- From: Hal Lockhart <hal.lockhart@entegrity.com>
- Date: Mon, 23 Sep 2002 14:05:20 -0400
- To: "'Ahmed, Zahid'" <zahid.ahmed@commerceone.com>, www-ws-arch@w3.org
- Message-ID: <899128A30EEDD1118FC900A0C9C74A3401034267@bigbird.gradient.com>
I agree with Danny that the terminology is a mess. There should be no implication that a real world name MUST be included.

I agree with Zahid. Some example participants are: Requester, Intermediary, Recipient, Codebase.

Hal

-----Original Message-----
From: Ahmed, Zahid [mailto:zahid.ahmed@commerceone.com]
Sent: Wednesday, September 18, 2002 5:16 PM
To: www-ws-arch@w3.org
Subject: RE: Issue 3: What does "identities of communicating parties" mean (AR006.2.1)?

To literally answer the question posed in the subject of this e-mail thread, it seems that:

Participating web services may need to verify the identities of multiple participants involved in a web service activity or in a SOAP message exchange. Participants may be applications, individuals, organizations, and possibly intermediaries. Such participants may need to be identified using a range of identity tokens with differing levels of security and issuing authorities. Some examples of identity tokens are: username/password token, binary token, X.509 cert, SAML assertion token, etc.

Zahid Ahmed

-----Original Message-----
From: Hugo Haas [mailto:hugo@w3.org]
Sent: Wednesday, September 18, 2002 10:28 AM
To: www-ws-arch@w3.org
Subject: Issue 3: What does "identities of communicating parties" mean (AR006.2.1)?

Hi all.

In our task of getting consensus on the requirements document, we didn't address issue 3[1] about the meaning of "identities of communicating parties".

AR006.2.1 reads[2]:

| + AR006.2.1 The security framework must enable Authentication
| for the identities of communicating parties.

Danny's email reads[3]:

| Requirement AR006.2.1 seeks to provide for authentication for the
| identities of communicating parties. The use of the term 'identity' should
| be clarified. As written, this requirement could mean that the legal name of a
| communicating party is to be authenticated, or simply that the identifier,
| whether name, email address, IP address, etc. associated with the
| communication is authenticated. If the meaning is the former, then it should
| be clarified that anonymous and pseudonymous communications must be
| supported. If the latter (much simpler from a privacy perspective) then the
| scope of this requirement should be narrowed.

I think that the latter is intended, but some security experts may disagree.

We should try and get consensus on the interpretation, and then maybe reword this requirement to better reflect the intent. Danny proposed to help us with the wording if necessary.

Chairs, could we have that on the agenda for this week's teleconference?

Thank you.

Regards,

Hugo

1. http://www.w3.org/2002/ws/arch/2/issues/wsa-issues.html#x3
2. http://www.w3.org/TR/2002/WD-wsa-reqs-20020819#AR006.2.1
3. http://lists.w3.org/Archives/Public/www-wsa-comments/2002Jun/0001.html

--
Hugo Haas - W3C
mailto:hugo@w3.org - http://www.w3.org/People/Hugo/
Received on Monday, 23 September 2002 14:08:07 UTC