IRC log of ws-arch on 2002-06-13

Due to log merging, there may be timestamp weirdnesses.

07:03:42 [RRSAgent]
RRSAgent has joined #ws-arch
07:04:02 [hugo]
hugo has changed the topic to: WSAWG face-to-face meeting; IRC log at: http://www.w3.org/2002/06/13-ws-arch-irc
07:04:08 [Heather]
good morning
07:04:23 [hugo]
good morning Heather
07:05:09 [dbooth]
Yowzer, you're up earlier Heather! (Or late!)
07:05:22 [Heather]
early.... yawn
07:05:43 [Heather]
how was dinner???
07:06:53 [dbooth]
I actually skipped the group dinner, cuz i had more work to do on my slides for today. But I had a nice quiet dinner at a cafe in front of my laptop.
07:07:56 [Heather]
you are too dedicated :-)
07:08:17 [chris]
chris has joined #ws-arch
07:12:37 [soliton]
soliton has joined #ws-arch
07:12:45 [soliton]
morning, Heather
07:13:01 [soliton]
Did you get the message yesterday?
07:13:23 [MChapman]
MChapman has joined #ws-arch
07:13:33 [Heather]
about a requirements meeting after the meeting today?
07:14:06 [soliton]
we try to have a reliability meeting after 5:00 pm
07:14:23 [soliton]
so, just stay tuned
07:14:37 [Heather]
ok
07:16:54 [TomCarrol]
TomCarrol has joined #ws-arch
07:16:59 [Roger]
Roger has joined #ws-arch
07:17:15 [Roger]
Hi Heather. Is it 3 AM there?
07:18:17 [TomCarrol]
It feels like 3 am here
07:19:26 [Heather]
yes... it's 3am
07:19:47 [mikem]
mikem has joined #ws-arch
07:19:47 [Heather]
I haven't seen 3am since my last child was born!
07:19:49 [chris]
http://lists.w3.org/Archives/Public/www-ws-arch/2002May/0435.html
07:19:54 [chris]
scribe: tomc
07:20:14 [Heather]
Tom...must have been a good dinner :-)
07:20:16 [shishir]
shishir has joined #ws-arch
07:20:34 [yinleng]
yinleng has joined #ws-arch
07:20:51 [yinleng]
yinleng has left #ws-arch
07:20:52 [AllenBr]
AllenBr has joined #ws-arch
07:20:54 [jdmunter]
jdmunter has joined #ws-arch
07:21:43 [dougb]
dougb has joined #ws-arch
07:25:23 [TomCarrol]
Comments on the rewording of D-AC002.3.1
07:27:33 [Heather]
i don't see an ac002.3.1....
07:29:43 [TomCarrol]
dougs email is listed above
07:31:08 [Daniel]
Daniel has joined #ws-arch
07:31:57 [Heather]
I'm not sure I understand the wording still....
07:32:07 [Daniel]
which wording? old or new?
07:32:09 [Heather]
and what happened to the superset concept?
07:32:10 [Heather]
new
07:32:39 [Daniel]
I don't understand the new either, I support the old wording
07:32:55 [Daniel]
we are trying to get at modularization
07:35:26 [TomCarrol]
D-AC002.3.1 tabled for further thought
07:36:29 [Heather]
subsets of what??? the architecture? the end user interface? Is this like a wsi profile?
07:36:49 [Daniel]
technologies developed for the arch.
07:38:05 [Roger]
Roger has joined #ws-arch
07:38:06 [Daniel]
ws-i profile is very similar idea
07:38:37 [TomCarrol]
Suggestion to drop "intended audience" from D-AC005
07:40:41 [Heather]
seems ok...
07:41:07 [dougb]
what was KIS^5 (simple, scalable, ...)?
07:42:02 [TomCarrol]
Roger: moves to accept it as is
07:44:13 [TomCarrol]
D-AC005 accepted.
07:44:28 [TomCarrol]
Comments on D-AC005.1
07:45:08 [Heather]
what is the gist of the comments?
07:45:38 [Daniel]
basically, ppl are arguing over the words, not the meaning
07:45:47 [Daniel]
it needs some wordsmithing
07:46:07 [Heather]
ok
07:47:18 [Daniel]
we are going to explicitly modify the statements with the "should" qualifier
07:47:45 [TomCarrol]
JeffM: proposed to drop.
07:49:22 [Heather]
why?
07:50:18 [Daniel]
Jeff sez: it isn't enforceable
07:50:43 [Daniel]
David O advocates specialized jargon
07:50:43 [TomCarrol]
DaveO: it's all jargon and we will use jargon to describe web services
07:52:58 [TomCarrol]
Those who care will resolve independently.
07:53:24 [TomCarrol]
those who care: Daniel and Alan
07:53:32 [jeffm]
jeffm has joined #WS-Arch
07:54:05 [TomCarrol]
Comments on D-AC005.10
07:54:26 [TomCarrol]
Accepted
07:54:39 [chris]
resolved: d-ac005.10 accepted
07:55:20 [Heather]
what happened to 5.5-5.8?
07:55:22 [TomCarrol]
Comments on D-AC005.13
07:55:51 [omh]
omh has joined #ws-arch
07:55:51 [Heather]
what are exotic constructions?
07:55:56 [dbooth]
Can someone give me the requirements doc URL again?
07:56:11 [Heather]
http://www.w3.org/2002/ws/arch/2/06/wd-wsa-reqs-20020605.html#AC002
07:56:15 [chris]
resolved: remove d-ac005.13
07:56:21 [dbooth]
Thanks heather!
07:56:24 [Heather]
np
07:56:50 [Roger]
Roger has joined #ws-arch
07:57:16 [TomCarrol]
Comments on D-AC005.14
07:58:08 [Heather]
i think this one has no relationship to simpleness or completeness of the architecture
07:58:14 [Daniel]
*wonders how to tell if 5.14 makes any sense at all*
07:58:57 [Heather]
i propose to drop (if someone hasn't beaten me to it)
07:59:29 [Daniel]
we could specify the maximum cyclomatic complexity I guess
07:59:34 [Daniel]
*not*
07:59:43 [Heather]
:-)
08:00:08 [TomCarrol]
DaveO: the goal as stated sounds good but there is no clear definition of what large amounts of code.
08:01:44 [Heather]
even a simple arch can require large amounts of code depending on how the vendor chooses to implement it
08:01:49 [shishir]
shishir has joined #ws-arch
08:01:54 [TomCarrol]
Roger: thinks it is important
08:02:24 [Daniel]
I just don't care how much code it uses...more != bad code
08:02:46 [Daniel]
the amount of code is not a measure of its quality
08:02:50 [Heather]
i don't want us to NOT add valid components because they require large amounts of code
08:02:58 [Daniel]
right
08:03:22 [Heather]
i.e. security - there is NO way that bugger is NOT going to require HUGE amounts of code (by anyone's definition)
08:03:36 [Daniel]
security = ugh
08:03:57 [Heather]
(I agree Daniel)
08:04:05 [TomCarrol]
JeffM: the union of all participants causes the size to increase
08:05:24 [TomCarrol]
Roger: It's important that simple things must be able to be done in simple ways avoiding unnecessary complexity and size.
08:06:20 [Heather]
I agree with a csf of 'avoid unnecessary complexity and size'
08:06:28 [TomCarrol]
Roger: Cut it
08:06:32 [jeffm]
More precisely: the process of getting everyone to remove their "lie down in the road objections" often causes lots of extra complexity
08:06:45 [chris]
resolved: d-ac005.13 removed
08:07:01 [chris]
s/13/14/
08:07:01 [Heather]
13? or 14?
