- From: Christopher Ferris <chris.ferris@sun.com>
- Date: Thu, 04 Apr 2002 08:07:41 -0500
- To: David Orchard <dorchard@bea.com>
- CC: "'www-xenc-xmlp-tf'" <www-xenc-xmlp-tf@w3.org>
Some thoughts/comments.

David Orchard wrote:

> Some process questions, in no particular order:
>
> 1. What namespace(s) would we use? SOAP-SEC uses xmlsoap.org, and I assume
> we'd have to switch to w3.org.

I'd think so.

> 2. What names for specs? WS-Sec? WS-Security (and another number of
> interesting names) are taken by MSFT.

How 'bout SOAP Security Extensions

> 3. Do you see taking specs and modifying them, with new editors from our
> task force?
> 4. I think that MSFT has updated/changed from SOAP-SEC to WS-Security, so it
> would be worthwhile knowing the reasons. In particular, I'd like to know if
> there was new or updated thinking.

There are some improvements over SOAP-SEC. It separates out credentials
from integrity (purpose) which is important. Absent some OOB info, a
Signature doesn't really tell you much about why the sender included it.
Is it there solely to ensure that the message hasn't been tampered with
by a MITM attack? Is it there to provide some manner of credentials that
the sender could be authenticated? Is it both?

IMO, there needs to be more work in this area.

> 5. I think that we should get a small list of requirements as well. Might
> make it easier for WSArch to take any output. :)

- SOAP C14N needs to be addressed
- Profiling of cypher suites support will also be key.
- what to sign, what not to sign
- when to sign
- when to verify

> 6. Is this a public list?
>
> Cheers,
> Dave
>
>>-----Original Message-----
>>From: www-xenc-xmlp-tf-request@w3.org
>>[mailto:www-xenc-xmlp-tf-request@w3.org]On Behalf Of Joseph Reagle
>>Sent: Wednesday, April 03, 2002 12:37 PM
>>To: David Orchard; 'www-xenc-xmlp-tf'
>>Cc: MARUYAMA@jp.ibm.com; Takeshi Imamura; Maryann Hondo
>>Subject: Re: SOAP headers for xmldsig and xenc
>>
>>On Wednesday 03 April 2002 15:11, David Orchard wrote:
>>
>>>I'm interested.
>>>Are there any issues around using or re-using the 2 specs listed, such as
>>>IP?
>>
>>For any future work, I consider anything on this xenc-xmlp task force list
>>to be under the terms of the xenc or xmlp charters.
>>
>>With respect to existing copyright, on the soap-sec note MS's declaration
>>is very clear [1] and there would be no room for concern on that note.
>>IBM's declaration isn't clear but I wouldn't expect a problem. On Hiroshi's
>>email [2], again, I wouldn't expect a problem -- and I'm sort of hoping
>>someone in Tokyo will volunteer. <smile/> So from the point of view of the
>>copyright, I don't see any major hurdle from starting to work ASAP. It'd be
>>best that in the draft we say that this work is being done in accordance
>>with [3].
>>
>>With respect to existing patents, that's more difficult. However, as I said
>>at first, I expect work on this list to be compatible with the xenc/xmlp
>>charters and the document should say, "the intended audience of this
>>document is as a contribution to the Web Services and/or XML Encryption
>>activities." If/when a document was considered as a formal deliverable of
>>some chartered activity, that'd be the time we make sure we have the
>>formalities accounted for.
>>
>>[1] http://www.w3.org/Submission/2001/01/
>>Microsoft hereby grants to the W3C a perpetual, nonexclusive,
>>non-sublicensable, non assignable, royalty-free, world-wide right and
>>license under any Microsoft copyrights in this contribution to copy,
>>publish and distribute the contribution, as well as a right and license of
>>the same scope to any derivative works prepared by the W3C and based on, or
>>incorporating all or part of the contribution.
>>[2] http://lists.w3.org/Archives/Public/www-xenc-xmlp-tf/2001Dec/0001.html
>>[3] http://www.w3.org/Encryption/2001/Contributor.html#Copyright
>>
>>--
>>
>>Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
>>W3C Policy Analyst                mailto:reagle@w3.org
>>IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature/
>>W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/

Received on Thursday, 4 April 2002 08:08:44 UTC