-----Original
Message-----
From: Gene
Thurston [mailto:gthurston@amberpoint.com]
Sent: Thursday,
September 05, 2002 9:35
PM
To:
wss@lists.oasis-open.org
Subject: RE: [wss] WSS
Focus
I think we all know
that "WS-Security" (short for "Web Services Security") is a bit of a
misnomer, in that it only really deals with (basically) three specific
security topics in the context of web services:
1.
The inclusion of
security tokens (of any kind).
2.
Digitally
signatures in SOAP messages via XML Signature.
3.
Encryption in SOAP
messages via XML Encryption.
Essentially, only
these pieces of SOAP message security, and clearly not the full spectrum of
"security for web services". The charter and scope of our TC, which
was published prior to our first meeting, and which we all "clarified",
voted on, and accepted yesterday, stated only that we will deal only with
the WS-Security specification (i.e., the above three items), along with some
"profiles" for a select list of some of the more commonly used security
tokens.
I firmly believe
that topics such as:
- WSDL work for
publishing what a web service can/will allow,
- "in-line"
negotiation of quality of security,
- and all those
other important aspects of security that are necessary in the broader
sense of the term "Web Services Security",
are important (and
in some cases CRITICAL) for web services to be fully utilized by
industry.
That said, I have
to agree with those who point out this was not in the original TC charter,
and that others may have attended had they seen this in the charter.
Therefore, I must conclude that we should not increase the scope of our work
to include these items. I just wish our TC was not called "Web
Services Security", since that undoubtedly will conjure up the image that we
will solve all security issues related to web services.
- Gene Thurston
-
AmberPoint,
Inc.
-----Original
Message-----
From: Munter,
Joel D [mailto:joel.d.munter@intel.com]
Sent: Thursday,
September 05, 2002 4:32
PM
To:
wss@lists.oasis-open.org
Subject: RE: [wss] WSS
Focus
It is my
humble opinion that we should eventually create a real Web Services Security
[set of] Specification[s] with the first significant deliverable being the
SOAP Security Header ("core") Specification described by WS-Security and the
additional profile doc's that we discussed at the FTF. We should
absolutely target these 1st deliverables as soon as is feasible. If
the charter and scope need to be readjusted after the closure of these first
deliverables then so be it, let's adjust them; and then taking into account
comments heard from Hemma and others today, we should advertise the
scope/charter changes and invite new
contributors.
-----Original
Message-----
From: Jan
Alexander [mailto:alex@systinet.com]
Sent: Thursday,
September 05, 2002 4:04
PM
To:
wss@lists.oasis-open.org
Subject: [wss] WSS
Focus
I think we should answer a
question, if we want to create real Web Service Security specification or
just SOAP security header specification. We should do it in very short
time.
Because in Web Service Security
specification, we should handle issues for example with in-band negotiation
(for example for security token type, or the QoS and whatever else), proof
of possession, WSDL extensibility elements for declarative security
information (required QoS, etc.) and many other things in the
core spec. We can of course do it in steps, explicitly stating what
will be in the 1.0 version of the spec.
On the other hand, if we want to
just specify SOAP message header, we need only to cope with the attaching
opaque (from the spec point of view) security tokens with the message and
cryptographic binding of these tokens with the message (by means of XML
Signature and XML Encryption) in the core spec. We can then say,
that everything else is out of the scope of the core
spec.
I think the answer to this
question should give us background for the requirements document. The
use-cases document will be influenced very much by this answer as
well.