From a strawman document "Web-Services Security Quality of Protection" posted by Tim Moses (see reference below): "Problem statement: WSS allows Web-service providers to implement a security policy. The term security policy is used in this context to mean: 'a statement of the requirements for protecting arguments in a WS API, including: (1) how actors are to be authenticated, using what mechanisms and with what parameter value ranges; (2) which XML elements are to be encrypted, for what individual recipients, recipient roles or keys, using what algorithms and key sizes; (3) which XML elements are to be integrity protected, using what mechanisms, with which algorithms and key sizes, and (4) what additional qualifications the service consumer must demonstrate in order to successfully access the API'. This is a relatively restrictive use of the term 'security policy'. A more comprehensive definition addresses such requirements as: (1) privacy (retention period, intended usage, further disclosure); (2) trust (initial parameters of the signature validation procedure, including those keys or authorities that are trusted directly, policy identifiers, maximum trust path length), and (3) non-repudiation (requirements for notarization and time-stamping)..."
Proposed activities of the TC under discussion
- Prepare a full list of the components of a Web-Service security policy
- Identify the subset of policy components required to support the initial mechanisms of WSS
- Receive briefings on related activities (e.g. WSDL, UDDI, ebXML, WSS)
- Propose and evaluate publication models
- Propose and evaluate process models
- Agree the next step
- Publish a summary report
Sponsors of the proposal
- Zahid Ahmed, CommerceOne
- Martijn de Boer, SAP
- Yassir Elley, Sun (yassir.elley@Sun.com)
- Phillip Hallam-Baker, VeriSign
- Ron Monzillo, Sun
- Tim Moses, Entrust
- Tony Nadalin, IBM
- Robert Philpott, RSA Security
- Krishna Sankar, Cisco
- Announcement: WSS QoP Discussion List
- 'Discuss creation of a WSS QoP TC' mailing list archive
- "Web-Services Security Quality of Protection." By Tim Moses (Entrust), with review and comment by Zahid Ahmed. Strawman document posted 2002-09-20 to the WSS QoP TC discussion list. September 17, 2002. 11 pages.
- List subscription: Use the subscription manager to subscribe to 'wssqop-discuss' or send email with the word "subscribe" as the body of the message. OASIS membership is not required in order to subscribe to this discussion list.
- OASIS Web Services Security TC (WSS)
- "Web Services Security Specification (WS-Security)" - Main reference page.