RE: D-AR006.7 discussion points

Are we in agreement then to create a new goal to capture interoperability?
ayse

-----Original Message-----
From: Damodaran, Suresh [mailto:Suresh_Damodaran@stercomm.com]
Sent: Wednesday, May 08, 2002 9:56 AM
To: Dilber, Ayse, ALASO; Joseph Hui; www-ws-arch@w3.org
Subject: RE: D-AR006.7 discussion points


Absolutely! Security constraints, processing models, and infrastructure
have to be interoperable across a wide spectrum of 
platforms/programming models/... It needs to be captured.
In our experience, interoperability has been the most challenging
aspect of making secure e-business work. 

Cheers,
-Suresh

-----Original Message-----
From: Dilber, Ayse, ALASO [mailto:adilber@att.com]
Sent: Wednesday, May 08, 2002 8:13 AM
To: Joseph Hui; www-ws-arch@w3.org
Subject: RE: D-AR006.7 discussion points


Regarding Joe's comments about AT&T's suggestion, since AT&T thinks an
interoperable security framework is very important for web services, perhaps
we need to create a new goal to capture interoperability.  However you want
to handle it is OK with me as long as it is captured; I don't want to lose
it.
ayse


-----Original Message-----
From: Joseph Hui [mailto:Joseph.Hui@exodus.net]
Sent: Tuesday, May 07, 2002 5:30 PM
To: www-ws-arch@w3.org
Subject: RE: D-AR006.7 discussion points


> MSFT: To begin with, this should be called out as at a 
> different level of
> abstraction than the first 4 architectural requirements. 

You meant D-AR006.2 thru D-AR006.5?

> In addition,
> this is just a web service, of which there will be many alternatives.
  ^^^^ "This" referring to ...?

> INTEL: Need some explanation about using Public Key 
> Encryption (PKE), and not using PKI. 

That would give the chance for some to cry "too detailed, too
mechanismed, too ism'ed ..."  Wouldn't it? ;0)  
Anyway, PKE is a security primitive for key exchange and digital
signature.  PKI is the infrastructure for supporting such practice.
They are not competing candidates.

> Also, the requirement should have been independent of 
> any specific technology such as PKE.

This sounds politically correct.  However, for all practical purposes,
PKE stands out as the most viable technology for key exchange.

> SYBS: Is it in the charter to identify at such fine grain technologies
> to be used in Web Services

I don't think granularity of technologies is at issue with D-AR006.7.

> W3C: See http://lists.w3.org/Archives/Public/www-ws-arch/2002May/0019.html

In or out of scope?  I'll leave it to the WG's consensus.

> PF: I believe it sufficient that we say that public keys should be used.

This may come across to some as dictating mechanism.

> That is very different than saying that PKI should be used.  The use
> of public keys does not require PKI.

D-AR006.7 doesn't say or imply PKI should be used.  Note the mention
of KDC there.

> CrossWeave: This implies an implementation of authentication, integrity,
> and/or confidentiality.  We shouldn't be prescribing implementations.

I don't understand how C-AR006.7 could be interpreted this way.

> ATT: AT&T suggests to replace the word "include" with "INTEROPERABLE" so
> it reads: The security framework must INTEROPERATE with Key Management,
> pertaining to PKE and KDC

The suggested replacement sounds awkward to me, e.g. IMO it bends the 
statement so out of whack that the original meaning is lost.
>>> What we need is an interoperable framework.  Perhaps we need to define
>>> another goal to include the interoperability.

Joe Hui
Exodus, a Cable & Wireless service

Received on Thursday, 9 May 2002 15:21:14 UTC