08:07:05 [soliton]
Artifacts in the reference architecture should be defined in UML where applicable.
08:07:19 [TomCarrol]
Comments on D-AC005.15
08:07:41 [Daniel]
dear soliton: no bloody way
08:07:42 [TomCarrol]
Daniel: Drop it
08:08:28 [hugo]
hugo has joined #ws-arch
08:08:38 [Heather]
having a goal to allow simple invocation styles may be something we don't want to lose
08:08:43 [Daniel]
Uml bears the same relation to architecture that theology bears to religion, that is, none at all
08:08:52 [soliton]
why? UML is well established.
08:09:11 [TomCarrol]
Glenn: this refers to clean modularity
08:09:14 [soliton]
most programmers now are used to UML
08:09:18 [MChapman]
and is excellent to defining architectures
08:09:23 [soliton]
it helps the spec to be adopted.
08:09:36 [GlenD]
GlenD has joined #ws-arch
08:09:50 [Daniel]
I love UML, I teach UML, I don't abuse UML by attempting to do something with it that it is not good at i.e. architecture
08:09:53 [yinleng]
yinleng has joined #ws-arch
08:10:11 [Heather]
what would you use instead Daniel?
08:10:16 [MChapman]
define architecture
08:10:20 [TomCarrol]
Gle to reword D-AC005.15
08:10:32 [MChapman]
blobs that interconnect
08:10:35 [TomCarrol]
Glen to Reword D-AC005.15
08:10:55 [jeffm]
From my perspective: UML is simply a language
08:10:55 [soliton]
soliton is puzzled by Daniel.
08:10:55 [Heather]
Glen to reword to capture what gist?
08:10:55 [Daniel]
I like SDML personally
08:11:32 [soliton]
how many of us know SDML?
08:11:40 [Heather]
i never even heard of it....
08:11:42 [Daniel]
UML is okay, for software applications
08:11:50 [soliton]
let alone average programmers
08:11:57 [jeffm]
What's SDML - Structured Data Manipulation Language ???
08:11:59 [Daniel]
but which of the 10 class 1 UML diagrams is good for architecture?
08:12:11 [jeffm]
#'s 3 and 7
08:12:27 [soliton]
component diagram
08:12:34 [soliton]
use cases
08:12:53 [soliton]
and so on ..
08:13:04 [Daniel]
hmmm...Jeff sez, collaboration and component...nowhere do I get to specify the messaging
08:13:09 [TomCarrol]
Glen: the rewording will be worded along the lines of "every one can play".
08:14:01 [Daniel]
I am willing to give ground on this one, up to the point where we *require* UML to be used
08:14:01 [TomCarrol]
Chris: any other low hanging fruit????????
08:14:03 [soliton]
where, in most cases you can specify the messaging
08:14:11 [MChapman]
wots messaging to do with architecture
08:14:18 [soliton]
note that I said "where applicable"
08:14:19 [TomCarrol]
Zula: did we discuss 21??????
08:14:26 [Daniel]
architecture us *all* about messaging
08:14:33 [Daniel]
us = is sorry
08:14:54 [soliton]
I don't quite agree on that one.
08:15:22 [soliton]
problem partitioning and use cases are also large part
08:15:35 [jeffm]
Daniel: will you allow UML to be used if someone wants to use it in a spec?
08:15:41 [Daniel]
sure
08:15:53 [Daniel]
so long as it is not *required*
08:16:21 [MChapman]
it ceratinly should mean anything w.r.t conformance
08:16:23 [MChapman]
should not i mean
08:16:31 [soliton]
did the word "should" qualify as your not *required* ?
08:16:39 [jeffm]
I think you're trying to stand up in front of tidal wave, but that's your choice
08:16:43 [MChapman]
yes sorry fingers to fast
08:16:49 [Daniel]
I'll go for "may"
08:17:21 [soliton]
I guess we can have a vote on the choice here.
08:17:26 [TomCarrol]
DaveO: He and Hugo discussed the XML schema (10.1) issue and found the usage of "should" would be acceptable.
08:18:05 [Daniel]
as Jon Bosak would say (about UML) "I want my data back"
08:18:15 [soliton]
how come 10.1 is not in the editor's copy?
08:18:21 [Daniel]
the business comics are not data, pictures are not data
08:18:29 [dougb]
because it's underneath 011
08:18:44 [MChapman]
pictures say a 1000 words:)
08:18:44 [soliton]
thanks, dougb
08:18:55 [soliton]
totally agree with MChapman
08:19:01 [jeffm]
I've seen these fights about requiring UML in other forums. What I've observed is that eventually everything starts showing up as UML, and pretty soon it becomes established in the culture. To the point where discussions of whether to make it mandatory or not becomes irrelevant.
08:19:01 [Daniel]
yeah but you can't get your 1K words back
08:19:34 [Daniel]
actually Jeff, I'm pushing it hard in my org.
08:19:35 [Daniel]
for the software devs
08:19:56 [GlenD]
Proposed rewording of D-AC005.15:
08:20:02 [GlenD]
It shall follow the principles of well-modularized design to allow both extremely simple and more complex participants in Web Service interactions.
08:20:46 [omh]
that appears to work ok...
08:20:57 [jeffm]
Sure, like all new shiny "cool" toys (...err I mean tools ;-) people start trying to use it for everything. Eventually they settle down, and stop using the pliers to bang in nails (except when they've lost their hammer.)
08:22:40 [Heather]
where are the 'principles of well-modularized design found'?
08:22:42 [Daniel]
rephrase of Glen's proposal: "It will follow the principles of modularized design in order to allow interactions at different levels of complexity among Web Services"
08:23:27 [Daniel]
You can read them here Heather: http://www.w3.org/TR/xhtml-m12n-schema/
08:23:47 [TomCarrol]
Resolution AC0010.1 accepted
08:23:48 [Daniel]
Jeff: I agree
08:23:48 [chris]
resolved: glen resolved: AC010.1 Each new architectural area that has a representation SHOULD be normatively defined using XMLSchema
08:23:48 [Heather]
the interactions are simple->complex... not the participants, right?
08:24:19 [soliton]
I like Daniel's rewording.
08:24:26 [Daniel]
right
08:26:17 [Heather]
how about 'in order to allow both simple and complex interactions with Web Services'
08:26:23 [GlenD]
+1 to Daniel's rewording.
08:26:51 [GlenD]
Heather: I don't think that's general enough
08:26:52 [Heather]
but the participants are not always web services... so among web services doesn't seem right...
08:27:16 [soliton]
the complexity is about interactions, bot participants
08:27:29 [GlenD]
By "participants" I was trying to get at the idea that you can build simple or complex programs to do simple or complex interactions...
08:27:40 [TomCarrol]
Comments on D-AR011.1
08:27:49 [GlenD]
i.e. both design and runtime have a smooth spectrum of complexity if we do this right
08:27:53 [Heather]
so... complexity is about participants?????
08:27:55 [soliton]
so i'd stick with Daniel's wording.
08:28:11 [Roger]
Roger has joined #ws-arch
08:28:12 [Daniel]
we could change "among" -> "with"
08:28:19 [GlenD]
Or we can be more explicit
08:28:28 [Heather]
daniel's applies to complex interactions... not participants
08:28:51 [TomCarrol]
DaveO: The process takes care of this requirement.
