

Subject: Re: [security-jc] Secure


Carlisle,

Krishna writes in the January 8, 2003 SJC minutes of a "Conceptual
Model being developed by TAB", that is related to the "three projects
proposed (vocabulary, common artifacts and framework)" that the TAB
believes the SJC might conceptualize, but should not develop.

I asked "If the SJC would be involved in this work or at least a review
of the work and requested that more information be provided".  Krishna
noted that there was "a security box in the model" and that the model
would be the basis of his "OASIS Forum presentation". This may be
the block he spoke of below.

But, I think that it is very difficult for the SJC to comment on the proposed
presentation without at least a basic understanding of the underlying model
that the presentation is based on. Problems I see with the blurb below are
the mixing of "security standards" and "web services security standards".

The former is rather general, and the latter more specific. Perhaps the pitch
should be how OASIS web services security standards will leverage and
incorporate existing OASIS security standards (SAML, XACML, XCBF,
DSS, Rights, etc.), and how other OASIS work (ebXML, UBL, etc.) can
leverage OASIS WSS efforts. This is back to the old showcase idea - old
news maybe.

As to the Conceptual Model itself, I am puzzled how it could involve OASIS
security standards, yet ignore the human resources available in the SJC. And
I wonder how such work could be undertaken without at least an agreed
security vocabulary of common terms and their definitions.

Just putting together the example SJC security vocabulary document from the
existing OASIS works reveals that there is much disagreement in the use of
the most basic security terms within the various TCs. And these are in many
cases still evolving.

Just for example, the definition of a WSS digital signature is roughly "a
cryptographic binding between a proof-of-possession (authentication data)
and a digest". This is not particularly close to what digital signature means in
several other OASIS security standard contexts.

Phil


Carlisle Adams wrote:
RE: [security-jc] Secure

Hi all,

Dee, you asked for comments, so here are mine...


Krishna's abstract (below) sounds fine, but I'm not totally sold on it.  (Sorry Krishna!  :-)

 - "How do they fit the OASIS conceptual model?"  Is there an OASIS conceptual model for its security standards?  I had this impression that this was still being thought about (and worked on, or at least encouraged, by the SJC).

 - "How will the landscape change in 6 months or a year?"  Who can really know this?  What IBM and Microsoft will do with their specs in this area is unknown -- not only whether/when/where they will submit them for standardization, but also what future specs in their WS-* suite might show up and when.  Any discussion along these lines is little more than idle speculation at this point (and is likely to be completely unhelpful to the audience).

Given that this is an "E-Business Executive Summit", I think a panel focusing on things that are more concrete and relevant to e-business would be of value.  How do the existing security standards solve actual problems or meet actual requirements in an e-business world?  Not just abstract use cases, but architectural guidance showing how real-world needs can be met by the security standards available today.  What additional problems are the emerging standards (those still in progress) intended to address?  What is still missing; how critical are those pieces; and is there a projected time frame for such work to begin?  Audience feedback and participation on these sorts of questions should make for a lively and interesting panel.

Carlisle.


-----Original Message-----
From: dee schur [mailto:dee.schur@oasis-open.org]
Sent: Tuesday, January 21, 2003 2:51 PM
To: ksankar@cisco.com; security-jc@lists.oasis-open.org
Cc: 'Karl F. Best'; 'patrick gannon'; 'Carol Geyer'
Subject: RE: [security-jc] Secure

Hi,
The concall is this Friday, 24 Jan, so I would greatly appreciate
feedback and participation commitments.
Best to all,
Dee

-----Original Message-----
From: Krishna Sankar [mailto:ksankar@cisco.com]
Sent: Thursday, January 16, 2003 5:35 PM
To: 'dee schur'; security-jc@lists.oasis-open.org
Cc: 'Karl F. Best'; 'patrick gannon'; 'Carol Geyer'
Subject: RE: [security-jc] Secure

Folks,

        Here is the abstract for the OASIS forum. Would appreciate
feedback and participation.

Security Panel:

    Security is in the forefront of everybody's mind especially when
connecting heterogeneous systems across the internet by applying the web
services paradigms. This panel would explore the short term and long
term future of web services security standards. Questions like - what
are the security standards available now? How do they fit the OASIS
conceptual model? How will this landscape change within the next 6
months? next 1 year? What are the requirements from the user community?
and finally what are the gaps? - would be discussed and debated. The
session is planned to be interactive and the audience is encouraged to
submit their questions and comments to the panel - before or during the
session.


Panelists:

        Chanliau, Marc
        Eve L. Maler
        Tim Moses
        Rich Salz

Agenda :

        20 Min State of the Union Presentation
        40 Min Discussion

Cheers


> -----Original Message-----
> From: dee schur [mailto:dee.schur@oasis-open.org]
> Sent: Thursday, January 16, 2003 2:08 PM
> To: ksankar@cisco.com; security-jc@lists.oasis-open.org
> Cc: 'Karl F. Best'; 'patrick gannon'; 'Carol Geyer'
> Subject: RE: [security-jc] Secure
>
>
> Krishna,
> This is terrific news! So far we have Darran Rolls, Carlisle Adams and
> Prateek Mishra. Patrick will be on a concall with the AB of Secure eBiz
> on 24 Jan, I can fill you in after that meeting. Until then, would it be
> possible to pull together a brief abstract for the Security panel?
> Thanks!
> dee
>
> -----Original Message-----
> From: Krishna Sankar [mailto:ksankar@cisco.com]
> Sent: Tuesday, January 14, 2003 3:15 PM
> To: 'dee schur'; security-jc@lists.oasis-open.org
> Cc: 'Karl F. Best'; 'patrick gannon'; 'Carol Geyer'
> Subject: RE: [security-jc] Secure
>
>
> Dee,
>
>       I am willing to attempt this, modeled after the security panel I
> am leading at the OASIS Forum at Santa Clara. Most probably this would
> have more time (> 60 min) and also could include panelists from the east
> coast as well as other participants at the secure conference like John -
> chair of eGov.
>
> cheers
>
> > -----Original Message-----
> > From: dee schur [mailto:dee.schur@oasis-open.org]
> > Sent: Tuesday, January 14, 2003 9:55 AM
> > To: security-jc@lists.oasis-open.org
> > Cc: Karl F. Best; patrick gannon; Carol Geyer
> > Subject: [security-jc] Secure
> >
> >
> >
> > Hello,
> > We are co-sponsoring the Secure E-Business Executive Summit in
> > Washington, DC on 1-2 April, http://www.secure-biz.net/. I would like to
> > suggest an OASIS Security panel but before I could do that, I would need
> > to know if any of you are willing/able to attend, participate and assume
> > the chair position for the panel. Once we have a loose panel set up, I
> > will take the proposal to the Advisory Board on 25 January.
> > I think this is a good way to participate in the e-Gov initiatives also.
> > Let me know what you think?
> >
> > Thanks,
> > Dee Schur
> > Marketing Support
> > OASIS
> > dee.schur@oasis-open.org
> >
> > OASIS               http://www.oasis-open.org
> > XML.ORG             http://xml.org
> > XML Cover Pages     http://xml.coverpages.org
> > ebXML               http://www.ebXML.org
> > CGM Open            http://www.cgmopen.org
> > LegalXML            http://www.legalxml.org
> > UDDI                        http://www.uddi.org
> > PKI                 http://www.pkiforum.org/
> >
> >
> > ----------------------------------------------------------------
> > To subscribe or unsubscribe from this elist use the subscription
> > manager: <http://lists.oasis-open.org/ob/adm.pl>
> >
>
>
>


