OASIS Announcement of WSS QoP Discussion List


Date:      Fri, 13 Sep 2002 14:30:23 -0400
From:      Karl F. Best <karl.best@oasis-open.org>
To:        members@lists.oasis-open.org, tc-announce@lists.oasis-open.org, xml-dev@lists.xml.org
Subject:   OASIS announcement of WSS QoP discussion list

Upon the request of eligible participants I have created an OASIS Discussion List whose purpose is to discuss the creation of an OASIS Technical Committee. Discussion on the list will begin in seven days to give all interested people a chance to subscribe, and the list and its archive will be deleted after 90 days. The list is:

      wssqop-discuss@lists.oasis-open.org.

The proposal for the formation of the list is below.

In order to participate in the discussions on these topics you should subscribe to the discussion list using the subscription form at http://lists.oasis-open.org/ob/adm.pl or by sending a message to:

      wssqop-discuss-request@lists.oasis-open.org

with the word "subscribe" as the body of the message. OASIS membership is not required in order to subscribe to this list. If you do not wish to subscribe but wish to view the discussion you may view the list archives at http://lists.oasis-open.org/archives/

</karl>
Karl F. Best
OASIS - Director, Technical Operations
+1 978.667.5115 x206
karl.best@oasis-open.org
http://www.oasis-open.org

WSS QoP - Web Services Security Quality of Protection

List name

WSSQoP-Discuss

[i.e.] WSS QoP - Web Services Security Quality of Protection

Scope and purpose of the TC under discussion

To identify candidate solutions for communicating the required security tokens and quality of protection for a Web service, taking advantage of the common service definition tools, such as WSDL.

The solutions are intended to allow a service consumer to determine:

  1. how to produce a SOAP message including security tokens and protection mechanisms, in accordance with WSS, that is acceptable to both the provider and consumer

  2. whether the consumer is capable of performing the required security processing on the response from a Web service.

Components of security policy include at least:

  1. the set of acceptable types of security token
  2. the set of acceptable cryptographic algorithms
  3. (optionally) what key to use for encryption
  4. the payload nodes to be protected.

The topic is potentially open-ended, leading to solutions for trust policy, authorization policy, personal privacy policy, etc. While recognizing this, it is the intention to limit the identified solutions to those that address the QoP of the initial mechanisms of WSS. This is analogous to the "cipher suites" and "supported algorithms" mechanisms of TLS and S/MIME, respectively.

In addition, the group will identify candidate process models for:

  1. producing a WSDL instance from a security policy definition, and
  2. producing a language-specific API from a WSDL instance.

In which security policies may be applied at:

  1. design time (port type, binding),
  2. deployment time (port, service) and
  3. run time (dynamic).

Proposed activities of the TC under discussion

  • Prepare a full list of the components of a Web-Service security policy
  • Identify the subset of policy components required to support the initial mechanisms of WSS
  • Receive briefings on related activities (e.g. WSDL, UDDI, ebXML, WSS)
  • Propose and evaluate publication models
  • Propose and evaluate process models
  • Agree the next step
  • Publish a summary report

Deliverables of the Discussion List

A decision whether to form an OASIS TC, and if yes a proposal to do so

Sponsors of this proposal

Zahid Ahmed, CommerceOne, zahid.ahmed@commerceone.com
Martijn de Boer, SAP, martijn.de.boer@sap.com
Yassir Elley, Sun, yassir.elley@Sun.com
Phillip Hallam-Baker, VeriSign, pbaker@verisign.com
Ron Monzillo, Sun, ronald.monzillo@sun.com
Tim Moses, Entrust, tim.moses@entrust.com
Tony Nadalin, IBM, drsecure@us.ibm.com
Robert Philpott, RSA Security, rphilpott@rsasecurity.com
Krishna Sankar, Cisco, ksankar@cisco.com

Discussion leader

Tim Moses, Entrust, tim.moses@entrust.com

Source: http://lists.oasis-open.org/archives/wssqop-discuss/200209/msg00000.html


Prepared by Robin Cover for The XML Cover Pages archive. See (1) "Web Services Security Specification (WS-Security)"; (2) other references in the news item of 2002-09-21: "Discussion Forum for Web Services Security Quality of Protection."



Document URL: http://xml.coverpages.org/WSSQoP-Discuss.html