08:29:10 [GlenD]
"It will follow the principles of modularized design in order to allow programs and web service interactions to smoothly scale in complexity."
08:29:26 [Heather]
i can live with this as daniel has it with 'among'->'with'
08:29:27 [soliton]
not as good as the previous one
08:29:32 [TomCarrol]
Resolved D-AR011.1 removed
08:29:32 [Heather]
not a lie down in the road
08:29:37 [chris]
resolved: d-ac011.1 removed
08:29:49 [Daniel]
whoohoo break time!
08:29:51 [soliton]
word such as smoothly will only cause confusing
08:30:07 [Daniel]
*participants retreat to their corners, breathing hard*
08:30:27 [Heather]
:-)
08:30:29 [soliton]
round 2 will start in 15 minutes
08:30:44 [Heather]
i'm just going to close my eyes for one minute....
08:30:47 [TomCarrol]
After the break the draft outline of the Arch. Doc
08:31:11 [omh]
see you in 4 hours then heather :)
08:31:19 [Heather]
:-)
08:31:20 [Daniel]
lol
08:31:58 [chris]
20 minute break
08:36:07 [Roger]
Roger has joined #ws-arch
08:37:05 [dbooth]
dbooth has joined #ws-arch
08:46:07 [GlenD]
"It will follow the principles of modularized design in order to allow interactions with Web Services at different levels of complexity"
08:46:25 [GlenD]
That's my final offer. :)
08:46:42 [jdmunter]
jdmunter has joined #ws-arch
08:47:06 [joe]
joe has joined #WS-ARCH
08:47:38 [David]
David has joined #ws-arch
08:47:44 [joe]
Hello wsa world!
04:45 [David]
I've finally got the editors draft of the arch document on the site. It's at http://www.w3.org/2002/ws/arch/2/wd-wsawg-arch-06132002.html
04:45 [David]
the "wd" is actually incorrect, it's an editors draft
04:50 [David]
ok, reload the doc if you have already loaded as I updated the conceptualmodel.jpg based upon eric's updates.
04:52 [Daniel]
did Heather go off to sheep-land?
04:52 [chris]
okay, we're baaaack
04:52 [Heather]
i'm back
04:52 [Heather]
barely
04:52 [Daniel]
you're a trooper anyway
04:52 [soliton]
where is the jpg?
04:53 [David]
soliton, it's referenced in the arch document
04:54 [soliton]
oh, i see.
04:55 [soliton]
what is the url for the arch doc?
04:56 [Heather]
we always saw QOS as a vertical like management and security
04:56 [soliton]
agree with heather
04:56 [Daniel]
hey Heather - you are from IBM, aren't you supposed to say "separation of concerns"?
04:57 [hugo]
Document discussed: http://www.w3.org/2002/ws/arch/2/wd-wsawg-arch-06132002.html
04:57 [David]
lol
04:58 [Heather]
i may just be sleepy... but having qos as a vertical does allow us to do something appropriate (and perhaps orthogonal) at each layer of the stack...
04:58 [David]
Heather, I've got RAS still imprinted on my forehead...
04:58 [Heather]
:-)
04:58 [David]
Heather, we're not *quite* talking about the diag yet...
04:58 [Daniel]
Roger: you can get the xmlspec.xsl at: http://dev.w3.org/cvsweb/spec-prod/html/xmlspec.xsl
05:01 [Heather]
ok... I'll wait my turn
05:01 [chris]
we're on the conceptual model diag now
05:02 [Heather]
can someone capture the gist of the conversation for me???
05:02 [chris]
now we're on system diag
05:03 [chris]
david is describing intent of these diags
05:03 [chris]
conceptual model is to basically identify the related concepts
05:03 [TomCarrol]
We are now on the stack diagram
05:04 [chris]
sect 1.3 overview (stack diag for starters)
05:04 [Heather]
I don't understand the caching block in this context...
05:05 [TomCarrol]
We are now on 2.3 Security
05:08 [Heather]
the bottom blocks are specs?
05:08 [TomCarrol]
Zula: What process are we going to use in completing this document????
05:08 [Heather]
pointed to by the concepts?
05:09 [TomCarrol]
Chris: the process will be; the editors will propose and then request input and revision from the group, in increasing levels of detail.
05:10 [TomCarrol]
Chris: there should be frequent snap shots.
05:10 [Heather]
Can group members propose things to the editors?
05:10 [dougb]
Heather, we're not ignoring your comments. We are however discussing things at a significantly higher level at the moment. I'm sure we'll come back to the details / diagrams soon.
05:11 [TomCarrol]
Zula: What role do the CSF play within the arch doc?
05:11 [TomCarrol]
Zula: particularly the models (ie security model)
05:13 [TomCarrol]
DaveO: Security is everywhere that is why the security Bar is represented as it is in the conceptual model(1.1)
05:15 [jdmunter]
wrt to process, I propose that we are all contributors. Along with commenting on content already there, I should be able to send my initial suggestions to the editors for inclusion also.
05:16 [Daniel]
I agree Joel
05:16 [TomCarrol]
We are now referring to the outline and how various topics breakout.
05:16 [Heather]
me too
05:16 [chris]
q+ joe jeff
05:16 [chris]
q+ joe jeff
05:17 [chris]
ack joe
05:17 [TomCarrol]
Joe: Conceptual diagram how would you like feedback the list???
05:18 [TomCarrol]
Chris: in general no the more specific issues should go to the list.
05:18 [chris]
joe: security should extend to transport
05:18 [TomCarrol]
Joe: would like to see security extend into the transport.
05:19 [chris]
q+ zulah davidb
05:19 [TomCarrol]
DaveO: What do you think of the Doc???
05:19 [Heather]
which part are we reviewing specifically right now
05:19 [David]
Heather, reviewing the outline and structure...
05:21 [TomCarrol]
Chris: Specifics go to the list, the goal now is to get agreement on the generalities.
05:21 [Heather]
in ibm we broke the wire stack into 3 'generic' topics: transport, packaging, extensions....
05:21 [Heather]
then we discuss soap in packaging
05:21 [Heather]
and headers in extensions
05:22 [Heather]
would this sort of organization help here?
05:23 [chris]
q+ allen heather
05:24 [TomCarrol]
JeffM: where is the web service?
05:25 [TomCarrol]
JeffM: How do these relate to the web Service?
05:25 [TomCarrol]
JeffM: How do the thing in the document relate to the web service?
05:26 [TomCarrol]
DaveO: Lets drill down on jeffMs point.
05:27 [TomCarrol]
JeffM: how much work is this group going to versus say security wg???
05:27 [TomCarrol]
Zula: Where the life cycle and conceptual model about services?
05:28 [chris]
ack zulah
05:28 [chris]
ack davidb
05:28 [chris]
ack jeff
05:28 [soliton]
can I be on the queue?
05:28 [chris]
ack allen
05:29 [soliton]
queue+
05:29 [jdmunter]
q+
05:29 [chris]
q+ daniel
05:29 [TomCarrol]
AllenBr: Security reaches through the depths as does reliability.
05:29 [jdmunter]
q-
05:29 [chris]
ack heather
05:30 [Heather]
see my earlier remarks on organizing around generic concepts in the wire stack
05:30 [TomCarrol]
AllenBr: anything that has end to end could be vertical
05:30 [chris]
ack soliton
05:30 [Heather]
transport/packaging/extensions...
05:30 [dbooth]
heather, would you mind putting your comments directly into this IRC channel?
05:30 [Heather]
I am, aren't I?
