RE: D-AG006 Security

+1
Abbie

-----Original Message-----
From: David Orchard [mailto:dorchard@bea.com]
Sent: Wednesday, May 08, 2002 5:36 PM
To: 'Anne Thomas Manes'; 'Mark Baker'; 'Darran Rolls'
Cc: 'Dilber, Ayse, ALASO'; 'Joseph Hui'; 'Edgar, Gerald'; Barbir, Abbie
[CAR:1A00:EXCH]; 'Allen Brown'; www-ws-arch@w3.org
Subject: RE: D-AG006 Security


Anne,

Could you live with doing message integrity, authentication (credential
exchange), confidentiality, trust model description as our first security
WG, with a plan to do the SAML/XACML artifact passing in a second version?
This seems to be a great 80/20 point for our first cut at requirements, and
is what I proposed a few (many?) emails ago.

Agreed that WS-Security may be a good start.  I'm not as worried about the
fact that it's not a standard, but more whether msft/ibm/verisign want to
suggest ws-security be used.  They may have IPR concerns with W3C IP policy.
I figure we get the security wg going, and then ask the WG to evaluate the
best solutions available for it's use.  If WS-Security isn't available, then
it may have to create something different, but hopefully that won't happen.

Cheers,
Dave

> -----Original Message-----
> From: www-ws-arch-request@w3.org [mailto:www-ws-arch-request@w3.org]On
> Behalf Of Anne Thomas Manes
> Sent: Wednesday, May 08, 2002 2:29 PM
> To: Mark Baker; Darran Rolls
> Cc: Anne Thomas Manes; David Orchard; Dilber, Ayse, ALASO; Joseph Hui;
> Edgar, Gerald; Abbie Barbir; Allen Brown; www-ws-arch@w3.org
> Subject: RE: D-AG006 Security
>
>
> Mark,
>
> The problem does not already have a solution. There are a number of
> standards that will be cited by this working group (XML Signature, XML
> Encryption, XKMS, SAML, XACML, etc.), but there's no standard
> that ties
> these standards to Web services and SOAP. We need a standard
> that defines
> how to sign all or part of a SOAP message, how to represent the XML
> signature in a SOAP message, how to obtain the keys necessary
> to decrypt the
> message, how to pass credentials in a SOAP message, and how
> to represent
> credential delegation in a SOAP message, etc., etc.. The best
> specification
> at our disposal is IBM/Microsoft/Verisign's WS-Security, but
> it isn't a
> standard. And it doesn't talk about how to pass SAML
> assertions or XACML
> policies in a SOAP message. It doesn't tie in XKMS. That's
> why we need a
> working group.
>
> Anne
>
> > -----Original Message-----
> > From: www-ws-arch-request@w3.org
> [mailto:www-ws-arch-request@w3.org]On
> > Behalf Of Mark Baker
> > Sent: Wednesday, May 08, 2002 4:26 PM
> > To: Darran Rolls
> > Cc: Mark Baker; Anne Thomas Manes; David Orchard; Dilber,
> Ayse, ALASO;
> > Joseph Hui; Edgar, Gerald; Abbie Barbir; Allen Brown;
> www-ws-arch@w3.org
> > Subject: Re: D-AG006 Security
> >
> >
> > On Wed, May 08, 2002 at 02:12:27PM -0500, Darran Rolls wrote:
> > > Sounds like a potential part of the charter wording
> "ensuring reuse of
> > > existing web service security standards..."
> >
> > That would be good too, in case we miss any.  But do we really want
> > to charter a WG only to find out that the problem already has a
> > solution?
> >
> > As I said on our very first call, I strongly believe that we don't
> > have as much work to do as most WG members might believe, at least
> > for some areas (not all).  I request the opportunity to demonstrate
> > this.
> >
> > MB
> > --
> > Mark Baker, Chief Science Officer, Planetfred, Inc.
> > Ottawa, Ontario, CANADA.      mbaker@planetfred.com
> > http://www.markbaker.ca   http://www.planetfred.com
> >
>
>

Received on Wednesday, 8 May 2002 17:48:52 UTC