- From: Joseph Hui <jhui@digisle.net>
- Date: Thu, 7 Mar 2002 17:39:48 -0800
- To: <www-ws-arch@w3.org>
Hi all,

As the volunteered "champion" (during today's telecon) for one of the WSAWG goals, "AG006 -- addresses the security of web services across distributed domains and platforms," I wish to solicit your interest in starting and sustaining a "spirited" discussion on web services security.

The primary objective (of the discussion) is to confirm the stated goal by *rough* consensus, and refine it (the goal, not the consensus ;-) if necessary. The secondary objective is to harvest the upshot of the discussion and turn it into something we can use in near term for identifying "Critical Success Factors" -- whatever that may mean to you -- and requirements.

Hopefully, by being mindful of the objectives, we can keep this thread reasonably focused. However, please don't let the objectives adversely constrain your will to express. You're welcome to disregard the objectives and throw in whatever you see fit in the spirit of doing good for web services security.

To get the ball rolling, let me start with the goal statement itself:

AG006 -- addresses the security of web services across distributed domains and platforms.

Q to all: Is the goal set to your satisfaction? Too broad, too narrow, too ...? Answers/comments?

To flesh out AG006 a bit more in terms of its implications, we can give it another whack at what addressing the web services security (WSsec) should entail in the architecture (WS-Arch) to be designed. Based on some previous discussions fragmented across several threads in www-ws-arch@w3.org, an assertion can be made that attaining goal AG006 entails addressing six security aspects in computing: 1) Accessibility; 2) Authentication (of ID and data/messages); 3) Authorization; 4) Confidentiality; 5) (data) Integrity; and 6) Non-repudiation. Comments?

Closely related to security is (the issue of) "trust." We shall have a security framework alright. The question is: should we include trust modeling as a part of the framework's design, (e.g. what trust model(s) to recommend or adopt for web services,) thus trust is a part of AG006; or should we deem "trust" outside the scope of AG006, thus we may need a separate goal? Answers/comments?

Also, there was the mention of "privacy" in the charter, right next to security. Privacy can mean different things in different contexts, ranging from preventing one's home address disclosed to a web merchant from being sold to junkmailers to keeping one's ID anonymous in transactions. I wasn't at the WS workshop last April, so have no clue what that was about. Can someone shed some light on what the "privacy" is supposed to mean in our WS-Arch context, so we can determine whether it will be appropriate to lump it into AG006, or set a separate goal for it, or whatever? Answers/comments?

Please chime in.

Thanks,

Joe Hui
Exodus, a Cable & Wireless service
Received on Thursday, 7 March 2002 20:40:22 UTC