WSWS Wednesday 11 April afternoon sessions


Wednesday 11th April 2001, afternoon session I

Interoperability - Marwan Sabbouh, Mitre

Q (Tim Berners-Lee): Can you be more specific about security challenge?

A: WSDL is in clear format. Also, extending services beyond the firewall creates new security issues.

Q (Mark Miller): Software engineering has not been very successful at that until now.

A: We cannot fail.

Q (Mark Miller): The others could not fail either.

Q (Sankar Virdhagriswaran): You are talking about introducing QoS at the transport level. There are implications about that at the Web service level.

A: It has to be defined at the XMLP and intermediaries level.

Q (Andrew Layman): There are QoS implications at all levels. Maybe this is precisely why all this should be thought of as part of the global architecture.

Q (Eric Stammers): What about context? Web services involve scenarios such as "I am performing that on behalf of...".

A: Those issues are being worked on in the XMLP Working Group.

Q (???): Each server becomes aware of the path of the original query. I think that this is a good thing.

Q (Jags Ramnarayan): WSDL is not sufficient and needs to be extended to add semantics. You are getting into ontologies. Who do you think should work on this?

A: It tells you how to access the service. Maybe it would need an industry-specific standard.

Web Services - Gerald Edgar, Boeing

Q (Mark Miller): In other areas of engineering, there are things that are possible and impossible. Are you talking about copy protection? How does computer security help protect intellectual property?

A: ... help that they have provided us.

Q (James Snell): A very important point is that we must not make it hard to use. However, I think that it is fine for things to be complex as long as they are easy to use.

A: Tools are important. It is a sales job even internally to make people use the right architecture. Having tools to make a technology easy to use is very important.

Q: People use EDI within Boeing. Could you talk a little about EDI?

A: Negotiated capabilities within two partners = EDI. Information sources for EDI may be of interest to other applications.

Q (Roger Cutler): Security is important. It is difficult to have a decent information protection implementation when people have lots of user/passwords. A good information protection implementation means limiting the number of users.

Q (???): You talked about stable addresses. Do we have to consider how to advertise changes? For example, vocabularies could change. Version control is a good thing but I don't think that it's enough.

A: The services are registered. Changing the services implies changing the registration.

Q (???): However, do I really want to use the latest version of the service?

A: We have a registry of XML object definitions.

Q (Sankar Virdhagriswaran): What would make your job easier in setting up this system? You have to involve a bunch of suppliers. Now this is going to be automated for some things.

A: I can't assume that any application will change unless they want to change. There are gateways to let old applications access the new application. Usually, old applications don't change, but modules are added for new capabilities.

Enabling Shared Context - Anne Thomas Manes, Sun

Q (Tim BL): CC/PP does pretty much what you want for capabilities negotiation. P3P does it for privacy.

A: P3P does not allow the individual to express their privacy policies. CC/PP is targeted at devices.

Q (Tim BL): Not only. CC/PP is generic. You can write your own vocabulary.

Q (???): Who manages this information about me? How is it protected?

A: I want to have control and ownership of my personal information.

Q (Sankar Virdhagriswaran): Basically, what you are doing is delegation.

A: What I am doing is passing a reference to a service.

Q (???): XNS stands for Extensible Name Service. It is a global identity management service. It allows complete control on the information access, which is pretty much what you were describing.

Q (Paul Cotton): I wanted to follow up on P3P. The service would publish its privacy policy. The other end of the service would decide if it wants to accept the terms of the contracts or not. Can we apply P3P to Web services?

A: With P3P, the server specifies the policy. I, as a user, want to do that.

Q (Andrew Layman): Do you imagine that there will be one unique ontology about all that?

A: I would leave that to the verticals to define their own ontology. You can have as many ontologies as you want to have, but you cannot have a single governing body.

Q (???): You need to have the ontologies to agree on some information.

A: I like the HP description of the vocabulary. The market will determine which vocabulary is the most efficient.

Q (Noah Mendelsohn): There is a need for disconnected scenarios. There are situations when that kind of negotiation won't work. I am not saying that everything should be conceived for disconnected scenarios, but those scenarios have to be taken into account.

WSDL / Business Process Breakout

Web services are horizontal, and other technologies are attacking more vertical problems.

Applying workflow to Web services requires being very precise about boundaries. How do you get orchestration to work taking latency into account: either you do care about latency (since there is latency on the Web) or you do not care about it at all. Hence you need flexible transaction models for service orchestration to work.

How should we move forward with service description? Start with ebXML TP versus start with WSDL. ebXML TP has been out there for about 18 months and people have looked at it already.

Paul Cotton: there are 30 submitters of WSDL to convince that ebXML TP is better than WSDL as a starting point. In the user community of the Web, the bottom-up approach is more likely to work. Adding 4 or 5 things at once is not a good idea, regardless of the number of people.

Frank DeRose: My company was a co-submitter of WSDL, but we do want to consider other technologies too. For XML Protocol, that is what happened.

Paul Cotton: Actually, the charter talks about SOAP. The protocol matrix you are talking about came before the creation of the Working Group. The WSDL suggestion did suggest that a Working Group should look into this area.

Matthew Fuchs: Several submissions of schema languages were submitted to W3C. The Working Group ignored them and that was in my opinion a mistake.

Sanjiva Weerawarana: Do we want to request the creation of a Working Group for service description?

Eric Stammers: Service description needs to include information about proper usage of the service with regard to sequencing. We should separate service interface description from service usage.

Sanjiva Weerawarana: The sequencing in the IBM world is WSEL. The next level is orchestration of services (both local and remote).

Eric Stammers: You can represent nothing but the interface in the orchestration language. How does the client

Glen Daniels: You can tie individual nodes to tasks.

Eric Stammers: CDL is a way to communicate

Paul Cotton: How much of this to do phase II (static case of the HP presentation)?

Eric Stammers: In phase II, it is useful to discover the interface and the sequencing, but ideally you would be pointed to the service and learn about it on the screen.

Paul Cotton: Are people likely to pick up WSDL without the other pieces?

Eric Stammers: Some compositions will be 100% automated. Some will be the case of finding a service that could be a good match, a "help me buy something" kind of scenario.

Scoping of orchestration: static processes to dynamic processes.

Eric Stammers: Compositions as new services' issues. We don't seem to have use cases for Web services. What do services need to provide so that they can be composed?

Service description requirements:

How do the various business transaction activities relate to transactional properties of business processes?

Paul Cotton: we have to find how everything relates to W3C technologies.

Steve Zilles: Whatever I describe, I need to know whether it's queryable.

Paul Cotton: For every charter you write, you will have to point out the work that you are not going to do.

See also the notes by Sanjiva.

Report of the breakout sessions

Web description / orchestration; chaired by Sanjiva Weerawarana

See slides.

Semantic Web and Web services; chaired by Eric Prud'hommeaux

Relationships between SW and WS.

Characterized what WS do. Semantic Web provides logic. Talked about UML.

WS can be seen as a SW application. It would be nice if WS is in native SW language, such as RDF.

Did not talk about topic maps at all.

Security; chaired by Mark Miller.

Whiteboard 1. Whiteboard 2. Whiteboard 3.

Came up with 5 points:

  1. We need a single integrated solution to security within web services.
  2. We need to be able to solve the problem of security interactions between trusted parties. (e.g. corporate trading partners).
  3. We also need to be able to solve security issues in interactions between mutually suspicious parties. (i.e. strangers on the internet).
  4. These may be poles of a continuum of relevant "level of trust" scenarios.
  5. We need to be able to transmit authority levels and limitations of authority.

Preference would be to have one coherent solution.

Web: no global coordination, fully decentralized solution.

Small number of parties: the global coordination is fine.

Principle of least authority. Transfer authority to some agent that needs to act on your behalf; give it only what is needed.
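As an added illustration of that last point (this is example code, not something presented at the workshop, and it does not reproduce SPKI or E-Speak): the token format below is an assumed, macaroon-style construction in which a holder can only narrow a capability by appending caveats to an HMAC chain, never widen it. The owner mints a full-authority token, attenuates it to read-only, path-restricted and time-limited before handing it to an agent, and the service's verifier rejects both out-of-scope requests and an attempt to strip the caveats off again. The root key and request data are constructed sample values.

```python
"""Attenuated capability tokens: least authority via HMAC chaining.

Added example, not from the workshop minutes. Token format is an assumed
macaroon-style construction for illustration: identifier + list of caveats,
signature = HMAC chain with one step per caveat. Holders can add caveats
(attenuate) without any key, but cannot remove them, so an agent acting on
your behalf receives exactly the subset of authority you hand it.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass


def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass(frozen=True)
class Capability:
    identifier: str      # names the root authority, e.g. an account
    caveats: tuple       # restrictions of the form "key=value", in order
    sig: bytes           # HMAC chain over identifier and caveats


def mint(root_key: bytes, identifier: str) -> Capability:
    """Issuer creates a full-authority token; only the issuer holds root_key."""
    return Capability(identifier, (), _mac(root_key, identifier.encode()))


def attenuate(cap: Capability, caveat: str) -> Capability:
    """Any holder narrows a token by appending a caveat; no secret needed."""
    return Capability(cap.identifier, cap.caveats + (caveat,),
                      _mac(cap.sig, caveat.encode()))


def _caveat_holds(caveat: str, request: dict) -> bool:
    """Evaluate one caveat against the request; unknown caveats fail closed."""
    key, _, value = caveat.partition("=")
    if key == "action":
        return request.get("action") == value
    if key == "prefix":
        return str(request.get("path", "")).startswith(value)
    if key == "exp":
        return request.get("now", time.time()) <= int(value)
    return False


def verify(root_key: bytes, cap: Capability, request: dict) -> bool:
    """Service recomputes the chain from root_key, then checks every caveat."""
    expected = _mac(root_key, cap.identifier.encode())
    for c in cap.caveats:
        expected = _mac(expected, c.encode())
    if not hmac.compare_digest(expected, cap.sig):
        return False
    return all(_caveat_holds(c, request) for c in cap.caveats)


def demo() -> dict:
    """Owner delegates a narrowed token to an agent; returns verifier outcomes."""
    root_key = b"constructed-root-key"           # constructed sample secret
    owner = mint(root_key, "acct:alice")
    agent = attenuate(owner, "action=read")       # read only ...
    agent = attenuate(agent, "prefix=/orders/")   # ... under /orders/ ...
    agent = attenuate(agent, "exp=2000")          # ... until time 2000
    # Agent tries to regain full authority by dropping the caveats but
    # keeping the signature it was given.
    forged = Capability(agent.identifier, (), agent.sig)
    req = {"action": "read", "path": "/orders/17", "now": 1000}
    return {
        "owner_write": verify(root_key, owner, dict(req, action="write")),
        "agent_read": verify(root_key, agent, req),
        "agent_write": verify(root_key, agent, dict(req, action="write")),
        "agent_other_path": verify(root_key, agent, dict(req, path="/hr/1")),
        "agent_expired": verify(root_key, agent, dict(req, now=3000)),
        "forged_unattenuated": verify(root_key, forged, req),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

The point the summary makes is visible in `demo()`: the agent never sees `root_key`, and the only operation available to it is further attenuation, so "give it only what is needed" is enforced by construction rather than by trusting the agent. A service that also wanted auditing (raised in the questions below) would log the identifier and caveat list of every accepted token, since together they describe exactly which delegated authority was exercised.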

Q: What is the minimum amount of security needed to enable the most common Web services in the next 2 years?

A: With capabilities, you can do all the things that we need to do on open networks, and they are also incredibly simple. See ... and also E-Speak for an example of the use of capabilities. E-Speak is based on SPKI.

Q: How much of the security constraints would go into the underlying protocol?

A: You need to understand the application (?).

Q: Although I sympathize with the desire to create a decentralized mechanism, in reality you need someone to trust.

A: The issue is not to have no delegation.

Q: What about auditing?

A: The lack of attention to auditing is a lack of attention to security. There is a general feeling that this area needs attention.

Q: Did you consider any security model?

A: No time.

Hugo Haas