[wss] Issue on WS-Security and WSDL definitions

[David Orchard <dorchard@bea.com>]

Dear OASIS WS-Security TC,

The W3C Web Services Architecture Working Group would like to express its
concern about the lack of WSDL definitions for WS-Security elements in the
first version of the WS-Security specificaiton.  As a best practice, members
of theweb services architecture group believe that WSDL definitions should
be part of any specification of SOAP Modules.  We would like to encourage
the
WS-Security group to take up this piece of work in the first version of its
specification.  It appears that the issue is not so much the "goodness" of
this, rather the timing is the issue.  There are a variety of rationale for
including description in v1: 1) To ensure that the runtime aspects can be
described in a reasonable manner - it would be unfortunate if some headers
were difficult to describe in WSDL; 2) To promote interoperability.  The
importance of WSDL for interoperability is evident by the prominent place
that WSDL has in the W3C Web Services Activity and the WS-I Basic Profile.

We were made aware of the significant range of possible descriptions.  We
don't think it appropriate to venture into your domain and make a
recommendation on the extent of descriptions that should be provided
- such as trusted authorities, etc.  However, it is of our opinion,
though we could easily be mistaken, that a simple description of the
required WS Security elements in a given message is
doable in a reasonably short time frame.  We are certainly not advocating
a large (say a year or more) delay in schedule.

On behalf of the W3C Web Services Architecture Working Group,
Dave Orchard