RE: Are Footnotes in Scope?

>  From: Cutler, Roger (RogerCutler) [mailto:RogerCutler@chevrontexaco.com]
[snip]
 
>  AND one wants to provide some proof that the information really is valid and comes from that source. 
 
The proof that "the information really is valid" calls for data Integrity.
 
The proof that the data "comes from that source" calls for endpoint Authentication. 
 
The proof to a third party that the data is valid and could have only come from that
source and nowhere else calls for Non-repudiation.  This case also takes care of
your exchange-rate example.
 
There are known and proven security solutions to the problems in your examples:
message digest (for data Integrity); HMAC (for data Integrity with source
authentication), and digital signature (for simple Non-repudiation).
 
>  Is this interesting?  In scope?  Possible?
 
Yes to all three.  The issues are covered by D-AG0006 -- security.
 
Cheers,
 
Joe Hui
Exodus, a Cable & Wireless service
===============================

-----Original Message-----
From: Cutler, Roger (RogerCutler) [mailto:RogerCutler@chevrontexaco.com]
Sent: Thursday, March 28, 2002 8:41 AM
To: 'www-ws-arch@w3.org'
Subject: Are Footnotes in Scope?



I had a thought and I don't know whether it is in scope for this group -- or even whether it is useful, possible or trivial.  Let me try it on and see what you folks think:

Suppose one has a web service and one wants to include something that is provided by another web service -- AND one wants to provide some proof that the information really is valid and comes from that source.

For example, suppose one wants to express an amount in both dollars and yen, based on an exchange rate at some time.  Further, suppose one wants to guard against trickery based on using a bogus exchange rate.  That is, one wants some way to say, "This exchange rate came from the following mutually respected source" and have some way to ensure that this statement is true.

I can think of two approaches to this: 

1 -- Incorporate some sort of validating information in a block within the message returned by the web service.  As in, "This certifies that the information on this line is guaranteed by Chase Bank, and that this is the same Chase Bank as is registered in Verisign".  Or something along those lines.

2 -- Incorporate some sort of information about how the information was obtained in such a way that the receiving party can repeat the query and check the information if it likes.  As in, "This information was received from Chase Bank from the following query -- if you like you can submit that same query and you will get the same answer".

It seems to me that the second possibility is more interesting.  I think that I am talking here about something that is a bit like footnotes, except that they can be verified in an automated way.

Is this interesting?  In scope?  Possible? 

Received on Thursday, 28 March 2002 12:50:49 UTC
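
The distinction the reply draws between a message digest and an HMAC, applied to the exchange-rate footnote, as an added example that is not part of the original thread or written by either correspondent. The field names, source name, rate, timestamp and shared key are constructed for illustration; the digital-signature case is left out because it needs a public-key library outside the Python standard library.

```python
import hashlib
import hmac
import json

# Constructed sample data: source name, rate, timestamp and key are illustrative.
SHARED_KEY = b"constructed-demo-key-known-to-source-and-receiver"
GENUINE = {"source": "example-bank", "pair": "USD/JPY",
           "rate": "132.50", "as_of": "2002-03-28T12:00:00Z"}

def canonical(footnote):
    """Serialize deterministically so both parties hash identical bytes."""
    return json.dumps(footnote, sort_keys=True, separators=(",", ":")).encode()

def digest(footnote):
    """Message digest: integrity only, anyone can recompute it."""
    return hashlib.sha256(canonical(footnote)).hexdigest()

def tag(footnote, key):
    """HMAC: integrity plus proof the sender holds the shared key."""
    return hmac.new(key, canonical(footnote), hashlib.sha256).hexdigest()

def check_digest(footnote, claimed):
    return hmac.compare_digest(digest(footnote), claimed)

def check_tag(footnote, claimed, key):
    # compare_digest runs in constant time, avoiding a timing side channel.
    return hmac.compare_digest(tag(footnote, key), claimed)

def demo():
    forged = dict(GENUINE, rate="99.00")  # rate altered in transit
    good_digest, good_tag = digest(GENUINE), tag(GENUINE, SHARED_KEY)
    return {
        "digest_ok_for_genuine": check_digest(GENUINE, good_digest),
        # Altered data fails against the original digest...
        "digest_detects_change": not check_digest(forged, good_digest),
        # ...but whoever altered it can attach a fresh digest, which verifies.
        "recomputed_digest_verifies": check_digest(forged, digest(forged)),
        "hmac_ok_for_genuine": check_tag(GENUINE, good_tag, SHARED_KEY),
        # Without the key, the old tag no longer matches the altered data.
        "hmac_detects_change": not check_tag(forged, good_tag, SHARED_KEY),
        # The receiver also holds the key and can produce a valid tag itself,
        # so a third party cannot tell which key holder wrote the footnote.
        "receiver_made_tag_verifies":
            check_tag(forged, tag(forged, SHARED_KEY), SHARED_KEY),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last result is why an HMAC stops short of non-repudiation: only a signature made with a private key held by the source alone can be attributed to that source by a third party.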