- From: Hallam-Baker, Phillip <pbaker@verisign.com>
- Date: Thu, 7 Mar 2002 11:26:12 -0800
- To: "'Blair Dillaway'" <blaird@microsoft.com>, "Hallam-Baker, Phillip" <pbaker@verisign.com>, www-xkms@w3.org
- Message-ID: <2F3EC696EAEED311BB2D009027C3F4F4058699DC@vhqpostal.verisign.com>
> > 8. Use XML Encrypt for encrypting the private key > > > > Outstanding Issues > > > > [I-PayloadAuth] > > Require decision on how payload authentication is to be > > handled, in particular whether by a SOAP header or a > > signature within the Request packet. > > What type of authentication do we think is necessary here? Is this a > POP using the private key, demonstrating knowledge of an out-of-band > secret using a keyed mac, some external auth mechanism like > Passport or > Liberty? Since other folks are solving the general SOAP security > problem we should define one mechanism that is minimally acceptable. > I'm pretty sure this won't involve support for external authentication > systems. > > Use of a header may be easier for implementors. If authentication is > required and the header is missing you can stop processing without > parsing through the body. You also eliminate the need to > transform the > body element when the authentication is added. I agree that the ws-security draft appears to meet our needs, the problem is that ws-security is not in standards process anywhere so we cannot make a normative reference to it. Although I believe that the problem is tightly constrained enough that it is unlikely that the Integrity or confidentiality parts of the spec are going to be controvertial. Credentials is likely to be more of a challenge, particularly as it would connect to ws-license, SAML etc and give lots of scope for interaction. I would very much like to avoid 1) bodging the XKMS schema unnecessarily and 2) duplicating the work in ws-security. Phill
Attachments
- application/octet-stream attachment: Phillip_Hallam-Baker__E-mail_.vcf
Received on Thursday, 7 March 2002 14:25:35 UTC