Subject: RE: [security-jc] Secure
Phil,

Thanks for your comments. Couple of points:

a) Haven't asked anyone to comment on a presentation, yet. I myself haven't started on one! Once I have the first cut, I plan to work with the JC as I value the input and participation of the folks.

b) I will rework the secure proposal with your, Carlisle's and other comments. Point well taken on the observation that we should talk about security standards as applied to e-business. Looks like we would end up with similar but distinct presentations for the OASIS Forum and the secure conference.

c) I am not sure the notion of "an agreed security vocabulary of common terms and their definitions." across TCs is required or even warranted. Like you pointed out, different TCs can have different interpretations of the same term. The term signature is one - another example is the concept of non-repudiation which might be different for election mark-up TC to Legal XML to ebXML and rightfully so. The best we can do is to gather up all such definitions and interpretations and put them in a common place - like the OASIS Registry - without any attempt to reconcile them. In this context the security JC can conceptualize and evangelize across the TCs to do so - the TCs themselves can decide if they wish to contribute to and refer to this common glossary pool.

And finally if we all feel that a common glossary is required, we should start a Glossary TC.

cheers

-----Original Message-----
From: Phillip H. Griffin [mailto:phil.griffin@asn-1.com]
Sent: Thursday, January 23, 2003 2:18 PM
To: Carlisle Adams
Cc: 'dee schur'; ksankar@cisco.com; security-jc@lists.oasis-open.org; 'Karl F. Best'; 'patrick gannon'; 'Carol Geyer'
Subject: Re: [security-jc] Secure

Carlisle,

Krishna writes in the January 8, 2003 SJC minutes of a "Conceptual Model being developed by TAB", that is related to the "three projects proposed (vocabulary, common artifacts and framework)" that the TAB believes the SJC might conceptualize, but should not develop. I asked "If the SJC would be involved in this work or at least a review of the work and requested that more information be provided". Krishna noted that there was "a security box in the model" and that the model would be the basis of his "OASIS Forum presentation". This may be the block he spoke of below. But, I think that it is very difficult for the SJC to comment on the proposed presentation without at least a basic understanding of the underlying model that the presentation is based on.

Problems I see with the blurb below are the mixing of "security standards" and "web services security standards". The former is rather general, and the latter more specific. Perhaps the pitch should be how OASIS web services security standards will leverage and incorporate existing OASIS security standards (SAML, XACML, XCBF, DSS, Rights, etc.), and how other OASIS work (ebXML, UBL, etc.) can leverage OASIS WSS efforts. This is back to the old showcase idea - old news maybe.

As to the Conceptual Model itself, I am puzzled how it could involve OASIS security standards, yet ignore the human resources available in the SJC. And I wonder how such work could be undertaken without at least an agreed security vocabulary of common terms and their definitions. Just putting together the example SJC security vocabulary document from the existing OASIS works reveals that there is much disagreement in the use of the most basic security terms within the various TCs. And these are in many cases still evolving. Just for example, the definition of a WSS digital signature is roughly "a cryptographic binding between a proof-of-possession (authentication data) and a digest". This is not particularly close to what digital signature means in several other OASIS security standard contexts.

Phil

Carlisle Adams wrote:

Hi all,

Dee, you asked for comments, so here are mine...

Krishna's abstract (below) sounds fine, but I'm not totally sold on it. (Sorry Krishna! :-)

- "How do they fit the OASIS conceptual model?" Is there an OASIS conceptual model for its security standards? I had this impression that this was still being thought about (and worked on, or at least encouraged, by the SJC).

- "How will the landscape change in 6 months or a year?" Who can really know this? What IBM and Microsoft will do with their specs in this area is unknown -- not only whether/when/where they will submit them for standardization, but also what future specs in their WS-* suite might show up and when. Any discussion along these lines is little more than idle speculation at this point (and is likely to be completely unhelpful to the audience).

Given that this is an "E-Business Executive Summit", I think a panel focusing on things that are more concrete and relevant to e-business would be of value. How do the existing security standards solve actual problems or meet actual requirements in an e-business world? Not just abstract use cases, but architectural guidance showing how real-world needs can be met by the security standards available today. What additional problems are the emerging standards (those still in progress) intended to address? What is still missing; how critical are those pieces; and is there a projected time frame for such work to begin? Audience feedback and participation on these sorts of questions should make for a lively and interesting panel.

Carlisle.

