
security-services message



Subject: RE: [security-services] FW: SOAP Confidentiality and Integrity: Next Step?


Now I am sorry I made what was somewhat of an off hand message. I am very enthusiastic about this decision and did not mean to suggest any criticism of the W3C. I was simply trying to underline the notion that we are not likely to get competing efforts to create the same specification.
 
Having already been publicly critical of eWeek's coverage of SAML and WS-Security it seems in retrospect, foolishly inconsistent to have cited their dubious editorial slant on this announcement.
 
I think there is lots of work to be done here. The Web Services Security Roadmap sets out an ambitious vision and we can use as many knowledgeable people as possible working on all aspects of the problem. I welcome the opportunity for security efforts to be coordinated both within OASIS via the Security JC and between OASIS and the W3C.
 
Memories are short, but when SAML was begun, there was a distinct possibility of the authorization community being split into distinct camps around competing standards. That this did not happen is a tribute to the organizations who participated in SAML. They correctly judged that agreement on a single standard was not only the only sensible technical solution, but the one that would better serve their own business interests than any short term proprietary advantage.
 
Another article, here:
 
http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2872547,00.html
 
by Eric Knorr of ZDNet reports:
 
Just as important as the players involved, however, is the decision by Microsoft, IBM, and VeriSign to ensure WS-Security will be royalty-free. Explicitly, no party will be able to collect licensing fees from the use of WS-Security, a stipulation that Smith told me was a prerequisite for Sun's participation. He believes the proposed royalty-free license is "sufficient in all regards. Had they not done that, we would not have participated." 
 
 I don't quite see how they expect to enforce this on others, but if it is true that MS, IBM, VeriSign and Sun have taken this pledge (and I am confident HP is on board as well) then it is hard to imagine some other company with a blocking patent taking a hard line. This could have a significant impact on the Rights Language TC and XACML.
 
Hal
 -----Original Message-----
From: blakley@us.ibm.com [mailto:blakley@us.ibm.com]
Sent: Thursday, June 27, 2002 6:18 PM
To: Hal Lockhart
Cc: 'Hallam-Baker, Phillip'; RL 'Bob' Morgan; OASIS Security Services TC
Subject: RE: [security-services] FW: SOAP Confidentiality and Integrity: Next Step?

I don't attend W3C and don't work on security standards there. I also don't know Eric.
It may be true that the W3C Web Services Architecture Group has been trying to create
a security group for some time, but even if that is true, it hasn't got anything to do with our
decision to submit WS-Security to OASIS; that decision was made on its own merits.

--bob

Bob Blakley (email: blakley@us.ibm.com phone: +1 512 286-2240 fax: +1 512 286-2057)
Chief Scientist, Security and Privacy, IBM Tivoli Software

To: George Robert Blakley III/Austin/IBM@IBMUS
cc: "'Hallam-Baker, Phillip'" <pbaker@verisign.com>, "RL 'Bob' Morgan" <rlmorgan@washington.edu>, OASIS Security Services TC <security-services@lists.oasis-open.org>
Subject: RE: [security-services] FW: SOAP Confidentiality and Integrity: Next Step?




Ok, Bob you caught me. I looked it up and the quote was in an eWeek article here:
 


http://www.eweek.com/article2/0,3959,290627,00.asp

 

The quote I was referring to was:


Eric Newcomer, chief technology officer of Iona Technologies Inc., in Waltham, Mass., and a founding member of the working group that will handle the WS-Security standards effort within OASIS, said from his perspective IBM and Microsoft grew "impatient" with the efforts of the Worldwide Web Consortium (W3C) to deliver a standard around security and Web services.

Newcomer, a member of the W3C Web Services Architecture Working Group, said the group has been trying to create a security working group at the W3C to no avail. "It's hard to do," he said.

However, "I'd say it's a good choice," Newcomer said of the decision to push the standard through OASIS. "They have a good track record" delivering standards, he said.

What I said was:

Actually the Yahoo news article has a long quote about how they wanted to go to W3C but were rebuffed. So I think that particular bridge is fairly well burnt.


I stand by that. I did not say:

submitted WS-Security to W3C

You did.

However, this all is a distraction from the main point. Which was what I said about the Security JC, which I think all of a sudden will not be a waste of time as I feared.

Hal
-----Original Message-----
From: blakley@us.ibm.com [mailto:blakley@us.ibm.com]
Sent: Thursday, June 27, 2002 6:03 PM
To: Hal Lockhart
Cc: 'Hallam-Baker, Phillip'; RL 'Bob' Morgan; OASIS Security Services TC
Subject: RE: [security-services] FW: SOAP Confidentiality and Integrity: Next Step?


Hmmm? Which Yahoo news article? I didn't see that quote.

In any event, it is not true that we submitted WS-Security to W3C and it is not true that we were rebuffed.
I know of no reason to believe that any bridge is burnt.

