RE: SOAP Confidentiality and Integrity: Next Step? from Krishna Sankar on 2002-06-19 (www-xkms@w3.org from June 2002)

From: Krishna Sankar <ksankar@cisco.com>
Date: Tue, 18 Jun 2002 21:10:25 -0700
To: <www-ws-arch@w3.org>, <xml-encryption@w3.org>, <3.org@w3.org>, <www-xkms@w3.org>, <reagle@w3.org>
Message-ID: <00e201c21747$3f7abb40$15d3fea9@amer.cisco.com>
Joe,

	We all have been working on many point standards, but the
cohesiveness and the coherence is missing. This is very important
especially in the security aspects. It is long overdue and has been an
obstacle in the web services area.

	In short, I share your urgency in defining a web security (which
is quickly becoming an oxymoron :o() You have our support in clearly and
crisply defining an activity which potentially begins with the
ws-security specification. I do think we need to include the Tokens as
well. We also need to seek convergence - by incorporating the OASIS
security standards - SAML,XACML and XrML. I see this activity as
supporting the future security proposal from the WS-Arch team. Naturally
you have our support for participation as well.

	One question I have is the time boxing. I had raised this
question during the formation of the WS Description group as well. As
far as what I know, the W3C process does not have a provision to time
box any effort. 

	Another question is the formation process - what do we do or
more precisely where do we start ? In [2] you were suggesting
evangelizing/influencing the WS-Arch group. From what I read, in this
e-mail your thoughts are to form a focused WG but still a W3C wg. One of
the concerns I have is the 12-15 months it takes to initiative and
deliver a standard from W3C. I am appreciative of and support the peer
review and the rigor the W3C process brings into a domain. But could we
have a light-weight, accelerated process for W3C standards ? May be this
is a good time to test this. May be we need a process to deliver
something between an amorphous note and a definitive W3C standard. 

Cheers
	

|  -----Original Message-----
|  From: xml-encryption-request@w3.org 
|  [mailto:xml-encryption-request@w3.org] On Behalf Of Joseph Reagle
|  Sent: Tuesday, June 18, 2002 10:24 AM
|  To: www-ws-arch@w3.org
|  Cc: xml-encryption@w3.org; 3.org@w3.org; www-xkms@w3.org
|  Subject: SOAP Confidentiality and Integrity: Next Step?
|  
|  
|  
|  
|  This email is a final step in a thread in how to start work 
|  on providing 
|  confidentiality and integrity for SOAP messages. I've 
|  discused a range of 
|  security issues [1] with a conclusion that this topic 
|  (soap+xmldsig+xenc) 
|  is most pressing; however, I was not able to find agreement 
|  that this issue 
|  should be shoe-horned into an existing WG, instead it should 
|  be part of the 
|  Web Services security. [2]
|  
|  Though I'm relatively ignorant of the ws-arch discussions, 
|  I've heard the 
|  ws-arch WG is considering this issue and will try to have charters 
|  available for work in July [3], but that the immediate issue 
|  might also be 
|  delayed be consideration of the bigger issues. Consequently, 
|  I'd recommend 
|  that a charter for work in the WS Activity be specified with 
|  a scope no 
|  larger than [4] -- and potentially more narrow (e.g., 
|  without tokens). A 
|  "web services security" community does not yet exist (or it 
|  does, but it's 
|  fragmented) and starting work on this immediately not only 
|  commences with 
|  the work, but helps build a community which then can 
|  contribute to the 
|  larger discussion. For instance, because standardized 
|  security components 
|  do not yet exist, specifications such as XKMS [5] may end up 
|  specifying 
|  "one-off" versions in the short term. However, these could 
|  be contributed 
|  to the WS work. We all know somebody who knows somebody who 
|  is in the other 
|  WG, but sometimes that isn't quite enough. <smile/>
|  
|  In conclusion, I advocate a charter with specific and 
|  immediate terms, and 
|  an active recruitment of participants. Please let me know if 
|  and how events 
|  are likely to be otherwise. Thanks!
|  
|  
|  [1] 
|  http://lists.w3.org/Archives/Member/w3c-ac-|
forum/2002AprJun/0022.html
|  [2] 
|  http://lists.w3.org/Archives/Public/www-xenc-xmlp-tf/2002Jun/
0002.html
[3] http://www.w3.org/2002/05/28-ws-cg-irc.txt
[4] 
http://www-106.ibm.com/developerworks/security/library/ws-secure/?dwzone
=security
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnglobs
pec/html/ws-security.asp
[5] http://lists.w3.org/Archives/Public/www-xkms/2002Jun/0016.html


--
Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature/
W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/
Received on Wednesday, 19 June 2002 00:11:12 UTC