RE: D-AR006.7 discussion points from Joseph Hui on 2002-05-07 (www-ws-arch@w3.org from May 2002)

From: Joseph Hui <Joseph.Hui@exodus.net>
Date: Tue, 7 May 2002 14:29:38 -0700
To: <www-ws-arch@w3.org>
Message-ID: <45258A4365C6B24A9832BFE224837D551D1BEB@SJDCEX01.int.exodus.net>

> MSFT: To begin with, this should be called out as at a 
> different level of
> abstraction than the first 4 architecturral requirements. 

You meant D-AR006.2 thru D-AR006.5?

> In addition,
> this is just a web service, of which there will be many alternatives.
  ^^^^ "This" referring to ...?

> INTEL: Need some explanation about using Public Key 
> Encryption (PKE), and not using PKI. 

That would give the chance for some to cry "too detailed, too
mechanismed, too ism'ed ..."  Wouldn't it? ;0)  
Anyway, PKE is a security primitive for key exchange and digital
signature.  PKI is the infrastructure for supporting such practice.
They are not competing candidates.

> Also, the requirement should have been independent of 
> any specific technology such as PKE.

This sounds politically correct.  However, for all practical purpose,
PKE stands out as the most viable technology for key exchange.

> SYBS: Is it in the charter to identify at such fine grain technologies
> to be used in Web Services

I don't think granularity of technologies is at issue with D-AR006.7.

> W3C: See http://lists.w3.org/Archives/Public/www-ws-arch/2002May/0019.html

In or out of scope?  I'll leave it to the WG's consensus.

> PF: I believe it sufficient that we say that public keys should be used.

This may come across to some as dictating mechanism.

> That is very different than saying that PKI should be used.  The use
> of public keys does not require PKI.

D-AR006.7 doesn't say or imply PKI should be used.  Note the mention
of KDC there.

> CrossWeave: This implies an implementation of authentication, integrity, and/or
> confidentiality.  We shouldn't be prescribing implementations.

I don't understand how C-AR006.7 could be interpreted this way.

> ATT: AT&T suggests to replace the word "include" with "INTEROPERABLE" so
> it reads: The security framework must INTEROPERATE with Key Management,
> pertaining to PKE and KDC

The suggested replacement sounds awkward to me, e.g. IMO it bends the 
statement so out of whack that the original meaning is lost.

Joe Hui
Exodus, a Cable & Wireless service

Received on Tuesday, 7 May 2002 17:29:19 UTC