05:31 [dbooth]
oh, sorry, I see it was earlier.
05:31 [chris]
tomc relayed your previously posted comments
05:31 [chris]
ack daniel
05:31 [TomCarrol]
Soliton: The doc should have the high level concerns and their relationships
05:33 [TomCarrol]
Daniel: the "ilities" are all vertical and are broke out by domain and there are a number of them
05:33 [soliton]
hi, Daniel, can you also put my top level concerns on the flip chart?
05:33 [TomCarrol]
DaveB: the doc is a good start but the diagram does not work for me.
05:34 [dbooth]
s/does not work/does not have any meaning/
05:35 [soliton]
agree with DaveB
05:37 [TomCarrol]
chris: What are the characteristics of a web service?
05:37 [TomCarrol]
Daniel: What is the meta model??
05:38 [TomCarrol]
Mike: XML/semantic web is the whole box (conceptual model)/?
05:41 [TomCarrol]
Mike: We might want to group the ilities together?
05:41 [dbooth]
q+
05:44 [TomCarrol]
Daniel: why does the doc talk about the semantic web?
05:44 [Daniel]
Daniel notes in passing that the diagram needs to have 'semantic web' removed. this is road-recumbent issue
05:44 [TomCarrol]
Chris: that question can be discussed when the author is present.
05:45 [TomCarrol]
DaveO: what are the features that support the creation of a web service?
05:45 [soliton]
top level concerns: Interoperability,Reliability, Management, Web-friendly, Security
05:46 [soliton]
Scalability and Extensibility
05:46 [Daniel]
+extensibility
05:46 [Daniel]
+scalability
05:46 [Daniel]
LOL Zakim is an electronic moron
05:50 [soliton]
from the TLCs, we can see the merge of two important components: Management and security
05:52 [TomCarrol]
davidB: What is the universe? what is this thing? where does this thing fit in the universe?
05:52 [GlenD]
Just in time for the easy questions, Paul!
05:53 [soliton]
the universe starts from the big bang.
05:53 [Heather]
now we are boiling the universe... thats even worse than the ocean
05:53 [Daniel]
ROFL Heather
05:53 [soliton]
what is LOL?
05:53 [Heather]
laugh out loud
05:53 [dougb]
laughing out loud
05:54 [TomCarrol]
Glen: Are we trying to answer the distributed computing question?
05:54 [dbooth]
Soliton, see: http://searchwebmanagement.techtarget.com/sDefinition/0,,sid27_gci211776,00.html
05:55 [TomCarrol]
Daniel: Web services are a sub set of Dist. Computing.
05:56 [Heather]
we must certainly answer a lot of questions related to distributed computing at any rate....
05:56 [soliton]
THX, DB
05:57 [jdmunter]
I add a "+1" to heather's latest comment
06:00 [Heather]
tom.. whats going on...
06:01 [TomCarrol]
The discussion is revolving around the relationship between the web and web services
06:02 [TomCarrol]
specifically the scope the web services context
06:02 [TomCarrol]
Glen is talking about node interacting using infosets
06:03 [TomCarrol]
Heather: Does that help?
06:04 [Heather]
yes (watching a silent irc is hard at 6am :-) )
06:04 [TomCarrol]
Sorry, unskilled scribe
06:05 [Daniel]
Martin says we should levelrage Corba-like ideas for WS as well as web ideas
06:05 [Heather]
what is the gist of glen's point? that web services are nodes interacting using infosets? or that the web is?
06:05 [Daniel]
leverage even
06:05 [Heather]
i agree w/ martin...
06:05 [Daniel]
so do I...seems everyone does
06:08 [TomCarrol]
Daniel: Web services is a layer on the web stack
06:09 [Heather]
we should allow for the chance that web services will modify/expand existing layers of the web stack
06:09 [dougb]
Heather, the web versus web services discussion continues. Possibilities such as 'web services are a subset of the web', 'bringing COM/CORBA to the web', 'adding useful concepts from COM/CORBA to the web',...
06:09 [Heather]
we are adding new functionality to the web... it is possible that it won't cleanly layer
06:10 [TomCarrol]
JeffM: the problem space faced by Main frame application domain 20 years ago is similar to the one we face now.
06:10 [Daniel]
heather, that is just what I said :)
06:11 [Heather]
dougb... add web services are a superset of the web to the mix
06:13 [dougb]
another idea suggested in the room: looking at mistakes / problems from earlier attempts to solve distributed computing and attempting to avoid same
06:13 [Daniel]
it's clear that COM's problem was/is that it is proprietary
06:14 [Daniel]
CORBA's problem was that it added too much complexity
06:14 [Daniel]
and still didn't work right
06:15 [Daniel]
we need to avoid either overengineering the environment or making it so complex it is overexpensive
06:15 [Heather]
those could be the morals of the distributed computing fables.... but I'm sure there are MANY other lessons learned from our collective experience with distributed systems
06:16 [Daniel]
true heather...but I only have a single line interface to describe them! :)
06:16 [Daniel]
*the margins of IRC are too small to contain my solutions!*
06:16 [omh]
Hmm - CORBA was not really complex - major issues were the connected nature of the interactions and the requirement for client libraries...
06:17 [soliton]
loose coupling, loose coupling and loose coupling
06:17 [Heather]
avoiding overengineering is a noble goal
06:17 [soliton]
prefer messaging over RPC
06:17 [Heather]
catching the 80% first with simple approaches
06:17 [hugo]
q+ roger martin david
06:17 [Daniel]
q+ roger, martin, davidb
06:18 [jeffm]
messaging and RPC are equivalent
06:18 [hugo]
q= Dbooth, Roger, Martin, David
06:18 [dougb]
we've got a sheet containing a few other lessons: general issue described is 'end to end stuff addressed up front' with security, versioning and reliability as subtopics.
06:18 [jeffm]
the difference is in the failure modes and when failure occurs
06:18 [Daniel]
Jeff: no, RPC is just one kind of messaging, a subset
06:18 [dougb]
soliton's point about loose (versus tight) coupling also appears
06:18 [David]
DaveO Comment: architecture groups often fail because of not solving immediate problems...
06:18 [Daniel]
not equivalent
06:18 [TomCarrol]
DaveO: Past problem.. Trying to consider everything up front.
06:18 [soliton]
agree with Daniel
06:19 [Daniel]
DaveO is talking about the "Big Design Up Front" problem
06:19 [Zakim]
hugo, if you meant to query the queue, please say 'q?'; if you meant to replace the queue, please say 'queue= ...'
06:19 [Daniel]
iteration addresses this
06:19 [soliton]
ok, iterational design
06:19 [jeffm]
I can sort of agree. Except I *think* I can describe/implement everything a "messaging system" via an RPC system. And vice versa.
06:19 [Daniel]
in an unknown problem domain, BDUF will not work
06:20 [soliton]
that is true jeffm, you can always do anything with 0 and 1
06:20 [jeffm]
ok, ok - turing machines rule!
06:20 [TomCarrol]
Martin: the real problem is ensuring all the security hooks are in each level
06:21 [soliton]
but the point here is that an extensible messaging is better than strict RPC
06:21 [MChapman]
do all of us on here pass the turing test:-)
06:21 [dougb]
does Zakim?
06:21 [Daniel]
not me, everyone thinks I am a cold-blooded architectural machine! :)
06:21 [Heather]
but there are some messaging patterns that are hard for rpc to deal with...
06:22 [soliton]
from other people's point of view, we all sound like machines
06:22 [Heather]
multiple output response messages...
