Sent: Wednesday, June 19, 2002 9:44 PM
To: Krishna Sankar; www-ws-arch@w3.org; xml-encryption@w3.org;
www-xkms@w3.org; reagle@w3.org
Subject: RE: SOAP Confidentiality and Integrity: Next Step?



Krishna,

I'm by no means opposed to Joseph Reagle's proposal or the
formation of a new WS or SOAP security WG, which happens to
be in line with what Dave Orchard and some others were pushing
and receiving pushback.  (I as the sec champion would rather
be as neutral as possible on the issue, and stick with
shepherding the process with technical analysis and clarification
where appropriate.)  There were some concrete steps we were
slated to take in this area as an upshot of the Paris F2F.
For now I'd rather not jump the gun here before Chris the
chair's cue on the matter.

My messages were quite clear and simple, I think: 1) a rebuttal
to Dave Orchard's "observations" and mis-characterization of
the hitherto efforts and accomplishments in the security front
within WSAWG; and 2) a word of caution to arrest a potential
slide into finger pointing.  

Cheers, 

Joe Hui
Exodus, a Cable & Wireless service
=================================================

> -----Original Message-----
> From: Krishna Sankar [mailto:ksankar@cisco.com]
> Sent: Wednesday, June 19, 2002 8:52 PM
> To: www-ws-arch@w3.org; xml-encryption@w3.org; www-xkms@w3.org;
> reagle@w3.org
> Subject: RE: SOAP Confidentiality and Integrity: Next Step?
> 
> 
> 
> Joseph Hui,
> 
> 	I have been observing the WS-Arch security related proceedings
> with interest and concern. On one side we are doing the right
> peer-review and the disciplined-rigorous approach, which is 
> good. OTOH,
> it is a process by a committee, which means we will make some
> compromises and would take time. You know how long we took 
> just to agree
> on definitions.
> 
> 	Usually I do not agree with Dave Orchard that easily, but on
> this occasion I do agree with him. Any W3C effort - as a result of the
> WS-Arch definition in the security arena - would be able to 
> start at the
> earliest by Nov 2002 which means any standard to the CR level would be
> Nov 2003.
> 
> 	From my understanding, what Joseph Reagle is attempting to do (I
> also support him on this) is to achieve a standardized way 
> for integrity
> & confidentiality for SOAP ; I would add the transport of 
> tokens (a.k.a
> SAML assertions, Kerberos Tickets,...) over SOAP as well into this
> effort. This clearly requires a light weight and faster 
> process than the
> yet-to-be-proposed Security initiative by the WS-Arch group. Remember,
> if the question was the other way round - i.e. if we want a security
> architecture for web services that envelopes secure conversation,
> policies, ... (like the security arch paper from IBM et al) my answer
> would be different, in fact opposite !
> 
> 	The proposed mini-group (let us call it SOAP Security WG)
> actually has a lot of synergy with the yet-to-be-proposed WS-Security
> WG. It relieves us - the WS-Arch group of the daily trifles and the
> urgency of defining a short term deliverable (to plug the leaks -
> literally !) and it frees the SOAP Security WG of defining an all
> encompassing comprehensive security architecture. The best of both
> worlds !
> 
> cheers
> 
> 

Received on Thursday, 20 June 2002 14:45:51 UTC