[
Lists Home |
Date Index |
Thread Index
]
Upon the request of eligible participants I have created an OASIS
Discussion List whose purpose is to discuss the creation of an OASIS
Technical Committee. Discussion on the list will begin in seven days
to give all interested people a chance to subscribe, and the list and
its archive will be deleted after 90 days. The list is
wssqop-discuss@lists.oasis-open.org
The proposal for the formation of the list is below.
In order to participate in the discussions on these topics you should
subscribe to the discussion list using the subscription form at
http://lists.oasis-open.org/ob/adm.pl or by sending a message to
wssqop-discuss-request@lists.oasis-open.org
with the word "subscribe" as the body of the message. OASIS membership
is not required in order to subscribe to this list. If you do not wish
to subscribe but wish to view the discussion you may view the list
archives at http://lists.oasis-open.org/archives/
</karl>
=================================================================
Karl F. Best
OASIS - Director, Technical Operations
+1 978.667.5115 x206
karl.best@oasis-open.org http://www.oasis-open.org
List name: WSSQoP-Discuss
(WSS QoP - Web Services Security Quality of Protection)
Scope and purpose of the TC under discussion:
To identify candidate solutions for communicating the required
security tokens and quality of protection for a Web service, taking
advantage of the common service definition tools, such as WSDL.
The solutions are intended to allow a service consumer to determine:
1. how to produce a SOAP message including security tokens and
protection mechanisms, in accordance with WSS, that is acceptable to
both the provider and consumer
2. whether the consumer is capable of performing the required security
processing on the response from a Web service.
Components of security policy include at least:
1. the set of acceptable types of security token
2. the set of acceptable cryptographic algorithms
3. (optionally) what key to use for encryption
4. the payload nodes to be protected.
The topic is potentially open-ended, leading to solutions for trust
policy, authorization policy, personal privacy policy, etc.. While
recognizing this, it is the intention to limit the identified
solutions to those that address the QoP of the initial mechanisms of
WSS. This is analogous to the "cipher suites" and "supported
algorithms" mechanisms of TLS and S/MIME, respectively.
In addition, the group will identify candidate process models for:
1. producing a WSDL instance from a security policy definition, and
2. producing a language-specific API from a WSDL instance.
In which security policies may be applied at:
1. design time (port type, binding),
2. deployment time (port, service) and
3. run time (dynamic).
Proposed activities of the TC under discussion:
- Prepare a full list of the components of a Web-Service security
policy
- Identify the subset of policy components required to support the
initial mechanisms of WSS
- Receive briefings on related activities (e.g. WSDL, UDDI, ebXML,
WSS)
- Propose and evaluate publication models
- Propose and evaluate process models
- Agree the next step
- Publish a summary report
Deliverables of the Discussion List:
- a decision whether to form an OASIS TC, and if yes a proposal to do
so
Sponsors of this proposal:
Zahid Ahmed, CommerceOne, zahid.ahmed@commerceone.com
Martijn de Boer, SAP, martijn.de.boer@sap.com
Yassir Elley, Sun, yassir.elley@Sun.com
Phillip Hallam-Baker, VeriSign, pbaker@verisign.com
Ron Monzillo, Sun, ronald.monzillo@sun.com
Tim Moses, Entrust, tim.moses@entrust.com
Tony Nadalin, IBM Nadalin drsecure@us.ibm.com
Robert Philpott, RSA Security, rphilpott@rsasecurity.com
Krishna Sankar, Cisco, ksankar@cisco.com
Discussion leader: Tim Moses, Entrust, tim.moses@entrust.com
|