RE: Following up on XML Security from Krishna Sankar on 2002-06-01 (www-xenc-xmlp-tf@w3.org from June 2002)

From: Krishna Sankar <ksankar@cisco.com>
Date: Fri, 31 May 2002 18:00:06 -0700
To: <reagle@w3.org>, "'Hallam-Baker, Phillip'" <pbaker@verisign.com>, <stephen.farrell@baltimore.ie>
Cc: <w3c-security-ig@w3.org>, <www-xenc-xmlp-tf@w3.org>, <hugo@w3.org>, <asirv@webmethods.com>, <Shivaram.Mysore@sun.com>, <fallside@us.ibm.com>, <dturner@microsoft.com>
Message-ID: <007301c20907$b1cb58b0$b40c47ab@amer.cisco.com>

Hi all,

	I also echo the sentiments expressed here. 

	We have at least two sets of things to take care of 

	a)	A quick short term wg to figure out how XML Signature,
XML Encryption, tokens,... ride on SOAP. WS-Security is a good start,
but would be good to add in the required public group work.

	b)	A holistic Web Services Security - long term work.

	#a) would fit in nicely with XML Encryption and #b) with the
yet-to-be-proposed W3C Security WG.

	I am encouraged by Joe's assertion that #a) could be
incorporated into the charter of XML Signature/XML Encryption and we
could start working within a weeks (the latter is my inference) I think
XML Enc/Signature is a natural fit for #a) than XKMS. That is just my
uninformed opinion.

	I have two questions : 

	a)	What do we do about Trust Models ? Discuss and add as
sections ?

	b)	What about policies and assertions ? Do we consider
XrML, XACML and SAML essentially as tokens/claims ?

	The need of the hour is speed - we should be able to organize
and start working. Also we need to make sure we have a
small-yet-effective-deliverable as our charter.

cheers

|  -----Original Message-----
|  From: w3c-security-ig-request@w3.org 
|  [mailto:w3c-security-ig-request@w3.org] On Behalf Of Joseph Reagle
|  Sent: Friday, May 31, 2002 4:42 PM
|  To: Hallam-Baker, Phillip; 'stephen.farrell@baltimore.ie'
|  Cc: w3c-security-ig@w3.org; www-xenc-xmlp-tf@w3.org; 
|  hugo@w3.org; asirv@webmethods.com; Hallam-Baker, Phillip; 
|  Shivaram.Mysore@Sun.COM; fallside@us.ibm.com; dturner@microsoft.com
|  Subject: Re: Following up on XML Security
|  
|  
|  
|  On Friday 31 May 2002 11:54 am, Hallam-Baker, Phillip wrote:
|  > I think that there are issues that have to be fixed in 
|  both groups, but
|  > that the bulk of the work should be done in XKMS. 
|  Otherwise I agree with
|  > Stephen, except to say that if the work is going to take 
|  place in W3C it
|  > is going to have to start very, very soon.
|  
|  I could start work on new charters for dsig, xenc next week 
|  (and work with 
|  the chairs on XKMS depending on their time).
|  
|  1. There's the question of how basic SOAP headers and 
|  processing with 
|  xlmdsig and xenc. It's already in the scope of XENC charter 
|  to make sure 
|  these things can work together but not to specify them. I think its 
|  reasonable to extend the charter to do so (as mostly done in 
|  [1] sans the 
|  token/kerberos stuff).
|  2. There's the question of tokens and kerberos support. I 
|  don't understand 
|  this quite yet (e.g., in 1.2 why is the UsernameToken above 
|  the Signature, 
|  but a reference to it is in the KeyInfo. Why not locate it 
|  in the KeyInfo?) 
|  I'm not sure where this should be addressed.
|  3. You mentioned a Kerberos KeyInfo. That sounds reasonable 
|  but one of the 
|  things I don't understand, per above, is how this is 
|  different than the 
|  token? Could it be tiny in a short spec? Also, do we imagine every  
|  algorithm and key structure needs to be standardized by the W3C?
|  4. You state, "The Security and SecureConversation issues 
|  have already been 
|  addressed in XKMS insofar as they relate to problems that 
|  any secure web 
|  service must address." Which parts of the XKMS spec, 
|  specifically, do you 
|  mean? Can they be seperated into a different namespace/spec 
|  for easy re-use 
|  or handing off to a WS-Security WG?
|  
|  [1] 
|  http://msdn.microsoft.com/library/en-us/dnglobspec/html/ws-se
curity.asp?frame=true

> XKMS is very largely complete, but the issue of layering on a common
web
> services security framework or not inevitably introduces delay.

I consider it pretty close to functionally complete (unless the WG
accepts 
new requirements), but there's still a lot of work to do.

> Already
> there is an expectation that at some point in the future there will be
an
> XKMS layered on whatever becomes of the GXA in whatever forum. So it
is
> likely to be difficult to convince people that a non gxa layered XKMS
> represents a stable industry standard consensus.
>
> Given that the GXA/Whatever work in those areas is going to delay XKMS
> until it is complete the WG might as well begin addressing the issue.

I'm not aware of this depenendency. In what way must XKMS wait for it?
The 
idea is to put out modular specs that can be of service quickly without
too 
many depenencies.

> There are other security issues that have to be considered of course.
The
> ws-policy and ws-privacy components of the GXA for example, however
these
> are going to have a dependence on WSDL while implementers of
application
> specs such as XKMS and SAML can implement without those layers being
> completed and so they could be safely left to the July security group.
> This is also an area that will progress beyond pure security work and
so
> chartering a new group night make sense for that reason.

I agree with this.

Received on Saturday, 1 June 2002 15:46:42 UTC