RE: D-AG006 Security

Should this also include: 
	Authentication (maybe covered by KS 6.4 credentials) and 
	Authorization (is this what KS6.5 assertions intends)  
Joel

-----Original Message-----
From: Krishna Sankar [mailto:ksankar@cisco.com]
Sent: Thursday, March 07, 2002 7:51 PM
To: 'Joseph Hui'; www-ws-arch@w3.org
Subject: RE: D-AG006 Security


Joseph,

	Let me start adding spirit to the discussion (and be the
champion for spirits):

	I think the requirement is a little too general. I would prefer
it to be spelled at some point. So summarizing your message, may be we
could say :

	AG006.1 : Address Integrity
	AG006.2 : Address confidentiality
	AG006.3 : Address transfer of context between web services
	AG006.4 : Address transfer of credentials between web services
	AG006.5 : Address exchange of assertions between web services
(This is SAML's domain. I think it will be good for us to address this
at the architecture level)
	AG006.6 : Address trust models (Everything has a trust model -
either explicit or implicit. We might as well address this. BTW, trust
model is what we could influence the most)
	AG006.7 : Address Privacy 

cheers

 | -----Original Message-----
 | From: www-ws-arch-request@w3.org 
 | [mailto:www-ws-arch-request@w3.org] On Behalf Of Joseph Hui
 | Sent: Thursday, March 07, 2002 5:40 PM
 | To: www-ws-arch@w3.org
 | Subject: D-AG006 Security
 | 
 | 
 | Hi all,
 | 
 | As the volunteered "champion" (during today's telecon) for 
 | one of the WSAWG goals, "AG006 -- addresses the security of 
 | web services across distributed domains and platforms," I 
 | wish to solicit your interest in starting and sustaining a 
 | "spirited" discussion on web services security.  The primary 
 | objective (of the discussion) is to confirm the stated goal 
 | by *rough* consensus, and refine it (the goal, not the 
 | consensus ;-) if necessary.  The secondary objective is to 
 | harvest the upshot of the discussion and turn it into 
 | something we can use in near term for identifying "Critical 
 | Success Factors" -- whatever that may mean to you -- and 
 | requirements. Hopefully, by being mindful of the objectives, 
 | we can keep this thread reasonably focused.  However, please 
 | don't let the objectives adversely constrain your will to 
 | express.  You're welcome to disregard the objectives and 
 | throw in whatever you see fit in the spirit of doing good 
 | for web services security.
 | 
 | To get the ball rolling, let me start with the goal statement itself:
 | 
 |    AG006 -- addresses the security of web services across
 |             distributed domains and platforms.
 | 
 | Q to all: Is the goal set to your satisfaction?  
 |           Too broad, too narrow, too ...?
 | 
 | Answers/comments?
 | 
 | 
 | To flesh out AG006 a bit more in terms of its implications,
 | we can give it another whack at what addressing the web 
 | services security (WSsec) should entail in the architecture 
 | WS-Arch) to be designed.  Based on some previous discussions 
 | fragmented across several threads in www-ws-arch@w3.org, an 
 | assertion can be made that attaining goal AG006 entails 
 | addressing six security aspects in computing:
 |    1) Accessibility;
 |    2) Authentication (of ID and data/messages);
 |    3) Authorization;
 |    4) Confidentiality;
 |    5) (data) Integrity; and
 |    6) Non-repudiation.
 | 
 | Comments?  
 | 
 | 
 | Closely related to security is (the issue of) "trust."
 | We shall have a security framework alright. The question is: 
 | should we include trust modeling as a part of the 
 | framework's design, (e.g.. what trust model(s) to recommend 
 | or adopt for web 
 | services,) thus trust is a part of AG006; or should we deem 
 | "trust" outside the scope of AG006, thus we may need a separate goal?
 | 
 | Answers/comments?
 | 
 | 
 | Also, there was the mention of "privacy" in the charter, 
 | right next to security.  Privacy can mean different things 
 | in different contexts, ranging from preventing one's home 
 | address disclosed to a web merchant from being sold to 
 | junkmailers to keeping one's ID anonymous in transactions. 
 | I wasn't at the WS workshop last April, so have no clue
 | what that was about.  Can someone shed some light on what 
 | the "privacy" is supposed to mean in our WS-Arch context, so 
 | we can determine whether it will be appropriate to lump it 
 | into AG006, or set a separate goal for it, or whatever?
 | 
 | Answers/comments?
 | 
 | 
 | Please chime in.
 | 
 | Thanks,
 | 
 | Joe Hui
 | Exodus, a Cable & Wireless service
 | 
 |

Received on Friday, 8 March 2002 15:23:45 UTC