RE: Issue 3: What does "identities of communicating parties" mean (AR006.2.1)? from Ahmed, Zahid on 2002-09-18 (www-ws-arch@w3.org from September 2002)

From: Ahmed, Zahid <zahid.ahmed@commerceone.com>
Date: Wed, 18 Sep 2002 14:15:58 -0700
To: www-ws-arch@w3.org
Message-ID: <C1E0143CD365A445A4417083BF6F42CC02F8930F@C1plenaexm07.commerceone.com>

To literally answer the question posed in the subject of this
e-mail thread, it seems that:

Participating web services may need to verify the identities 
of multiple participants involved in a web service activity or in 
a SOAP message exchange. Participants may be applications, 
individuals, organizations, and possibly intermediaries. Such
participants may need to be identified using a range of identity 
tokens with differing levels of security and issuing authorities.

Somme examples of identity tokens are: username/password token, 
binary token, X.509 cert, SAML assertion token, etc.


Zahid Ahmed

-----Original Message-----
From: Hugo Haas [mailto:hugo@w3.org]
Sent: Wednesday, September 18, 2002 10:28 AM
To: www-ws-arch@w3.org
Subject: Issue 3: What does "identities of communicating parties" mean
(AR006.2.1)?



Hi all.

In our task of getting consensus on the requirements document, we
didn't address issue 3[1] about the meaning of "identities of
communicating parties".

AR006.2.1 reads[2]:

| + AR006.2.1 The security framework must enable Authentication
|   for the identities of communicating parties.

Danny's email reads[3]:

| Requirement AR006.2.1 seeks to provide from authentication for the
| identities of communicating parties. The use of the term 'identity' should
| be clarified. As written, this requirement could me that the legal name of
a
| communicating party is to be authenticated, or simply that the identifier,
| whether name, email address, IP address, etc. associated with the
| communication is authenticated. If the meaning is the former, then it
should
| be clarified that anonymous and pseudonymous communications must be
| supported. If the latter (much simpler from a privacy perspective) then
the
| scope of this requirement should be narrowed.

I think that the latter is intended, but some security experts may
disagree.

We should try and get consensus on the interpretation, and then maybe
reword this requirement to better reflect the intent. Danny proposed
to help us with the wording if necessary.

Chairs, could we have that on the agenda for this week's
teleconference? Thank you.

Regards,

Hugo

  1. http://www.w3.org/2002/ws/arch/2/issues/wsa-issues.html#x3
  2. http://www.w3.org/TR/2002/WD-wsa-reqs-20020819#AR006.2.1
  3. http://lists.w3.org/Archives/Public/www-wsa-comments/2002Jun/0001.html
-- 
Hugo Haas - W3C
mailto:hugo@w3.org - http://www.w3.org/People/Hugo/

Received on Wednesday, 18 September 2002 17:15:54 UTC