06:22 [dbooth]
zakim, do you pass the turing test?
06:22 [Zakim]
I don't understand your question, dbooth.
06:22 [TomCarrol]
DaveO: Are we going to run the group a by taking the union of the group or by taking the intersection of the group will all for more meaningfull work
06:22 [soliton]
hi, zakim, do you have feeling?
06:23 [soliton]
apparently, zakim fails the test.
06:23 [jeffm]
With "extensible messaging" (isn't all messaging "extensible") there are really only 2 operations (aka RPCs) get(bag of bytes) and send(bag of bytes)
06:23 [Heather]
apparently it does, you have insulted it and it's not talking to you
06:23 [dougb]
zakim, do you have feeling?
06:23 [Zakim]
I don't understand your question, dougb.
06:23 [jeffm]
The system is designed so that essentially get and send never fail.
06:24 [TomCarrol]
DaveO: Are we going to run the group a by taking the union of the group or by taking the intersection of the group will allow for more meaningful work
06:24 [Daniel]
lunchtime...saved by the bell
06:24 [jeffm]
Instead the failure occurs when you try to interpret a bag of bytes that you've never seen before and have no idea what to do with it
07:56 [hugo]
Meeting resumed
07:57 [Roger]
dbooth, take a look at http://www.opencyc.org
07:58 [dbooth]
Roger, here is the TAP site, the project at Stanford that has the demo of a semantic search: http://search.alpiri.com/wsi-bin/flek.wsp/tap?term=boston&method=search&locate=1&btnG=Search
07:58 [TomCarrol]
Review of the Glossary
07:59 [Heather]
ok I'm ready
07:59 [Heather]
anyone else out there remote from the F2F?
08:00 [zulah]
Tom, I can't take notes due to poor connection over here. Will fix and then take over
08:01 [Eric]
I'm remote
08:01 [mchampion]
I'm remote
08:01 [Eric]
I've dialed into the concall number but it says I'm the only one on it
08:01 [quit]
tom, I can take over with notes. Would you like this?
08:02 [Heather]
the phone in the room does not work
08:02 [Heather]
as far as i know there isn't any phone support... just IRC
08:02 [TomCarrol]
AllenBr: The glossary only contains the lexicon and as the document goes forward what structure should the glossary have? where do we draw the boundaries of the document? how are the ilities incorporated into the glossary?
08:02 [Heather]
so we are at their mercy for details...
08:02 [Dave]
zakim, Dave is DaveO
08:02 [Zakim]
sorry, Dave, I do not recognize a party named 'Dave'
08:02 [Dave]
zakim, Dave is known as DaveO
08:02 [Zakim]
I don't understand 'Dave is known as DaveO', Dave. Try /msg Zakim help
08:03 [Dave]
zakim help
08:03 [TomCarrol]
Daniel: are we going to share this glossary with the rest of the web services activity?
08:03 [Dave]
sigh
08:04 [dbooth]
zakim, help
08:04 [Zakim]
Please refer to http://www.w3.org/2001/12/zakim-irc-bot for more detailed help.
08:04 [Zakim]
Some of the commands I know are:
08:04 [Zakim]
xxx is yyy - establish yyy as the name of unknown party xxx
08:04 [Zakim]
if yyy is 'me' or 'I', your nick is substituted
08:04 [Zakim]
xxx may be yyy - establish yyy as possibly the name of unknown party xxx
08:04 [Zakim]
I am xxx - establish your nick as the name of unknown party xxx
08:04 [Zakim]
xxx holds yyy [, zzz ...] - establish xxx as a group name and yyy, etc. as participants within that group
08:04 [Zakim]
xxx also holds yyy - add yyy to the list of participants in group xxx
08:04 [Zakim]
who's here? - lists the participants on the phone
08:04 [Zakim]
who's muted? - lists the participants who are muted
08:04 [Zakim]
mute xxx - mutes party xxx (such that 60# will not work)
08:04 [Zakim]
unmute xxx - reverses the effect of "mute" and of 61#
08:04 [Zakim]
is xxx here? - reports whether a party named like xxx is present
08:04 [Zakim]
list conferences - reports the active conferences
08:04 [Zakim]
this is xxx - associates this channel with conference xxx
08:04 [Zakim]
excuse us - disconnects from the irc channel
08:04 [Zakim]
I last learned something new on $Date: 2002/06/14 12:43:57 $
08:04 [Dave]
zakim, I am DaveO
08:04 [Zakim]
sorry, Dave, I do not see a party named 'DaveO'
08:04 [hugo]
Dave, try /nick DaveO
08:05 [TomCarrol]
Chris: there is no canonical way to organize the glossary?
08:05 [mchampion]
Open the pod bay door, Zakim ... I can't do that Dave, you're planning to unplug me :-)
08:05 [DaveO]
wahoo
08:05 [hugo]
Zakim, only knows about people connected to the phone bridge
08:05 [Zakim]
I don't understand 'only knows about people connected to the phone bridge', hugo. Try /msg Zakim help
08:06 [DaveO]
*double sigh*
08:06 [scribe]
Chris: how self contained is this document (what is the scope of the glossary).
08:10 [zulah]
Tom, would you like me to take over scribing now? I seem to have my connect problems fixed.
08:11 [scribe]
What do we do with terms that have multiple definitions?
08:12 [scribe]
Allen: Each definition must be able to reference the author.
08:13 [scribe]
Joe: Once the term is in the glossary. the term would then be reserved.
08:14 [Heather]
words in dictionaries have multiple meanings in different contexts, wouldn't that be true for glossaries as well?
08:14 [scribe]
Joel: The glossary should have as much detail to clearly identify the definition of the term given its context.
08:15 [scribe]
Chris: a singular glossary provides single reference point for the associated working groups.
08:16 [scribe]
Roger: is keeping one glossary feasible, given the differences between the working groups?
08:16 [Heather]
i would think it would be feasible and NECESSARY within the web services activity
08:17 [scribe]
DavidB: Multiple definitions are possible and may be necessary. In the multiple def. case the context must be defined.
08:17 [Heather]
agreed
08:18 [chris]
source, context, owner/authorship, multiple definitions allowed, but not preferred
08:18 [Roger]
Heather - look at "Service" in the existing glossary.
08:18 [dbooth]
Another term for "context" is "field of use"
08:18 [Heather]
i'm looking at Service...
08:18 [Heather]
it says 'collection of endpoints'
08:18 [Roger]
There are two.
08:19 [scribe]
Chris: comments on the glossary should go to the list along with additions.
08:19 [Heather]
it would help if this were in alphabetical order
08:19 [scribe]
AllenBr: Please provide sources with your additions.
08:20 [Roger]
Stylesheets are envisaged yielding different organizations.
08:20 [dbooth]
Heather, Allen said he can generate alphabetical in the next pass.
08:20 [Heather]
so there are 3 definitions for service... 2 in that one and 1 on the first page
08:21 [Heather]
thank you allen
08:22 [Roger]
I just thought that they were amazingly different.
08:22 [scribe]
We are now talking about WS security working group
08:22 [Heather]
how are we reviewing the glossary? Term by term?
08:23 [scribe]
chris: How big is the WS security WG? what do we need to see in the group?
08:23 [scribe]
Joe: Let's start with the requirements that we already have.
08:24 [scribe]
Glen: We should be framing the security problem.
