Re: Proposed spec changes

> > As for #4, add Service URI element:  Do you mean to all requests?  If
> > so, yes.  Should be in reply, too?  I dunno.
> 
> This is agains something that might profitably be pushed into the SOAP
> layer, although perhaps not since it would complicate the signature and we
> might well want to say that the service URI is the logical URI of the
> service, the responder can decide to accept messages originally sent
> elsewhere if it chooses.

Right, that makes sense.  I don't like putting it in the SOAP layer.  In
essence, the "service URI" is like the CPS, and that should be part of
the request and/or response.

> It is a bit more than that since we could have a detached sig in our request
> message or define a SOAP header.
> 
> I much prefer using a SOAP header, it is a much more reusable mechanism. But
> we may end up implementing ws-security that route.

Yeah, because of general soap auth issues (ws-security, whatever w3c
creates, etc), I prefer to allow folks to put a signature into the
request.  But from an implementation, that's harder, so overall I'm
kinda neutral.  I *DO* like the idea of having a single signed message,
for later "dispute resolution" handling.

> Are they getting anywhere? Is their current spec firm enough for us to build
> on? What timescale could we realistically expect them to deliver a spec in
> (as opposed to their alleged milestones)?

I think SOAP 1.2 is pretty much done, as far as XKMS is concerned. 
There is some flailing about for the SOAP RPC Encoding, which isn't
appropriate here, and there's some discussion of the HTTP binding, but
the action items and open issues are really hardcore nitty-gritty
things.  The group is already starting to poll for when vendors will
commit to shiping 1.2 implementations.  SOAP 1.2 be mostly-frozen (i.e.,
CR state) well before we need it to be.
	/r$
-- 
Zolera Systems, Securing web services (XML, SOAP, Signatures,
Encryption)
http://www.zolera.com

Received on Wednesday, 6 March 2002 19:01:36 UTC