

Subject: RE: [security-jc] Secure


Phil,

	Thanks for your comments. Couple of points :

	a)	Haven't asked anyone to comment on a presentation, yet.
I myself haven't started on one ! Once I have the first cut, I plan to
work with the JC as I value the input and participation of the folks.

	b)	I will rework the secure proposal with your, Carlisle's
and other comments. Point well taken on the observation that we should
talk about security standards as applied to e-business.  Looks like we
would end up with similar but distinct presentations for the OASIS Forum
and the secure conference. 

	c)	I am not sure the notion of "an agreed security
vocabulary of common terms and their definitions." across TCs is
required or even warranted. Like you pointed out different TCs can have
different interpretation of the same term. The term signature is one -
another example is the concept of non-repudiation which might be
different for election mark-up TC to Legal XML to ebXML and rightfully
so. The best we can do is to gather up all such definitions and
interpretations and put them in a common place - like the OASIS Registry
- without any attempt to reconcile them. In this context the security JC
can conceptualize and evangelize across the TCs to do so - the TCs
themselves can decide if they wish to contribute to and refer to this
common glossary pool. And finally if we all feel that a common glossary
is required, we should start a Glossary TC.

cheers 

-----Original Message-----
From: Phillip H. Griffin [mailto:phil.griffin@asn-1.com] 
Sent: Thursday, January 23, 2003 2:18 PM
To: Carlisle Adams
Cc: 'dee schur'; ksankar@cisco.com; security-jc@lists.oasis-open.org;
'Karl F. Best'; 'patrick gannon'; 'Carol Geyer'
Subject: Re: [security-jc] Secure


Carlisle,

Krishna writes in the January 8, 2003 SJC minutes of a "Conceptual 
Model being developed by TAB", that is related to the "three projects
proposed (vocabulary, common artifacts and framework)" that the TAB
believes the SJC might conceptualize, but should not develop. 

I asked "If the SJC would be involved in this work or at least a review
of the work and requested that more information be provided".  Krishna
noted that there was "a security box in the model" and that the model
would be the basis of his "OASIS Forum presentation". This may be
the block he spoke of below.

But, I think that it is very difficult for the SJC to comment on the
proposed presentation without at least a basic understanding of the
underlying model that the presentation is based on. Problems I see with
the blurb below are the mixing of "security standards" and "web services
security standards".

The former is rather general, and the latter more specific. Perhaps the
pitch should be how OASIS web services security standards will leverage
and incorporate existing OASIS security standards (SAML, XACML, XCBF,
DSS, Rights, etc.), and how other OASIS work (ebXML, UBL, etc.) can
leverage OASIS WSS efforts. This is back to the old showcase idea - old
news maybe.

As to the Conceptual Model itself, I am puzzled how it could involve
OASIS security standards, yet ignore the human resources available in
the SJC. And I wonder how such work could be undertaken without at least
an agreed security vocabulary of common terms and their definitions.

Just putting together the example SJC security vocabulary document from
the existing OASIS works reveals that there is much disagreement in the
use of the most basic security terms within the various TCs. And these
are in many cases still evolving.

Just for example, the definition of a WSS digital signature is roughly
"a cryptographic binding between a proof-of-possession (authentication
data) and a digest". This is not particularly close to what digital
signature means in several other OASIS security standard contexts.

Phil


Carlisle Adams wrote:

Hi all, 
Dee, you asked for comments, so here are mine... 


Krishna's abstract (below) sounds fine, but I'm not totally sold on it.
(Sorry Krishna!  :-) 
 - "How do they fit the OASIS conceptual model?"  Is there an OASIS
conceptual model for its security standards?  I had this impression that
this was still being thought about (and worked on, or at least
encouraged, by the SJC).
 - "How will the landscape change in 6 months or a year?"  Who can
really know this?  What IBM and Microsoft will do with their specs in
this area is unknown -- not only whether/when/where they will submit
them for standardization, but also what future specs in their WS-* suite
might show up and when.  Any discussion along these lines is little more
than idle speculation at this point (and is likely to be completely
unhelpful to the audience).

Given that this is an "E-Business Executive Summit", I think a panel
focusing on things that are more concrete and relevant to e-business
would be of value.  How do the existing security standards solve actual
problems or meet actual requirements in an e-business world?  Not just
abstract use cases, but architectural guidance showing how real-world
needs can be met by the security standards available today.  What
additional problems are the emerging standards (those still in progress)
intended to address?  What is still missing; how critical are those
pieces; and is there a projected time frame for such work to begin?
Audience feedback and participation on these sorts of questions should
make for a lively and interesting panel.
Carlisle. 