--bob

Bob Blakley (email: blakley@us.ibm.com phone: +1 512 286-2240 fax: +1 512 286-2057)
Chief Scientist, Security and Privacy, IBM Tivoli Software

To: "'Hallam-Baker, Phillip'" <pbaker@verisign.com>, "RL 'Bob' Morgan" <rlmorgan@washington.edu>, OASIS Security Services TC <security-services@lists.oasis-open.org>
cc:
Subject: RE: [security-services] FW: SOAP Confidentiality and Integrity: Next Step?





Actually the Yahoo news article has a long quote about how they wanted to go to W3C but were rebuffed. So I think that particular bridge is fairly well burnt.

One thing a lot of people haven't realized yet is that the new TC will have to liaison with the Security JC. So we will have a pretty good forum for achieving cooperation amongst the several Security TCs. If they had gone to W3C, we would have had to try to establish liaison with each TC individually, if at all.

Hal

> -----Original Message-----
> From: Hallam-Baker, Phillip [mailto:pbaker@verisign.com]
> Sent: Thursday, June 27, 2002 1:15 PM
> To: RL 'Bob' Morgan; OASIS Security Services TC
> Subject: RE: [security-services] FW: SOAP Confidentiality and Integrity: Next Step?
>
>
> No, I don't think we can say that. However the chances
> of the W3C membership approving a direct competitor to
> WS-Security are negligible.
>
>               Phill
>
> > -----Original Message-----
> > From: RL 'Bob' Morgan [mailto:rlmorgan@washington.edu]
> > Sent: Thursday, June 27, 2002 12:41 PM
> > To: OASIS Security Services TC
> > Subject: Re: [security-services] FW: SOAP Confidentiality and
> > Integrity:
> > Next Step?
> >
> >
> >
> > Does the submission of the WS-Security specs to OASIS (and
> the meeting
> > announced by Phill) mean that there will *not* be a "web services
> > security" activity chartered within the W3C?
> >
> >  - RL "Bob"
> >
> > ---
> >
> > > -----Original Message-----
> > > From: Joseph Reagle [mailto:reagle@w3.org]
> > > Sent: Tuesday, June 18, 2002 1:24 PM
> > > To: www-ws-arch@w3.org
> > > Cc: xml-encryption@w3.org; 3.org@w3.org; www-xkms@w3.org
> > > Subject: SOAP Confidentiality and Integrity: Next Step?
> > >
> > >
> > >
> > >
> > > This email is a final step in a thread in how to start work
> > on providing
> > > confidentiality and integrity for SOAP messages. I've
> > discussed a range of
> > > security issues [1] with a conclusion that this topic
> > (soap+xmldsig+xenc)
> > > is most pressing; however, I was not able to find agreement
> > that this issue
> > > should be shoe-horned into an existing WG, instead it
> > should be part of the
> > > Web Services security. [2]
> > >
> > > Though I'm relatively ignorant of the ws-arch discussions,
> > I've heard the
> > > ws-arch WG is considering this issue and will try to have charters
> > > available for work in July [3], but that the immediate
> > issue might also be
> > > delayed by consideration of the bigger issues.
> > Consequently, I'd recommend
> > > that a charter for work in the WS Activity be specified
> > with a scope no
> > > larger than [4] -- and potentially more narrow (e.g.,
> > without tokens). A
> > > "web services security" community does not yet exist (or it
> > does, but it's
> > > fragmented) and starting work on this immediately not only
> > commences with
> > > the work, but helps build a community which then can
> > contribute to the
> > > larger discussion. For instance, because standardized
> > security components
> > > do not yet exist, specifications such as XKMS [5] may end
> > up specifying
> > > "one-off" versions in the short term. However, these could
> > be contributed
> > > to the WS work. We all know somebody who knows somebody who
> > is in the other
> > > WG, but sometimes that isn't quite enough. <smile/>
> > >
> > > In conclusion, I advocate a charter with specific and
> > immediate terms, and
> > > an active recruitment of participants. Please let me know
> > if and how events
> > > are likely to be otherwise. Thanks!
> > >
> > >
> > > [1] http://lists.w3.org/Archives/Member/w3c-ac-forum/2002AprJun/0022.html
> > > [2] http://lists.w3.org/Archives/Public/www-xenc-xmlp-tf/2002Jun/0002.html
> > > [3] http://www.w3.org/2002/05/28-ws-cg-irc.txt
> > > [4] http://www-106.ibm.com/developerworks/security/library/ws-secure/?dwzone=security
> > >     http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnglobspec/html/ws-security.asp
> > > [5] http://lists.w3.org/Archives/Public/www-xkms/2002Jun/0016.html
> > >
> > >
> > > --
> > > Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
> > > W3C Policy Analyst                mailto:reagle@w3.org
> > > IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature/
> > > W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/

----------------------------------------------------------------
To subscribe or unsubscribe from this elist use the subscription
manager: <http://lists.oasis-open.org/ob/adm.pl>




