
security-services message



Subject: RE: IDMEF/IODEF


At the risk of putting words in Bob's mouth, I believe he was making a
distinction between securely transporting arbitrary XML-encoded objects over
various protocols, (which we are not doing) and conveying security-related
information in XML and transporting it over various protocols (which we
are).

A signed purchase order in XML would be an example of the former. An XML
document identifying an individual as an authorized purchasing agent would
be an example of the latter.

Hal

> -----Original Message-----
> From: Mishra, Prateek [mailto:pmishra@netegrity.com]
> Sent: Monday, January 22, 2001 12:12 PM
> To: 'RL 'Bob' Morgan'; Eve L. Maler
> Cc: security-services@lists.oasis-open.org
> Subject: RE: IDMEF/IODEF
> 
> 
> Bob,
> 
> One of the goals of the S2ML spec. was to provide
> a number of bindings for interactions based
> on a number of standard protocols. This has been
> called out in Section 6, Bindings to Messaging and 
> Transport Protocols.
> 
> Clearly, the breadth of this section needs to be
> scoped with some care (How many protocols?) and
> the Use-Cases and Requirements work should provide
> additional guidance in this direction.
> 
> I am puzzled tho' by your thought that this might
> be completely out of scope for this group. 
> Consider HTTP, for example. How should S2ML assertions
> be embedded within HTTP flows? What about consideration
> of the case when the client is limited to a browser?
> Without this information, I don't see how inter-operability
> between "security zones" is supported by S2ML or any
> successor specification.
> 
> - prateek 
> 
> 
> > Obviously there are a substantial number of standardization efforts going
> > on in more or less the same space as ours, namely XML-formatted data
> > objects transferred via any of several transports (HTTP, SMTP, BEEP, etc).
> > One might observe that each of these is approaching security in its own
> > way (or not at all) and conclude that it would be a useful goal of our
> > work to provide XML-based security services for the generic XML-over-foo
> > protocol.  I expect, though, that participants in this TC would agree that
> > that is *not* what we're trying to do.  Yes?  If so we might want to state
> > this as an explicit non-goal in our charter (and no I don't have precise
> > wording at the moment) since I suspect this could be a likely point of
> > confusion, especially given the name of the group.
> > 
> >  - RL "Bob"
> > 
> > 
> 

