Re: [wss] More on SOAP version

[Rich Salz <rsalz@datapower.com>]

> What is your incomplete comment " Cf the "workshops" for WS-RM, etc." ?

I'm not quite sure what you're asking.  Oh, perhaps you were confused by
my mistake:  I incorrectly used "Cf" when I should have used "E.g.,";
I didn't realize that Cf was limited to same-document referrals.

But no, that's probably not what you meant.

Looking closer, that whole section:

> ... by moving slowly to 1.2 Ws-Security could be
> seen as encouraging a non-standards body process.  Cf the "workshops"
> for WS-RM, etc.

could have been more clear.  I wrote it that way because I thought
it "obvious enough" to most members of this TC -- they aren't
standards naifs, and would rather avoid standards politics.  But I
guess you're calling me out.  Or, as they'd do it in the westerns,
you push back your chair, walk up to me and stare, squinty eyed,
and say "what exactly do you mean by that, pardner?"  (There's a
"bad guys are men in black" joke that I'll leave for someone else. :)

Okay, then.  I'll be very explicit.

There are a number of things happening in the area of Web Services
standards today that might give any reasonable person pause:
    WS-ReliableMessaging is not in any standards body; the recent
    interop workshop is sealed by NDA, and legal papers must
    be signed before anyone can join the mailing list hosted at
    yahoogroups.  (Not the OASIS TC of the same name.)

    WS-I "started running with" WS-Security before the first public
    commit period was closed.

    The Gates/Mills demo last month showcased proprietary
    specifications, spin notwithstanding.

    Multiple members of SSTC (SAML) and XACML feel that recent email
    conversations on those lists have had the very direct intent of
    "clearing the decks" of anything that might be seen as competing
    with WS-Policy and friends.

    WS-Policy, etc., have not been submitted to any standards body.
    According to my rough count, the number of proprietary WS-xxx
    specs outnumbers the number of WS-xxx standardization efforts
    by about five to one.

    The chorus of voices saying "the specs are done, let's write
    apps" -- started by Don Box last march -- is growing.

I really don't believe that everything is being
done to some master plan, the reasons for the above
items aren't all the same.  (Conspiracy theorists might
want to compare http://www.w3.org/2001/03/WSWS-popa/paper51 and
http://msdn.microsoft.com/webservices/default.aspx?pull=/library/en-us/dnwebsrv/html/wsoverview.asp )

But given the items above -- and that's just off the top of my
head -- is it any wonder that some people are concerned that if
WS-Security says "just use SOAP 1.1" it's seen as a part of a trend
to bypass the standards process?  Chorus notwithstanding, while the
specs may be done, the standards aren't. Standardization is long,
messy, involves trade-offs, and can derail existing implementation
efforts and customer deployments.  But that's the price we pay for
not having to live under anyone else's diktat.

As for the particular issue of SOAP 1.2, it's a tough one.  Until
this email, I was strongly in favor of 1.1.  I think the deployed
base is a strong argument in favor of 1.1, while the Infoset approach
and its absence from XML DSIG, C14N, and XEnc are strong arguments
against 1.2

But now I'm not so sure.  The subtext -- no matter how little it
is understood -- is important. I just lost my voting membership
(not enough time; we're a startup, and I've got code to write), but
had I not, I'd vote to hold this spec up for months, if necessary,
to make sure we were doing the right thing.

        /r$

--
Rich Salz                  Chief Security Architect
DataPower Technology       http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
XML Security Overview      http://www.datapower.com/xmldev/xmlsecurity.html