RE: D-AG006 Security

> -----Original Message-----
> From: Krishna Sankar [mailto:ksankar@cisco.com]
[snip]
>  | 2. You have described the techniques one may use to secure
>  | *any* web service usage scenario. It would be useful to see 
>  | whether there are categories of usage scenarios where some 
>  | specific combination of techniques will make sense. For 
>  | example, should accessing a "weather info service," be 
>  | secured using authorization, authentication? Should the 
>  | weather info be ensured to be authentic and unaltered?
>  | Same questions for sending in a bill payment to a bank from
>  | a customer. If there are many categories, then we may see
>  | how to satisfy all of them in a generic way. Alternately,
>  | we may suggest techniques that may be generically adopted.
>  | 
> <KS>
> 	I do not think we should get into this. For example we could
> describe security 1-10 or weak, medium or strong or ... Again the
> relative strengths or other similar grading attributes are domain
> specific i.e. a weak authC in one domain might be the strongest authC in
> another domain.
>
> 	IMHO, we would define and identify the various mechanisms and
> leave the interpretations to the domains/applications.

Agreed.  The WS-Arch doesn't do mechanisms, where vendors can max
out their ingenuities to differentiate their products.

Joe Hui
Exodus, a Cable & Wireless service

Received on Friday, 8 March 2002 21:19:22 UTC