Subject: Tomorrow's concall
I raised the following areas in today's call, but I would like the group to think about them as well.

My personal view is that the game starts for us once a producer can publish its security requirements to the consumer. For until that happens any producer expecting any type of security [other than https which is already publishable] will have to be "out-of-band" registered/configured by the consumer. And at this point we have stayed away from defining/talking about formalizing "out-of-band" mechanisms. As I don't see either a standard [WS-Policy] or uniform interoperable implementations happening in the next 6 months, a question to consider is whether we merely need to wait [and do nothing], define a simple [potentially temporary] publishing protocol in WSRP, or articulate some other value/work product to produce here related to its out-of-band nature.
a. My feeling is that we should let the stack implementors drive security, and let WSRP, an application protocol, rely on the stacks for this support. I would like to look at it the way we looked at attachments support.
b. Interop is going to be an issue particularly since stack level security supports may vary in their support for standards. Although desirable, plug-and-play interoperability for web services security may be harder to realize than the current interop levels we demonstrated.
c. There is also a danger of undercutting some of the security specs by making recommendations on what standards to use in what manner. To me that seems to be a slippery slope to follow.