[wsrp] draft security profile questions

[Rich Thompson <richt2@us.ibm.com>]

Please provide feedback on the questions
we want to use for contacting our various security teams about the possibility
of building one or two simple security profiles for use while waiting for
standardized policy frameworks to emerge. Hopefully we can agree on a short
set of questions over the next week such that the gathering of input can
begin shortly after that.

----------------------- draft starts
below --------------------

Considering the number of customer requests
for interoperable security profiles and the lack of a standardized policy
framework for negotiating a security profile to use for WSRP-related messages,
the WSRP TC is seeking input about whether simple interoperable profiles
could be defined. In particular, which of the following items is expected
to be supported in the mid-2006 timeframe:

1. Transferring a Consumer identity via SSL/TLS, an End-User identity via a WS-Security token and exposing both to applications.
2. Transferring a Consumer identity via a digital signature, an End-User identity via a WS-Security token and exposing both to applications.
3. Which WS-Security tokens do you expect to be supporting?
4. If SAML is supported, what user attributes will be supported?
5. Is support for maintaining security contexts for multiple web service requests anticipated? If so, using what technology?
6. Is automated configuration supported? If so, are any particular inputs to the process required?