08:24 [zulah]
I am scribe
08:24 [zulah]
zakim, I am scribe
08:24 [Zakim]
sorry, zulah, I do not see a party named 'scribe'
08:25 [scribe]
Chris: the question is, do we see a ws working group as the working group that solves world hunger for mankind or a specific targeted focused WG?
08:25 [DaveO]
q+
08:25 [scribe]
Chris: somewhere between the two extremes?
08:25 [Daniel]
q+ daniel
08:25 [jeffm]
q+ jeffm
08:25 [Roger]
q+
08:25 [Heather]
q+ heather
08:26 [scribe]
DaveO: I made a pitch in email about what a rough starting set of requirements would be.
08:26 [joe]
q+
08:26 [scribe]
DaveO: Let's have a security group talk about a framework, details of a trust model, task it with specific technological solutions to authentication, integrity
08:26 [scribe]
DaveO: encryption
08:27 [scribe]
DaveO: knowing that there are others (e.g., Authorization, non repudiation),
08:27 [scribe]
DaveO: This is a starting point pitch
08:27 [mchapman]
q+
08:27 [scribe]
Daniel: Just in terms of the scope the ideas are good. We should confine the scope to not include world hunger. Confine it to security problems specific to WS architecture.
08:28 [scribe]
Daniel: Confine the scope as much as we can. Take advantage of others work
08:28 [scribe]
Chris: Just as a baseline, the WS activity is not chartered to go beyond the bounds of WS
08:28 [scribe]
Chris: So you are saying not world hunger even for web services?
08:28 [scribe]
Daniel: yes
08:29 [tomCarrol]
q+
08:29 [scribe]
JeffM: We have requirements, we should pick a subset of generally useful requirements (relevant subset)
08:29 [scribe]
JeffM: pick pieces and fill in terra incognita. Whatever set of requirements that we choose it must address an end to end case.
08:30 [scribe]
JeffM: it doesn't have to be all cases but one in depth
08:30 [scribe]
Roger: question? is there another axis? On one extreme you make up new languages and syntaxes, on the other there are existing solns. with recommendations on how to put them together.
08:30 [scribe]
Roger: Which is our job?
08:30 [DaveO]
q+
08:31 [scribe]
Chris: In making our recommendation we have the option to propose putting pieces together or additions, changes
08:31 [scribe]
Roger: No, will this group in the process of creating the architecture specify which pieces to make security work (specifically).
08:31 [scribe]
Chris: we cannot dictate soln. We can provide baseline.
08:32 [scribe]
Roger: No, will there be components of security solutions in the architecture?
08:32 [Daniel]
q+ Allen
08:33 [scribe]
Roger: DaveO: Say we decide that we should have a user name/password for authentication then we will say this in architecture and charter.
08:33 [scribe]
DaveO: If a WG tells us that we are wrong, we will fix it in the document.
08:33 [scribe]
Roger: If I am trying to implement WS and I use the arch document, will there be any answers in there for how I implement security?
08:34 [scribe]
Joe: General guidelines but more specific will come from security group.
08:34 [scribe]
Glen: In other words, not really just like we don't say specific things about implementing transactions.
08:34 [scribe]
Chris: But we can provide starting points (e.g., XML digital signatures exists, use it).
08:35 [scribe]
DaveO: What I think is being asked is what is the authority of the arch group in binding things? So if we say use Dig sign. is this authoritative.
08:35 [scribe]
Chris: At best we can influence.
08:35 [Daniel]
Heather you're up
08:36 [Heather]
k
08:36 [hugo]
I think that it depends on how our recommendations are phrased
08:36 [Heather]
I'm a little nervous about giving a new security wg carte blanche to develop a new security framework
08:36 [Heather]
it smacks of architecture groups having baby architecture groups
08:37 [Heather]
should we provide a 'broad framework' as part of our work
08:37 [Heather]
leaving them to figure out how to implement those components w/ existing specs and new specs?
08:37 [scribe]
Joe: Would like to help move the process along by returning to the six items from the requirements doc. 1) authentication, integrity, encryption, 2) authorization, 3) NR, 4) accessibility (DOS), 5) rest of the stuff in CSF and requirements. He suggests that this is the prioritization.
08:37 [Heather]
ok.. thats it
08:38 [scribe]
DaveO: I agree
08:38 [tomCarrol]
+1 on the framework
08:39 [Roger]
Heather, what did you mean by
08:39 [jeffm]
heather, you're stuff is up on the board
08:39 [scribe]
DaveO: I think that heather is getting at the fact that the framework has to have some detail to provide constraints. We are not writing a blank check.
08:39 [Roger]
"OK, that's it".
08:39 [jeffm]
s/you're/your
08:39 [chris]
q?
08:39 [chris]
ack heather, joe
08:39 [Heather]
by 'ok thats it' i meant </Heather>
08:39 [scribe]
Joe: We need to supply detail? Yes because this lends credibility.
08:39 [Heather]
or end of tirade
08:39 [Roger]
Thanx.
08:40 [scribe]
TomC: I was wondering if when we send a WG off to work, are we also going to provide a well defined process for making changes back into the architecture
08:40 [tomCarrol]
Mchapman you're up
08:41 [Daniel]
q+
08:41 [scribe]
Summary: We own framework, set context, but offer a process for feedback into changing the architecture.
08:41 [scribe]
Martin: Question is, when we charter the security group, do we pre-phase them or only charter them for a specific phase?
08:42 [tomCarrol]
q- TomCarrol
08:42 [scribe]
Daniel: this is how SOAP works today.
08:42 [scribe]
Summary: One working group with phasing (or re-chartering for each phase).
08:42 [scribe]
Martin: So what we should be debating is phase 1
08:42 [chris]
ack tomcarrol, mchapman
08:43 [Heather]
+1 for rechartering for phases
08:43 [dougb]
q+
08:43 [scribe]
OIsio: Point of process, needs to be some life after wreck process so that there is some formal manner to make changes.
08:43 [chris]
ack daveo
08:44 [scribe]
DaveO: How convenient. I asked TBL how amenable the director is to us rechartering in mid flight. He said go for it, no blank check but time to market is important. I interpret this as a broad endorsement to get this stuff out there.
08:45 [chris]
ack allen
08:45 [scribe]
DaveO: No change to the process document. It's the willingness of the AC.
08:45 [joe]
q+
08:46 [scribe]
DaveO: Process does not mean that we have to do things slowly
08:46 [scribe]
AllenB: There is another kind of structuring that comes from the overall architecture. You can imagine doing security at the messaging level. You can imagine role security at the orchestration level. These offer a basis for constraining what kinds of things are considered in each phase.
08:47 [scribe]
AllenB: So phase 1 could be messaging security.
08:47 [jeffm]
q+
08:47 [chris]
ack daniel
08:47 [scribe]
Joe: Good point. For his priorities, these can be done in multiple ways: messaging, etc.
08:48 [Heather]
define messaging security for me...
08:48 [GlenD]
security on a per-message basis
08:48 [scribe]
AllenB: So there is more than one dimension to this and we can look at the matrix and determine what we want to fill in.
08:48 [GlenD]
as opposed to securing a channel (ssl)
08:49 [chris]
ack dougb
08:49 [Heather]
could also match phase.... define their phase one in correspondence with our phase one
08:49 [mchapman]
q+
08:49 [GlenD]
phase-locked groups
08:49 [scribe]
Daniel: following Martin's earlier suggestion that we iterate on phases. We should pick the highest priority problems and ask the security group to address them in the first pass (and so on). Dave has identified the high priority items. We should phase as problem in priority (as opposed to as solutions).
