RE: WSS

[Stephen.Flinter@connectcgs.com]

Attached is a mail from Steve Anderson, who is one of the officers on the
WSS OASIS TC.

---------------------------------------------
Stephen Flinter
Connect Global Solutions
[t] +353 (0)1 882 9038
[f] +353 (0)1 882 9050
[m] +353 87 798 1228
[e] stephen.flinter@connectcgs.com
[w] www.connectcgs.com
--------------------------------------------
----- Forwarded by Stephen Flinter/Connect on 18/09/2003 11:37 -----
                                                                                                                                              
                      "Steve Anderson"                                                                                                        
                      <sanderson@openne        To:       <Stephen.Flinter@connectcgs.com>, <klawrenc@us.ibm.com>, <ckaler@microsoft.com>      
                      twork.com>               cc:                                                                                            
                                               Subject:  RE: WSS                                                                              
                      16/09/2003 15:54                                                                                                        
                                                                                                                                              
                                                                                                                                              




I am involved in both the WSS TC and the SS TC (responsible for producing
SAML), so I'll chime in here.

Not being familiar with the work of your TC, I'll just take your statements
about what you need at face value.  Looks like you need to "secure" web
service communications between a client and a provider.  Fair enough.  That
is just what WSS aims to do.  It describes how to apply XML Signature and
XML Encryption to SOAP messages, and how to bind security tokens to those
messages.  In some ways, it does at the message layer what SSL does at the
transport layer.

Security tokens may express identity information, attribute information,
authorization information, etc.  SAML is one form of security token in this
context, as are X.509 certificates, Kerberos tickets, username/password
combinations, XrML licenses, and more that could be defined.  So I wouldn't
go so far as to say that BOTH WSS and SAML are required for your situation,
but rather WSS and some set of (1 or more) token types (and that is still
assuming you want to apply security at the message layer).

As for WSS vs. WS-Security, some will focus on the distinctions and some
won't.  There was a document, WS-Security, that was written by
Microsoft/IBM/VeriSign that lead to the formation of this WSS TC.  We are
making changes to the work from that document and producing a set of WSS-*
documents, which will ultimately be designated as an OASIS standard.

Hope this helps.
--
Steve


-----Original Message-----
From: Stephen.Flinter@connectcgs.com
[mailto:Stephen.Flinter@connectcgs.com]
Sent: Tuesday, September 16, 2003 8:01 AM
To: klawrenc@us.ibm.com; ckaler@microsoft.com; Steve Anderson
Subject: WSS






All,

I am contacting you on behalf of the Translation-WS OASIS group
(http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=trans-ws)
regarding security.

Currently we're examining the various options we have for securing the web
service communication between the client and the service provider.  I have
been in touch with Eve Maler of the SAML group, and she suggested that I
get in touch with your group also.