- From: Krishna Sankar <ksankar@cisco.com>
- Date: Thu, 7 Mar 2002 18:51:21 -0800
- To: "'Joseph Hui'" <jhui@digisle.net>, <www-ws-arch@w3.org>
Joseph,

Let me start adding spirit to the discussion (and be the champion for spirits):

I think the requirement is a little too general. I would prefer it to be spelled out at some point. So summarizing your message, maybe we could say:

AG006.1 : Address Integrity
AG006.2 : Address confidentiality
AG006.3 : Address transfer of context between web services
AG006.4 : Address transfer of credentials between web services
AG006.5 : Address exchange of assertions between web services (This is SAML's domain. I think it will be good for us to address this at the architecture level)
AG006.6 : Address trust models (Everything has a trust model - either explicit or implicit. We might as well address this. BTW, trust model is what we could influence the most)
AG006.7 : Address Privacy

cheers

| -----Original Message-----
| From: www-ws-arch-request@w3.org [mailto:www-ws-arch-request@w3.org] On Behalf Of Joseph Hui
| Sent: Thursday, March 07, 2002 5:40 PM
| To: www-ws-arch@w3.org
| Subject: D-AG006 Security
|
| Hi all,
|
| As the volunteered "champion" (during today's telecon) for one of the WSAWG goals, "AG006 -- addresses the security of web services across distributed domains and platforms," I wish to solicit your interest in starting and sustaining a "spirited" discussion on web services security. The primary objective (of the discussion) is to confirm the stated goal by *rough* consensus, and refine it (the goal, not the consensus ;-) if necessary. The secondary objective is to harvest the upshot of the discussion and turn it into something we can use in near term for identifying "Critical Success Factors" -- whatever that may mean to you -- and requirements. Hopefully, by being mindful of the objectives, we can keep this thread reasonably focused. However, please don't let the objectives adversely constrain your will to express. You're welcome to disregard the objectives and throw in whatever you see fit in the spirit of doing good for web services security.
|
| To get the ball rolling, let me start with the goal statement itself:
|
| AG006 -- addresses the security of web services across distributed domains and platforms.
|
| Q to all: Is the goal set to your satisfaction? Too broad, too narrow, too ...?
|
| Answers/comments?
|
| To flesh out AG006 a bit more in terms of its implications, we can give it another whack at what addressing the web services security (WSsec) should entail in the architecture (WS-Arch) to be designed. Based on some previous discussions fragmented across several threads in www-ws-arch@w3.org, an assertion can be made that attaining goal AG006 entails addressing six security aspects in computing:
| 1) Accessibility;
| 2) Authentication (of ID and data/messages);
| 3) Authorization;
| 4) Confidentiality;
| 5) (data) Integrity; and
| 6) Non-repudiation.
|
| Comments?
|
| Closely related to security is (the issue of) "trust." We shall have a security framework alright. The question is: should we include trust modeling as a part of the framework's design, (e.g., what trust model(s) to recommend or adopt for web services,) thus trust is a part of AG006; or should we deem "trust" outside the scope of AG006, thus we may need a separate goal?
|
| Answers/comments?
|
| Also, there was the mention of "privacy" in the charter, right next to security. Privacy can mean different things in different contexts, ranging from preventing one's home address disclosed to a web merchant from being sold to junkmailers to keeping one's ID anonymous in transactions. I wasn't at the WS workshop last April, so have no clue what that was about. Can someone shed some light on what the "privacy" is supposed to mean in our WS-Arch context, so we can determine whether it will be appropriate to lump it into AG006, or set a separate goal for it, or whatever?
|
| Answers/comments?
|
| Please chime in.
|
| Thanks,
|
| Joe Hui
| Exodus, a Cable & Wireless service
Received on Thursday, 7 March 2002 21:52:01 UTC