Re: Following up on XML Security

Joseph,

It's good to see this progressing.

I'd argue for avenue #1 for tackling the immediate requirement though
clearly care is needed to ensure that the scope isn't too broad.

I think avenue #2 still needs to be followed regardless of how the
immediate requirement is handled since there will (IMO) be a need
for a much broader view of web services security that can encompass
e.g. anti-DoS approaches. 

Having xenc or xkms provide the mechanism and a ws wg write up how 
and when to use the mechanism sounds about right.

Also, I'd be surprised if avenue #2 could really get started in July (but
great, if so!), and when they start one thing they'll have to tackle
is the relationship with the xrml/xacml/saml and other work in oasis
which might delay things 'till the end of the summer all by itself;-)

Finally, I could argue either way as to whether xenc or xkms is the
better wg, but on balance I'd lean toward xkms since I see xkms as
being between xenc and soap in the stack, so maybe the xkms interested
parties are more likely to be interested. One option would be to poll the
two wgs and see which is the more enthusiastic.

Stephen.

Joseph Reagle wrote:
> 
> After the discussion regarding the "XML Security Horizon" (at the AC
> meeting and elsewhere) the obvious question is how to best satisfy the
> immediate requirement for integrating dsig, xenc, and SOAP. This *should*
> be straightforward and I've encouraged discussion but evidently absent this
> work being explicitly part of a chartered activity there won't be much
> progress because of IPR concerns.
> 
> There are two potential avenues.
> 1. Expand the charter of an existing WG. xenc and xkms have been offered as
> potential candidates. The charters for xenc, xmldsig, and xkms are all due
> a revision... If we pursue this path, I favor enlarging the scope of xenc
> since it is already concerned with working with xmldsig in scenarios like
> SOAP, and if there are any difficult parts of the work, it probably will be
> related to the attachment/detachment of payloads under signature, which is
> something the xenc folks are tackling with respect to [1].
> 2. I understand the WS Arch WG should be proposing a charter for a
> full-blood web service security WG. I understand they are aiming for end
> July.
> 
> Anyone with thoughts on which specific option you prefer, or expectations
> regarding the timing of option 2?
> 
> [1] http://www.w3.org/Encryption/2001/Drafts/xmlenc-decrypt.html
> 
> --
> 
> Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
> W3C Policy Analyst                mailto:reagle@w3.org
> IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature/
> W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/

-- 
____________________________________________________________
Stephen Farrell         				   
Baltimore Technologies,   tel: (direct line) +353 1 881 6716
39 Parkgate Street,                     fax: +353 1 881 7000
Dublin 8.                mailto:stephen.farrell@baltimore.ie
Ireland                             http://www.baltimore.com

Received on Friday, 31 May 2002 06:21:26 UTC