- From: Dournaee, Blake <bdournaee@rsasecurity.com>
- Date: Thu, 20 Jun 2002 11:52:28 -0700
- To: "'Joseph Hui'" <Joseph.Hui@exodus.net>, Krishna Sankar <ksankar@cisco.com>, www-ws-arch@w3.org, xml-encryption@w3.org, www-xkms@w3.org, reagle@w3.org
Hello All,

Where exactly do we stand in terms of existing proposals (W3C Notes, additional specs, etc.) that offer confidentiality and integrity for SOAP messages? We have [1], which has been used in practice by some of RSA's customers. Is this the only existing piece of work on the subject? I am referring to proposed specifications on how one might go about encrypting and/or signing portions of a SOAP document using XML Signature and XML Encryption.

After re-reading [1] below, I think it is a good place to start since it does propose a namespace for secure extensions to SOAP. My guess from a practical implementation point of view is that if an equivalent 'SOAP-enc' proposal/Note was generated, even as a note, this would provide a starting point and take some of the heat off of the urgency to roll the contents of [1] into a 'secure web services' working group or even a smaller SOAP security WG.

I see the problem of "how do I use XML Signature and Encryption with a SOAP message" as separate and distinct from "how do I secure my web service". One problem is of course a subset of the other, but why wait for the smaller problem to be solved within a larger, process-laden working group when the smaller problem can be solved quickly (shortest job first) and then the results of these two notes can be brought into the larger "Secure Web Services WG" and rolled into the larger solution?

This is just an observation that I had; there may be constraints that I'm not seeing. If so, please let me know.

[1] http://www.w3.org/TR/SOAP-dsig/

Regards,

Blake Dournaee
Toolkit Applications Engineer
RSA Security

"The only thing I know is that I know nothing" - Socrates

-----Original Message-----
From: Joseph Hui [mailto:Joseph.Hui@exodus.net]
Sent: Wednesday, June 19, 2002 9:44 PM
To: Krishna Sankar; www-ws-arch@w3.org; xml-encryption@w3.org; www-xkms@w3.org; reagle@w3.org
Subject: RE: SOAP Confidentiality and Integrity: Next Step?
Krishna,

I'm by no means opposed to Joseph Reagle's proposal or the formation of a new WS or SOAP security WG, which happens to be in line with what Dave Orchard and some others were pushing and receiving pushback on. (I as the sec champion would rather be as neutral as possible on the issue, and stick with shepherding the process with technical analysis and clarification where appropriate.) There were some concrete steps we were slated to take in this area as an upshot of the Paris F2F. For now I'd rather not jump the gun here before Chris the chair's cue on the matter.

My messages were quite clear and simple, I think: 1) a rebuttal to Dave Orchard's "observations" and mis-characterization of the hitherto efforts and accomplishments on the security front within WSAWG; and 2) a word of caution to arrest a potential slide into finger pointing.

Cheers,

Joe Hui
Exodus, a Cable & Wireless service
=================================================

> -----Original Message-----
> From: Krishna Sankar [mailto:ksankar@cisco.com]
> Sent: Wednesday, June 19, 2002 8:52 PM
> To: www-ws-arch@w3.org; xml-encryption@w3.org; www-xkms@w3.org; reagle@w3.org
> Subject: RE: SOAP Confidentiality and Integrity: Next Step?
>
> Joseph Hui,
>
> I have been observing the WS-Arch security related proceedings with interest and concern. On one side we are doing the right peer-review and the disciplined-rigorous approach, which is good. OTOH, it is a process by a committee, which means we will make some compromises and it would take time. You know how long we took just to agree on definitions.
>
> Usually I do not agree with Dave Orchard that easily, but on this occasion I do agree with him. Any W3C effort - as a result of the WS-Arch definition in the security arena - would be able to start at the earliest by Nov 2002, which means any standard to the CR level would be Nov 2003.
>
> From my understanding, what Joseph Reagle is attempting to do (I also support him on this) is to achieve a standardized way for integrity & confidentiality for SOAP; I would add the transport of tokens (a.k.a. SAML assertions, Kerberos tickets, ...) over SOAP as well into this effort. This clearly requires a lightweight and faster process than the yet-to-be-proposed Security initiative by the WS-Arch group. Remember, if the question was the other way round - i.e. if we want a security architecture for web services that envelopes secure conversation, policies, ... (like the security arch paper from IBM et al) - my answer would be different, in fact opposite!
>
> The proposed mini-group (let us call it SOAP Security WG) actually has a lot of synergy with the yet-to-be-proposed WS-Security WG. It relieves us - the WS-Arch group - of the daily trifles and the urgency of defining a short term deliverable (to plug the leaks - literally!) and it frees the SOAP Security WG of defining an all encompassing comprehensive security architecture. The best of both worlds!
>
> cheers
Received on Thursday, 20 June 2002 14:45:52 UTC