-----Original Message-----
From: dee schur [mailto:dee.schur@oasis-open.org]
Sent: Tuesday, January 21, 2003 2:51 PM
To: ksankar@cisco.com; security-jc@lists.oasis-open.org
Cc: 'Karl F. Best'; 'patrick gannon'; 'Carol Geyer'
Subject: RE: [security-jc] Secure

Hi,

The concall is this Friday, 24 Jan, so I would greatly appreciate feedback and participation commitments.

Best to all,
Dee

-----Original Message-----
From: Krishna Sankar [mailto:ksankar@cisco.com]
Sent: Thursday, January 16, 2003 5:35 PM
To: 'dee schur'; security-jc@lists.oasis-open.org
Cc: 'Karl F. Best'; 'patrick gannon'; 'Carol Geyer'
Subject: RE: [security-jc] Secure

Folks,

Here is the abstract for the OASIS forum. Would appreciate feedback and participation.

Security Panel:

Security is in the forefront of everybody's mind especially when connecting heterogeneous systems across the internet by applying the web services paradigms. This panel would explore the short term and long term future of web services security standards. Questions like - what are the security standards available now? How do they fit the OASIS conceptual model? How will this landscape change within the next 6 months? next 1 year? What are the requirements from the user community? and finally what are the gaps? - would be discussed and debated. The session is planned to be interactive and the audience is encouraged to submit their questions and comments to the panel - before or during the session.

Panelists:
Chanliau, Marc
Eve L. Maler
Tim Moses
Rich Salz

Agenda:
20 Min State of the Union Presentation
40 Min Discussion

Cheers

> -----Original Message-----
> From: dee schur [mailto:dee.schur@oasis-open.org]
> Sent: Thursday, January 16, 2003 2:08 PM
> To: ksankar@cisco.com; security-jc@lists.oasis-open.org
> Cc: 'Karl F. Best'; 'patrick gannon'; 'Carol Geyer'
> Subject: RE: [security-jc] Secure
>
>
> Krishna,
> This is terrific news! So far we have Darran Rolls, Carlisle Adams and
> Prateek Mishra. Patrick will be on a concall with the AB of Secure eBiz
> on 24 Jan, I can fill you in after that meeting. Until then, would it be
> possible to pull together a brief abstract for the Security panel?
> Thanks!
> dee
>
> -----Original Message-----
> From: Krishna Sankar [mailto:ksankar@cisco.com]
> Sent: Tuesday, January 14, 2003 3:15 PM
> To: 'dee schur'; security-jc@lists.oasis-open.org
> Cc: 'Karl F. Best'; 'patrick gannon'; 'Carol Geyer'
> Subject: RE: [security-jc] Secure
>
>
> Dee,
>
> I am willing to attempt this, modeled after the security panel I
> am leading at the OASIS Forum at Santa Clara. Most probably this would
> have more time (> 60 min) and also could include panelists from the east
> coast as well as other participants at the secure conference like John -
> chair of eGov.
>
> cheers
>
> > -----Original Message-----
> > From: dee schur [mailto:dee.schur@oasis-open.org]
> > Sent: Tuesday, January 14, 2003 9:55 AM
> > To: security-jc@lists.oasis-open.org
> > Cc: Karl F. Best; patrick gannon; Carol Geyer
> > Subject: [security-jc] Secure
> >
> >
> >
> > Hello,
> > We are co-sponsoring the Secure E-Business Executive Summit in
> > Washington, DC on 1-2 April, http://www.secure-biz.net/. I would like to
> > suggest an OASIS Security panel but before I could do that, I would need
> > to know if any of you are willing/able to attend, participate and assume
> > the chair position for the panel. Once we have a loose panel set up, I
> > will take the proposal to the Advisory Board on 25 January.
> > I think this is a good way to participate in the e-Gov initiatives also.
> > Let me know what you think?
> >
> > Thanks,
> > Dee Schur
> > Marketing Support
> > OASIS
> > dee.schur@oasis-open.org
> >
> > OASIS http://www.oasis-open.org
> > XML.ORG http://xml.org
> > XML Cover Pages http://xml.coverpages.org
> > ebXML http://www.ebXML.org
> > CGM Open http://www.cgmopen.org
> > LegalXML http://www.legalxml.org
> > UDDI http://www.uddi.org
> > PKI http://www.pkiforum.org/
> >
> >
> > ----------------------------------------------------------------
> > To subscribe or unsubscribe from this elist use the subscription
> > manager: <http://lists.oasis-open.org/ob/adm.pl>
> >
>
>

----------------------------------------------------------------
To subscribe or unsubscribe from this elist use the subscription manager: <http://lists.oasis-open.org/ob/adm.pl>