RE: [wss] Fwd: WS-Security specs make their debut

[Anthony Nadalin <drsecure@us.ibm.com>]

Jeremy,

The press was well onto WS-Security and the roadmap before the OASIS TC was
formed, thus its a natural to continue on same theme, I see no wrong doing
here by the companies involved in the specifications or by the press.

Anthony Nadalin | work 512.436.9568 | cell 512.289.4122


|---------+---------------------------->
|         |           Jeremy Epstein   |
|         |           <jepstein@webmeth|
|         |           ods.com>         |
|         |                            |
|         |           12/24/2002 07:45 |
|         |           AM               |
|---------+---------------------------->
  >----------------------------------------------------------------------------------------------------------------------------------------------|
  |                                                                                                                                              |
  |       To:       Jerry Schwarz <jerry.schwarz@oracle.com>, Kelvin Lawrence/Austin/IBM@IBMUS, Ed Reed <ereed@novell.com>                       |
  |       cc:       ckaler@microsoft.com, Ed Reed <EReed@novell.com>, Gary Hein <GHein@novell.com>, Shawn Dickerson <SDICKERSON@novell.com>,     |
  |        Sarah Mees <SMees@novell.com>, Winston Bumpus <WBUMPUS@novell.com>, wss@lists.oasis-open.org                                          |
  |       Subject:  RE: [wss] Fwd: WS-Security specs make their debut                                                                            |
  >----------------------------------------------------------------------------------------------------------------------------------------------|




Jerry,

I partially agree and partially disagree with you.  I agree that we
shouldn't blame the press; the names are confusing.  But I disagree on
renaming this group's work to use "SOAP Security" rather than "Web Services
Security".  The term Web Services is understood, to one degree or another,
by the vast IT populace.  The term SOAP is not. The buzz is around Web
Services, not around SOAP.  One reason why this committee is able to get so
much participation and press is that Web Services are the buzzword de jour.
If we switch names, we risk losing visibility, and hence participation, and
potentially momentum.

I know that's a crass marketing view, but I'd hate to see this group lose
out because of poorly chosen language in a press release from some major
companies.

Perhaps the solution is for committee members who work for some of those
companies to lobby them to clean up their marketing message.  Yes, we all
know that these new specs are part of the original Roadmap.  But using the
terminology once it's become identified with a standards organization is
poor form.

--Jeremy
 -----Original Message-----
 From: Jerry Schwarz [mailto:jerry.schwarz@oracle.com]
 Sent: Tuesday, December 24, 2002 12:10 AM
 To: Kelvin Lawrence; Ed Reed
 Cc: ckaler@microsoft.com; Ed Reed; Gary Hein; Shawn Dickerson; Sarah Mees;
 Winston Bumpus; wss@lists.oasis-open.org
 Subject: Re: [wss] Fwd: WS-Security specs make their debut


 I don't think we should blame the press. This confusion was an inevitable
 consequence of the poorly chosen name of the committee. "Web Services
 Security" is understood by people who aren't intimately familiar with the
 documents and committee charters as including all the areas (and perhaps
 more) that are covered by the roadmap.The natural assumption is that the
 scope of a "Web Services Security" working group would encompass all that.


 The authors of IBM's web page (I haven't look at Microsoft's yet) add to
 the confusion with the subhead

   "New specifications improve the WS-Security model"

 You can explicate that subhead so that it is technically correct, but as
 far as I'm concerned you can't eliminate the suggestion that "improving
 the WS-Security model" is or ought to be within the scope of a technical
 committee responsible for "WS-Security".

 One of the documents is referred to as "WS-Security Policy" and describes
 itself as

     This document is an addendum to WS-Security and indicates the policy
 assertions for
     WS-Policy which apply to WS-Security.

 I haven't read the document, and I assume that it is what we would call
 profile, but calling it an "addendum to WS-Security" certainly suggests it
 is something of concern to the technical committee responsible for
 WS-Security.

 It is probably too late to do anything about the committee's name, but it
 isn't too late to do something about the document titles. I believe we
 should reconsider the use of "Web Services Security:" as the tag. I
 propose the description we choose for the core document as the tag.

 So the core document would be

     Soap Message Security: Core

 And the profiles would be

     Soap Message Security: XYZ Profile

 At 06:51 AM 12/20/2002, Kelvin Lawrence wrote:

       Hi Ed,  thanks for the note, I think the press article you
       referenced was unfortunately very poorly worded and seems to use the
       phrase "WS-Security" in a generic sense where the phrase "security
       roadmap" would  have been more accurate.

       As I know you are aware, IBM and Microsoft produced a Web services
       security roadmap back in April, along with the roadmap, a single
       concrete specification called WS-Secuirity was also produced.
       WS-Security was outlined in the roadmap as the basis for the rest of
       the specifications in the roadmap. WS-Security was consequently
       submitted to OASIS and the WSS TC was chartered.

       What IBM, Microsoft,Verisign, RSA Security, BEA  Systems and SAP
       have done this week is to deliver drafts of some of the other
       specifications described in the roadmap. As you recall the WSS-TC
       did not want to assume the responsibility of the roadmap, and at our
       first F2F in September the charter was clarified after a lot of
       discussion to make it clear what the scope of the TC was. The
       roadmap itself was not submitted to the TC in any formal way.

       So while I agree the article you pointed us all to is poorly worded,
       the WSS-TC has not undertaken any new specifications in your absence
       or anything like that  and the charter has not been changed. I spoke
       to some of the people who participated in the announcement of these
       new specs and they told me that it was made very clear that these
       were new specs being delivered as part of filling out the roadmap.
       Unfortunately this particular journalist seems to have used some
       incorrect words and confused WS-Security with the overall roadmap. I
       have seen other articles this week that do focus on the roadmap more
       accurately.

       Also, some of the other press articles I have seen do go on to say
       that the authors of the new specifications intend to take the
       specifications to a standards body which is accurate coverage. As of
       today, the new specifications are published to the respective
       author's web sites to allow people to comment on them.

       I hope this clears things up a bit, and likewise best wishes for a
       safe and happy holiday period to you and all of our TC members.

       Cheers
       Kelvin