- From: Damodaran, Suresh <Suresh_Damodaran@stercomm.com>
- Date: Wed, 8 May 2002 08:55:37 -0500
- To: "'Dilber, Ayse, ALASO'" <adilber@att.com>, Joseph Hui <Joseph.Hui@exodus.net>, www-ws-arch@w3.org
Absolutely! Security constraints, processing models, and infrastructure have to be interoperable across a wide spectrum of platforms/programming models/... It needs to be captured. In our experience, interoperability has been the most challenging aspect of making secure e-business work.

Cheers,
-Suresh

-----Original Message-----
From: Dilber, Ayse, ALASO [mailto:adilber@att.com]
Sent: Wednesday, May 08, 2002 8:13 AM
To: Joseph Hui; www-ws-arch@w3.org
Subject: RE: D-AR006.7 discussion points

Regarding Joe's comments about AT&T's suggestion, since AT&T thinks an interoperable security framework is very important for web services, perhaps we need to create a new goal to capture interoperability. However you want to handle it is OK with me as long as it is captured; I don't want to lose it.

ayse

-----Original Message-----
From: Joseph Hui [mailto:Joseph.Hui@exodus.net]
Sent: Tuesday, May 07, 2002 5:30 PM
To: www-ws-arch@w3.org
Subject: RE: D-AR006.7 discussion points

> MSFT: To begin with, this should be called out as at a
> different level of
> abstraction than the first 4 architectural requirements.

You meant D-AR006.2 thru D-AR006.5?

> In addition,
> this is just a web service, of which there will be many alternatives.
  ^^^^

"This" referring to ...?

> INTEL: Need some explanation about using Public Key
> Encryption (PKE), and not using PKI.

That would give the chance for some to cry "too detailed, too mechanismed, too ism'ed ..." Wouldn't it? ;0)

Anyway, PKE is a security primitive for key exchange and digital signature. PKI is the infrastructure for supporting such practice. They are not competing candidates.

> Also, the requirement should have been independent of
> any specific technology such as PKE.

This sounds politically correct. However, for all practical purposes, PKE stands out as the most viable technology for key exchange.

> SYBS: Is it in the charter to identify at such fine grain technologies
> to be used in Web Services

I don't think granularity of technologies is at issue with D-AR006.7.

> W3C: See http://lists.w3.org/Archives/Public/www-ws-arch/2002May/0019.html

In or out of scope? I'll leave it to the WG's consensus.

> PF: I believe it sufficient that we say that public keys should be used.

This may come across to some as dictating mechanism.

> That is very different than saying that PKI should be used. The use
> of public keys does not require PKI.

D-AR006.7 doesn't say or imply PKI should be used. Note the mention of KDC there.

> CrossWeave: This implies an implementation of authentication, integrity, and/or
> confidentiality. We shouldn't be prescribing implementations.

I don't understand how C-AR006.7 could be interpreted this way.

> ATT: AT&T suggests to replace the word "include" with "INTEROPERABLE" so
> it reads: The security framework must INTEROPERATE with Key Management,
> pertaining to PKE and KDC

The suggested replacement sounds awkward to me, e.g. IMO it bends the statement so out of whack that the original meaning is lost.

>>> What we need is an interoperable framework. Perhaps we need to define another goal to include the interoperability.

Joe Hui
Exodus, a Cable & Wireless service
Received on Wednesday, 8 May 2002 09:56:17 UTC