08:50 [DaveO]
I think Allen proposed that there is another aspect of security, that there are the styles of security: message, connection, role based (e.g. for orchestration)
08:50 [scribe]
DougB: Have the security WG recognize the boxes that we provide them mapped to existing standards. Is that our job or some WGs job?
08:50 [scribe]
DaveO: Great.
08:51 [scribe]
DougB: Does the security group recognize existing standards and fill them into boxes or does the arch team do this (clarification)
08:51 [chris]
q?
08:51 [scribe]
DaveO: this came up on the tag. They felt that it was desirable for the arch group to provide details in fleshing out the scope of the box.
08:52 [scribe]
Chris: Again, all we can do is hope to influence.
08:52 [scribe]
Joe: Are we going to do the threat model in WSA or by the new WG?
08:53 [dougb]
higher level question Joe and I are getting at: Are we writing the security portions of our architecture document (referencing existing standards and the threat model) or is the Security WG doing that?
08:54 [scribe]
Chris: The order of the requirements document did not imply that we had prioritized.
08:54 [Heather]
if we are going to lay out the high level framework and boxes, we may have to do some level of threat model
08:54 [chris]
ack joe
08:54 [chris]
ack jeffm
08:55 [scribe]
JeffM: As part of this discussion, will we consider the end to end case. Pick a couple of scenarios as examples and do the analysis so that we scope this by end-to-end for specific technologies as opposed to just stating messaging security.
08:55 [scribe]
Chris: Did you mean use cases?
08:55 [scribe]
JeffM: yes, the high level ones.
08:55 [DaveO]
lol
08:56 [chris]
ack mchapman
08:56 [Daniel]
Dave loved that :)O
08:56 [Heather]
:-)
08:56 [scribe]
martin: even though we work at the same company ;) I want to really support this. Working solutions are important...
08:57 [scribe]
Chris: in our current scenarios we describe stack type stuff. Are you going vertical or horizontal?
08:57 [Daniel]
Dave and I used to be friends! that was back in XML-CORE days tho
08:57 [Daniel]
LOL
08:57 [scribe]
Martin: All the way down and then back up again.
08:58 [scribe]
Jeffm: When some people think end-to-end they think multiple hops, routing, etc. and that's not what I mean. What I mean is that whatever use case we pick, we do it end-to-end.
08:58 [scribe]
Chris: Do we care about multiple hops or is this phase 2?
08:59 [scribe]
Martin: What is multiple hops?
08:59 [DaveO]
It was the large trout aspect, not so much the recipient ;-). I do prefer salmon, but I'm from the west coast of Canada...
08:59 [DaveO]
q+
08:59 [scribe]
Martin: My point is that I want to see a full working solution between client and server as opposed to chunks of security that don't fit together.
08:59 [Heather]
security info propagation is going to be an immediate problem...
08:59 [Heather]
+1 to martin
09:00 [scribe]
DaveO: suggestion to deal with this is to do a use case and some usage scenarios that treat particular aspects of the end-to-end.
09:01 [dougb]
+1 to DaveO, subject seems to depend upon use case chosen to frame security WG / also appreciate Martin's extreme programming (extreme architecture?), continuously working process.
09:02 [maa-in]
+ extreme UML :-)
09:02 [Daniel]
it's nothing to do with extreme anything, it's basic UP iteration
09:02 [scribe]
Chris: Here's what I hear: Not boiling the ocean. Targeted. We have suggestions for different approaches or synergistic approaches for how we might determine prioritization. I sense a strong level of rough agreement as to end-to-end solutions. We have a notion of phases. that we start something off and it evolves. We may need overlap of working groups due to market forces.
09:03 [tomCarrol]
To be complete would we not need a complete set of use cases that describe a web service and use those for the context of the security WG??
09:03 [scribe]
chris: break at 3:30. Afternoon for use cases. Right now, could we given this ... pick a prioritized subset of Joe's and Allen's suggestions for a phase 1 charter? Can we do that now?
09:03 [scribe]
DaveO: We have at least one use case already - Hugo wrote it. Why don't we look at it and work the process?
09:04 [scribe]
martin: Let's narrow the use case for security aspects.
09:05 [scribe]
Chris: We have Joe's onion, let's focus on the core of the onion. and thinking about phase 1 only.
09:05 [tomCarrol]
Would we want to narrow the use case or would that be delegated to the security WG
09:05 [scribe]
Chris: How do we want to break up?
09:05 [scribe]
Daniel: want to tackle high priority stuff.
09:06 [scribe]
Roger: You could also (in parallel?) tackle the EDI use case
09:06 [scribe]
Chris: Of #1 (auth, integrity, confidentiality), what would go into a phase 2?
09:06 [scribe]
Joe: It is useless to do integrity and confidentiality alone.
09:07 [scribe]
Chris: So is #1 too broad, do we want to further narrow it?
09:07 [Daniel]
q+
09:07 [DaveO]
q-
09:08 [scribe]
Daniel: Maybe there is some low hanging fruit here because a great deal of work has been done on some of this (e.g., auth and authorization).
09:09 [chris]
ack daniel
09:09 [scribe]
DaveO: The solutions and how they deal with XML and the web have not been around. We are just starting to see first proposals on some of these.
09:10 [scribe]
Joe: More critical problem for XML encryption is key distribution. All we have talked about is message level security but channel level security has been around and that's low hanging fruit.
09:11 [scribe]
Daniel: I would rather talk about problems than solutions.
09:11 [scribe]
DaveO: but solutions introduce problems. So which of the new problems do we wish to tackle.
09:12 [scribe]
DaveO: the process model one is really interesting. This has come up with XML. Can or should an author be able to indicate the steps a recipient should do with a particular message...
09:12 [scribe]
DaveO: default processing model, explicit one... clearly in WS we have the same issue. How does a receiver specify the processing model that it will publish to the world.
09:13 [Daniel]
do we think we want to adopt/specify a particular processing model?
09:13 [scribe]
DaveO: e.g., i will do integrity checks after confidentiality. So sender must invert this. Security clearly introduces a processing model. We should stay away from tackling this right up front ("there be dragons").
09:14 [scribe]
Joe: true for message based but channel based already solved.
09:14 [scribe]
DaveO: Missed point, the order that you do things is either the canonical order or you have to publish processing order.
09:15 [scribe]
Chris: Okay, how are we going to divide up this work?
09:15 [scribe]
DaveO: suggest taking hugo's use case and then breaking it up around 3 scenarios (auth, integrity, and confidentiality).
09:15 [scribe]
Chris: Hugo, do you want to walk us through the use case?
09:16 [hugo]
Travel agent use case: http://www.w3.org/2002/06/ws-example.html
09:17 [scribe]
Chris: 15- 20 break...
09:18 [Heather]
whew!
09:44 [scribe]
Hugo: Will present travel agent use case.
09:44 [scribe]
Hugo: There is a customer that wants to use travel agents service to book vacation package. Travel agent service will use hotel and airline, credit card co. web services.
09:45 [scribe]
Hugo: I divided the use case into 4 usage scenarios. which are basically the steps that the whole thing will go through to book the vacation package.
09:45 [scribe]
Hugo: Of course I made simplifications - security is not considered at all.
09:45 [scribe]
Hugo: If you want to go step by step, it's complicated.
09:46 [scribe]
Roger: Wants to quibble. In talking to people who wanted to use web services. When dealing with credit card service, you are dealing with something that is already firmly in place and is not going to change.
09:46 [scribe]
Martin: So there are definitely actors, either people or external systems.
