Andrew,
Could you expand a little on what the issue is with trust? I just assumed users could choose to trust the UDDI Implementation according to its certificate. Are you talking about the trust of the UDDI information, or the trust involved in the actual ws-security web service?
I can’t see why we would want to model the abstract security aspect, surely the concrete technology used is what is needed here?
Dave Prout
BT
From: Andrew Hately [mailto:hately@us.ibm.com]
Sent: 07 June 2005 21:23
To: Prout,DA,Dave,XKR3 R
Cc: uddi-spec@lists.oasis-open.org
Subject: Re: [uddi-spec] Web Services Security Scenarios - Use Case
I think what we need to dig into is what protocols and methods, either in band or out of band, are being used to establish trust.
Once we can determine where trust is established in each use case, we need to look at what is persisted for each party to represent that trust (such as a key, a keyStore, a trusted root) and that should lead to what types of queries would be used and what would be out of band to the query to the registry. This should also establish what roles the registry will play and what cases should only be addressed with trusted data or trusted registry connections. It is particularly the references to including actual credentials or keys as opposed to storing key services or key providers that could require a different trust model.
I also believe we need to determine if the use cases require that we model the abstract security aspect such as identity assertion through id/password or model only the concrete security technology such as ws-security username token, or that we model both abstract aspects/capabilities and the concrete technology used.
Can you expand on your use case to discuss some of the above?
Regards,
Andrew Hately
IBM Software Group, Emerging Technologies
From: <dave.prout@bt.com>
Sent: 06/07/2005 06:14 AM
To: <uddi-spec@lists.oasis-open.org>
Subject: [uddi-spec] Web Services Security Scenarios - Use Case
Hi,
At the last meeting Luc asked me to send some use cases that could inform our discussion on how to decorate a service in UDDI with its WS-Security requirements.
The WS-I Security Challenges, Threats and Countermeasures Version 1.0 document provides useful background http://www.ws-i.org/Profiles/BasicSecurity/SecurityChallenges-1.0.pdf
I’d like to start off with one use case, to see if it is the sort of thing we want.
The use case is buying something over the web in a secure way, with a confidential response.
In this case the credit card number is signed with the sender’s private key, so they send their public key with the request so that the receiver can validate the signature. The credit card details must also be encrypted with the receiver’s public key (after being signed). The response must be encrypted with the sender’s public key (which was sent on the request).
Please let me know if the use case should be set out in a different way.
We can easily extract simpler cases from this one.
Regards
Dave Prout
BT
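[Added example, not part of the original thread or of any UDDI/WS-Security implementation.] The sign-then-encrypt use case above and the in-band versus out-of-band trust question raised in the reply, sketched with Node.js built-in crypto rather than WS-Security XML. It assumes RSA-2048 keys, AES-256-GCM hybrid encryption and a fingerprint set standing in for trust established out of band; all function names are hypothetical.

```javascript
// Added example: constructed keys and card number; helper names are hypothetical.
const crypto = require('node:crypto');

const newKeyPair = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const pem = (key) => key.export({ type: 'spki', format: 'pem' });
const fingerprint = (pubPem) => crypto.createHash('sha256').update(pubPem).digest('hex');
const oaep = (key) => ({ key, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' });

// Hybrid encryption: a fresh AES-256-GCM key, wrapped with the recipient's RSA key (OAEP).
function encryptFor(recipientPub, plaintext) {
  const key = crypto.randomBytes(32), iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return { wrapped: crypto.publicEncrypt(oaep(recipientPub), key), iv, body, tag: c.getAuthTag() };
}
function decryptWith(priv, m) {
  const key = crypto.privateDecrypt(oaep(priv), m.wrapped);
  const d = crypto.createDecipheriv('aes-256-gcm', key, m.iv);
  d.setAuthTag(m.tag);
  return Buffer.concat([d.update(m.body), d.final()]);
}

// Sender: sign the card number, attach own public key, then encrypt to the receiver.
function buildRequest(sender, receiverPub, card) {
  const sig = crypto.sign('sha256', Buffer.from(card), sender.privateKey).toString('base64');
  const signed = JSON.stringify({ card, sig, senderPub: pem(sender.publicKey) });
  return encryptFor(receiverPub, Buffer.from(signed));
}

// Receiver: decrypt, verify with the in-band key, then check that key against out-of-band trust.
function handleRequest(receiver, trusted, request) {
  const { card, sig, senderPub } = JSON.parse(decryptWith(receiver.privateKey, request).toString());
  const signatureValid = crypto.verify('sha256', Buffer.from(card), senderPub, Buffer.from(sig, 'base64'));
  const keyTrusted = trusted.has(fingerprint(senderPub)); // trust persisted out of band
  const response = signatureValid && keyTrusted ? encryptFor(senderPub, Buffer.from('order accepted')) : null;
  return { signatureValid, keyTrusted, response };
}

// A known buyer and an unknown party send the same request; both signatures verify.
function demo() {
  const buyer = newKeyPair(), shop = newKeyPair(), stranger = newKeyPair();
  const trusted = new Set([fingerprint(pem(buyer.publicKey))]);
  const card = '4111111111111111'; // constructed test number
  const good = handleRequest(shop, trusted, buildRequest(buyer, shop.publicKey, card));
  const bad = handleRequest(shop, trusted, buildRequest(stranger, shop.publicKey, card));
  const reply = decryptWith(buyer.privateKey, good.response).toString();
  return { good, bad, reply };
}
```

The unknown party's signature verifies against the key it sent with the request, so the signature check alone says nothing about who the sender is; only the out-of-band fingerprint check separates the two requests.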
From: Luc Clement [mailto:luc.clement@systinet.com]
Sent: 27 May 2005 00:02
To: 'Oleg Mikulinsky'
Cc: 'Rogers, Tony'; uddi-spec@lists.oasis-open.org
Subject: [uddi-spec] RE: Request to become UDDI Specification working group member
Welcome aboard Oleg. For the purpose of your records, you will obtain voting rights the lesser of 3 TC meetings or the 28 July 2004.
The next TC call is at 15:30ET on 14 June.
Luc
Luc Clément | Co-Chair OASIS UDDI TC | Senior Program Manager | Systinet Corporation
One van de Graaff Drive Burlington, MA 01803
Phone +1 781.362.1330 | Mobile +1 978.793.2162 | Fax +1 781.362.1400
From: Oleg Mikulinsky [mailto:oleg.mikulinsky@weblayers.com]
Sent: Thursday, May 26, 2005 18:52
To: Luc Clement
Cc: Rogers, Tony
Subject: RE: Request to become UDDI Specification working group member
Luc,
I intend to join as a prospective member and obtain voting rights per OASIS process. Look forward to meeting you all (virtually). ;)
Regards,
Oleg.
From: Luc Clement [mailto:luc.clement@systinet.com]
Sent: Thursday, May 26, 2005 6:38 PM
To: Oleg Mikulinsky
Cc: 'Rogers, Tony'
Subject: RE: Request to become UDDI Specification working group member
Oleg,
Please read the following and reply to this email confirming your intention to join as a Prospective Member. You should note that as an Observer you can provide input which may satisfy your needs. If however you intend to obtain voting rights, then you need to join as a Prospective Member which requires you to obtain and maintain good standing.
Please take a moment to look over the membership rules (along with the requirements to obtain and maintain good standing): Participation and membership: http://www.oasis-open.org/committees/process.php#2.4 and termination: http://www.oasis-open.org/committees/process.php#2.5. Please also review the OASIS IPR policy (http://www.oasis-open.org/committees/process.php#2.17) – it is necessary that you fully understand the implications of the OASIS IPR policy.
To conclude, please reply with your intention of joining either as a prospective member or maintaining a status of observer.
We look forward to your participation.
Luc
Luc Clément | Co-Chair OASIS UDDI TC | Senior Program Manager | Systinet Corporation
One van de Graaff Drive Burlington, MA 01803
Phone +1 781.362.1330 | Mobile +1 978.793.2162 | Fax +1 781.362.1400
From: Oleg Mikulinsky [mailto:oleg.mikulinsky@weblayers.com]
Sent: Thursday, May 26, 2005 18:13
To: Luc Clement; Rogers, Tony
Subject: Request to become UDDI Specification working group member
Gentlemen,
I would like to join UDDI Specification group as a member.
I have been in observer role in UDDI group for about a month now, as well as a contributing member to the OASIS SOA-RM group.
And I have been reading recent threads about describing service related policies in UDDI with a great interest.
In the last couple of years, I was involved with several UDDI deployments as principal consultant / architect, as well as authored several architecture specifications, policies and best practices for Fortune 500 companies.
I believe I have knowledge and experience to contribute to this group.
Best regards,
Oleg Mikulinsky
Director of Enterprise Architecture
WebLayers, Inc.