W3C home > Mailing lists > Public > www-xkms@w3.org > March 2002

RE: Proposed spec changes

From: Hallam-Baker, Phillip <pbaker@verisign.com>
Date: Thu, 7 Mar 2002 11:26:12 -0800
Message-ID: <2F3EC696EAEED311BB2D009027C3F4F4058699DC@vhqpostal.verisign.com>
To: "'Blair Dillaway'" <blaird@microsoft.com>, "Hallam-Baker, Phillip" <pbaker@verisign.com>, www-xkms@w3.org
> > 8. Use XML Encrypt for encrypting the private key
> > 
> > Outstanding Issues
> > 
> > [I-PayloadAuth]
> > 	Require decision on how payload authentication is to be 
> > handled, in particular whether by a SOAP header or a 
> > signature within the Request packet.
> 
> What type of authentication do we think is necessary here?  Is this a
> POP using the private key, demonstrating knowledge of an out-of-band
> secret using a keyed mac, some external auth mechanism like 
> Passport or
> Liberty?  Since other folks are solving the general SOAP security
> problem we should define one mechanism that is minimally acceptable.
> I'm pretty sure this won't involve support for external authentication
> systems.
> 
> Use of a header may be easier for implementors.  If authentication is
> required and the header is missing you can stop processing without
> parsing through the body.  You also eliminate the need to 
> transform the
> body element when the authentication is added.

I agree that the ws-security draft appears to meet our needs, the problem is
that ws-security is not in standards process anywhere so we cannot make a
normative reference to it. Although I believe that the problem is tightly
constrained enough that it is unlikely that the Integrity or confidentiality
parts of the spec are going to be controvertial.

Credentials is likely to be more of a challenge, particularly as it would
connect to ws-license, SAML etc and give lots of scope for interaction.

I would very much like to avoid 1) bodging the XKMS schema unnecessarily and
2) duplicating the work in ws-security.


		Phill




Received on Thursday, 7 March 2002 14:25:35 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:31:38 UTC