RE: Issue 3: What does "identities of communicating parties" mean (AR006.2.1)?

I agree with Danny that the terminology is a mess. There should be no
implication that a real world name MUST be included. 
 
I agree with Zahid. Some example participants are: Requester, Intermediary,
Recipient, Codebase.
 
Hal
 
 -----Original Message-----
From: Ahmed, Zahid [mailto:zahid.ahmed@commerceone.com]
Sent: Wednesday, September 18, 2002 5:16 PM
To: www-ws-arch@w3.org
Subject: RE: Issue 3: What does "identities of communicating parties" mean
(AR006.2.1)?



To literally answer the question posed in the subject of this 
e-mail thread, it seems that: 

Participating web services may need to verify the identities 
of multiple participants involved in a web service activity or in 
a SOAP message exchange. Participants may be applications, 
individuals, organizations, and possibly intermediaries. Such 
participants may need to be identified using a range of identity 
tokens with differing levels of security and issuing authorities. 

Some examples of identity tokens are: username/password token, 
binary token, X.509 cert, SAML assertion token, etc. 


Zahid Ahmed 

-----Original Message----- 
From: Hugo Haas [mailto:hugo@w3.org] 
Sent: Wednesday, September 18, 2002 10:28 AM 
To: www-ws-arch@w3.org 
Subject: Issue 3: What does "identities of communicating parties" mean 
(AR006.2.1)? 



Hi all. 

In our task of getting consensus on the requirements document, we 
didn't address issue 3[1] about the meaning of "identities of 
communicating parties". 

AR006.2.1 reads[2]: 

| + AR006.2.1 The security framework must enable Authentication 
|   for the identities of communicating parties. 

Danny's email reads[3]: 

| Requirement AR006.2.1 seeks to provide for authentication for the 
| identities of communicating parties. The use of the term 'identity' should
| be clarified. As written, this requirement could mean that the legal name of a
| communicating party is to be authenticated, or simply that the identifier,
| whether name, email address, IP address, etc. associated with the 
| communication is authenticated. If the meaning is the former, then it should
| be clarified that anonymous and pseudonymous communications must be 
| supported. If the latter (much simpler from a privacy perspective) then the
| scope of this requirement should be narrowed. 

I think that the latter is intended, but some security experts may 
disagree. 

We should try and get consensus on the interpretation, and then maybe 
reword this requirement to better reflect the intent. Danny proposed 
to help us with the wording if necessary. 

Chairs, could we have that on the agenda for this week's 
teleconference? Thank you. 

Regards, 

Hugo 

  1. http://www.w3.org/2002/ws/arch/2/issues/wsa-issues.html#x3
  2. http://www.w3.org/TR/2002/WD-wsa-reqs-20020819#AR006.2.1
  3. http://lists.w3.org/Archives/Public/www-wsa-comments/2002Jun/0001.html
-- 
Hugo Haas - W3C 
mailto:hugo@w3.org - http://www.w3.org/People/Hugo/

Received on Monday, 23 September 2002 14:08:07 UTC