-----Original Message----- 
From: dee schur [mailto:dee.schur@oasis-open.org] 
Sent: Tuesday, January 21, 2003 2:51 PM 
To: ksankar@cisco.com; security-jc@lists.oasis-open.org 
Cc: 'Karl F. Best'; 'patrick gannon'; 'Carol Geyer' 
Subject: RE: [security-jc] Secure

Hi,
The concall is this Friday, 24 Jan, so I would greatly appreciate
feedback and participation commitments.
Best to all,
Dee

-----Original Message-----
From: Krishna Sankar [mailto:ksankar@cisco.com] 
Sent: Thursday, January 16, 2003 5:35 PM 
To: 'dee schur'; security-jc@lists.oasis-open.org 
Cc: 'Karl F. Best'; 'patrick gannon'; 'Carol Geyer' 
Subject: RE: [security-jc] Secure

Folks,
        Here is the abstract for the OASIS forum. Would appreciate
feedback and participation.

Security Panel:
    Security is in the forefront of everybody's mind especially when
connecting heterogeneous systems across the internet by applying the web
services paradigms. This panel would explore the short term and long
term future of web services security standards. Questions like - what
are the security standards available now? How do they fit the OASIS
conceptual model? How will this landscape change within the next 6
months? next 1 year? What are the requirements from the user community?
and finally what are the gaps? - would be discussed and debated. The
session is planned to be interactive and the audience is encouraged to
submit their questions and comments to the panel - before or during the
session.


Panelists: 
        Chanliau, Marc 
        Eve L. Maler 
        Tim Moses 
        Rich Salz 
Agenda : 
        20 Min State of the Union Presentation 
        40 Min Discussion 
Cheers 


> -----Original Message----- 
> From: dee schur [mailto:dee.schur@oasis-open.org] 
> Sent: Thursday, January 16, 2003 2:08 PM 
> To: ksankar@cisco.com; security-jc@lists.oasis-open.org 
> Cc: 'Karl F. Best'; 'patrick gannon'; 'Carol Geyer' 
> Subject: RE: [security-jc] Secure 
> 
> 
> Krishna, 
> This is terrific news! So far we have Darran Rolls, Carlisle Adams and
> Prateek Mishra. Patrick will be on a concall with the AB of Secure eBiz
> on 24 Jan, I can fill you in after that meeting. Until then, would it be
> possible to pull together a brief abstract for the Security panel?
> Thanks! 
> dee 
> 
> -----Original Message----- 
> From: Krishna Sankar [mailto:ksankar@cisco.com] 
> Sent: Tuesday, January 14, 2003 3:15 PM 
> To: 'dee schur'; security-jc@lists.oasis-open.org 
> Cc: 'Karl F. Best'; 'patrick gannon'; 'Carol Geyer' 
> Subject: RE: [security-jc] Secure 
> 
> 
> Dee, 
> 
>       I am willing to attempt this, modeled after the security panel I
> am leading at the OASIS Forum at Santa Clara. Most probably this would
> have more time (> 60 min) and also could include panelists from the east
> coast as well as other participants at the secure conference like John -
> chair of eGov.
> 
> cheers 
> 
> > -----Original Message----- 
> > From: dee schur [mailto:dee.schur@oasis-open.org] 
> > Sent: Tuesday, January 14, 2003 9:55 AM 
> > To: security-jc@lists.oasis-open.org 
> > Cc: Karl F. Best; patrick gannon; Carol Geyer 
> > Subject: [security-jc] Secure 
> > 
> > 
> > 
> > Hello, 
> > We are co-sponsoring the Secure E-Business Executive Summit in
> > Washington, DC on 1-2 April, http://www.secure-biz.net/. I would like to
> > suggest an OASIS Security panel but before I could do that, I would need
> > to know if any of you are willing/able to attend, participate and assume
> > the chair position for the panel. Once we have a loose panel set up, I
> > will take the proposal to the Advisory Board on 25 January.
> > I think this is a good way to participate in the e-Gov initiatives also.
> > Let me know what you think?
> > 
> > Thanks, 
> > Dee Schur 
> > Marketing Support 
> > OASIS 
> > dee.schur@oasis-open.org 
> > 
> > OASIS               http://www.oasis-open.org 
> > XML.ORG             http://xml.org 
> > XML Cover Pages     http://xml.coverpages.org 
> > ebXML               http://www.ebXML.org 
> > CGM Open            http://www.cgmopen.org 
> > LegalXML            http://www.legalxml.org 
> > UDDI                        http://www.uddi.org 
> > PKI                 http://www.pkiforum.org/ 
> > 
> > 
> > ---------------------------------------------------------------- 
> > To subscribe or unsubscribe from this elist use the subscription 
> > manager: <http://lists.oasis-open.org/ob/adm.pl> 
> > 
> 
> 
> 


