- From: Christopher Ferris <chrisferris9@netscape.net>
- Date: Thu, 20 Jun 2002 09:33:14 -0400 (EDT)
- To: www-ws-arch@w3.org
=====================================================
(review of architecture doc outline)

(1) where are the w/s in the doc?
(2) what is the scope of this group's work? where do we "draw the line"?
(3) lifecycle? conceptual model?
(4) how to deal with separation of concerns?
(5) utility of the conceptual model currently proposed?
(6) what is the arch metamodel? ("ilities" go here), characteristics, aspects

- careful about use of term "service"
- horizontal vs vertical (tilt your head)

|-------------------------|
| Aggregation             |
|-------------------------|
| web services            |
|-------------------------|
| infrastructure services |
|-------------------------|
| infrastructure          |
|-------------------------|
| fundamental bldg blocks |
|-------------------------|

or

|------------------------------|
| everything else              |
|------------------------------|
| core infrastructure services |
|------------------------------|
| fundamental bldg blocks      |
|------------------------------|

- what is the universe?
- what is this thing?
- where does it fit?
- lifecycle type stuff
- is the web arch == web services arch?

Lessons
- end-to-end stuff addressed up front
- security, versioning, reliability
- loose vs tight coupling
- assertions; isAs vs ilities

=====================================================
(Glossary review)

- self contained?
- organization?
  - topical?
  - alphabetical?
  - other?
  - functional?
- ilities
- completeness

=====================================================
(Brainstorm scoping of proposed security WG)

Dave - Security framework
  - trust model
  - technological solutions
    - authentication
    - integrity
    - confidentiality
Daniel - not world hunger
Jeff - pick relevant subset of requirements
  - end-to-end at least one path
Roger - influence or authority
Joe - priority six aspects
  1- auth/n, integrity, confidentiality
  2- auth/z
  3- NR
  4- Accessibility
  5- remainder
Heather - not broad scope
  - specific targeted solution
TomC - agrees with Heather
  - feedback loop to arch framework
Martin - phase 1, 2, 3
Oisin - life after REC process
DaveO - flexibility of market
  - okay with TimBL
Allen - another structure that is shaped by our architecture
  e.g. security @ message level as being an alternative to Joe's "onion"
Daniel - highest priority problems
Doug - WSSWG recognizes shaded boxes we define to specify, or do we fill in the blanks?
Joe: do we do threat model or is that a function of the WSSWG?
Jeff - do we pick a couple of use cases and scope by picking one?
  - end-to-end with specific technology
Martin - +1
Chris - what is an intermediary? is it in scope?
Joe - integrity, confidentiality
DaveO - XMLEncryption is new, maybe omit?
Daniel - low hanging fruit
Joe - message vs channel
DaveO - "process model" problem?
Joe - PM not a problem for channel aspect

=====================================================
(what the chair heard from discussion above)

- Focus on Joe's level 1 auth/n, integrity, confidentiality
- phased approach
- end-to-end (steel thread)
- message level end-to-end
- pick relevant subset of requirements
- use case driven

=====================================================
(from Martin's breakout group (authentication))

[cust]---(1)--->[t.a.]
      <---------
      ---(2)--->
      <--------
      ---(3)--->
      <---(4)---

(1) ask for credentials
(2) search for flights
(3) book
(4) ask for details (ccc, address, dob) whatever been told by credit card company

[customer]---(1)--->[travel agent]
          <---(2)---

(1) option to ask for credentials (challenge/response)
    assume no authentication of customer
    assume TA is known
    assume no delegation
(2) request for credentials

1. preestablishment of identity
   a) two parties do not know each other
   b) two parties do know each other

scenarios
1. first time
2. second visit same tx
3. another visit, another tx

issues
- diff between identity and trust
- once authenticated, masquerading can happen
- role vs personal authentication
- point-to-point vs end-to-end

=====================================================
(from DaveO's breakout group (confidentiality))

Issue
1) two parties talking known/unknown
2) privacy

[A] --- CC ---> [B] --- CC ---> [C]
User            travel         hotel
 ^
 |
send credit

synch             asynch
  | -- HTTP/S -- |
  |
  | -- SMTP -- |
  |
Received on Thursday, 20 June 2002 15:40:14 UTC