09:46 [scribe]
Roger: My point is that it is unlikely that these will operate as ws in the new future.
09:47 [scribe]
DaveO: Point is what things would look like using ws technology.
09:47 [scribe]
Roger: make this point because if you are prioritizing, some legs of a use case are unlikely to change in the near future so they are low priority.
09:48 [scribe]
Hugo: Even though parts of the use case won't be used for a very long time, they are still illustrative.
09:49 [scribe]
Hugo: User requests travel for some travel dates. Hugo has a complex diagram for this in his document. The customer provides the travel agent some travel dates and the service discovers airlines and then gets descriptions of how to interact with those. So the ontology thing means that the descriptions made sense to everyone (magic).
09:50 [scribe]
Hugo: So queries are made, results are returned, merged and sent to the customer. The customer chooses and the travel agent service books the flight.
09:50 [scribe]
Hugo: Then moves to the hotel reservation (which works much like the airline situation).
09:52 [scribe]
Hugo: From here, (purple stuff), when consumer books hotel, the travel service gives the customer payment options. The travel agent service interfaces with the credit company to get a guarantee of payment.
09:54 [scribe]
Hugo: At this point (Next diagram), the travel company has confirmation and then books the hotel with the credit information. Travel agent company creates vacation package and bill.
09:55 [scribe]
Hugo: Security wise, there is confidentiality, credit card company stuff (certificates and guarantee) - identity, encryption for credit card number.
09:55 [scribe]
Joe: Integrity would come into play since you don't want someone to change your data (london to paris) in transit. Authorization as well.
09:56 [scribe]
Roger: We have a system in our company that works exactly like this today. If we want to make this realistic, we could determine exactly how these work. There are all sorts of elaboration that happen in reality. For example people doing travel on behalf of another person.
09:57 [scribe]
DaveO: this is a great start. There are issues of communication, QOS, Orchestration, etc. I love the travel service kind of use case.
09:57 [jeffm]
+1
09:57 [scribe]
Joe: You can build this up. So you could add NR, etc.
09:57 [jeffm]
jeffm: +1
09:57 [scribe]
Martin: So, what's the end-to-end minimal thing that we need to do to make this secure. The customer looks up something and books, how do we make this minimally secure.
09:58 [scribe]
JeffM: Instead of taking the whole thing as an end-to-end we could take "little t" transactions and deal with each.
09:59 [scribe]
Jeffm: security group might be chartered for little enchilada as opposed to the whole thing (presumably staging).
09:59 [scribe]
Roger: The ordering has to do with what gets done first and what is needed first. There are portions of this that are cast in stone (the real world). Some of the example doesn't need to be dealt with in the near future.
10:00 [scribe]
TomC: I tend to agree with the Oracle crowd. At a certain level of abstraction, in order to identify the meaningful parts for a security WG we have to get to lower level parts of the use case.
10:01 [scribe]
Jeffm: explicitly not trying to determine which things have to be done first.
10:02 [jeffm]
To clarify: I'm suggesting that what is done first is the end-to-end security for the entire steel thread(s).
10:02 [scribe]
Chris: So if I want to pull this apart: How do we know that it's hugo, integrity, confidentiality,
10:03 [tomCarrol]
q+
10:03 [maa-in]
q+
10:03 [Roger]
q+
10:03 [scribe]
Thanks Jeff ;)
10:03 [chris]
ack tom
10:04 [chris]
q?
10:04 [DaveO]
q+
10:04 [jeffm]
Clarify(cont): The prioritization task is picking the "right set" of steel threads to scope the first phase.
10:05 [scribe]
Tom: familiar with the eprocurement scenario. You have to look at the small use cases one at a time. That is you don't get to pull the security areas out one at a time (integrity, authorization, etc.). Must find pertinent use cases in order to define a domain.
10:05 [scribe]
martin: You didn't mention authorization or permissions.
10:05 [scribe]
Chris: They are all there.
10:07 [scribe]
Chris: Key point is getting to the point that roger was making, we could do all of the security things (1-5) or...
10:07 [Martin]
q+
10:07 [tomCarrol]
q+
10:08 [scribe]
Chris: we could do them all, we can parallelize based on specific aspects. In terms of encryption where you have only a credit card number, did you really need XML encryption?
10:08 [scribe]
Joe: You could do this two ways (SSL is option).
10:09 [scribe]
Chris: Integrity is fundamental (due to multiple), authentication is fundamental, and confidentiality. can we focus on just these three.
10:10 [chris]
ack maa
10:10 [scribe]
Martin: The scenario has to touch on all of them otherwise you will miss something. The steel thread must address all points.
10:10 [hugo]
q+
10:10 [scribe]
Joe: This is what he was referring earlier to the minimal set.
10:10 [chris]
ack roger
10:11 [scribe]
Roger: Does not like the use case because he doesn't see the business driver.
10:11 [scribe]
Roger: sees apples and oranges of existing systems of different types. He really wants to show the EDI use case because it is different and the business drivers are clearly displayed.
10:11 [joe]
q+
10:11 [chris]
ack daveo
10:13 [scribe]
DaveO: In terms of the break up, another way to tease out requirements is to look at what is going on in terms of the channel (e.g., email). So this type of variability might be another way to go in terms of structuring this.
10:13 [chris]
ack martin
10:13 [scribe]
Martin: This use case represents 80% of what the web is used for.
10:13 [chris]
q+ jeffm
10:13 [chris]
ack tom
10:15 [scribe]
TomC: On Roger's point, views the use case as an abstraction (that is that you can abstract out the business portion - the travel agent). The trust model varies based on what side of the travel agent service I belong to. I have trust with suppliers that is completely different than with the general public. So security may be completely different and require completely different technical implementations.
10:15 [chris]
ack hugo
10:15 [scribe]
Hugo: Martin said that we should have a look at everything rather than limiting to the 3. If we have a look at everything, everything will be large (e.g., privacy).
10:16 [chris]
ack joe
10:17 [scribe]
Joe: Responds to Roger's use case comment. Can cover all of the security aspects with buying a book from Amazon.com. The EDI use case could be different because it is intranet.
10:17 [scribe]
Roger: Not intranet, it's an internet example!
10:17 [GlenD]
q+
10:17 [DaveO]
q+
10:18 [chris]
ack jeffm
10:18 [scribe]
Glend: two tiny comments. Regardless of whether the use case is connected to reality, it is still a useful scenario. Can we ask Roger to do a short description of his use case.
10:19 [chris]
ack glend
10:19 [chris]
q close
10:19 [scribe]
Roger: EDI like interaction between big and small company to purchase widgets it is interesting because small company has different capabilities and security aspects and guts happens when things go wrong.
10:20 [dbooth]
q?
10:20 [chris]
ack daveo
10:20 [scribe]
Mike: How does this use case differ from the travel agent?
10:20 [chris]
ignore q
10:20 [scribe]
Roger: Assumption here is that you have trusted partners.
10:20 [Martin]
q martin
10:20 [Martin]
q+
10:20 [chris]
zakim, ignore q
10:21 [Zakim]
I don't understand 'ignore q', chris. Try /msg Zakim help
10:21 [chris]
zakim, ignore queue
10:21 [Zakim]
ok, chris, I will ignore the speaker queue
10:21 [Martin]
+q
10:21 [jeffm]
+q
10:21 [scribe]
DaveO: I have built SOAP systems doing exactly this. If you take how vendors talk about ws. IBM developer site is example. They use travel, others use this example. This is a canonical example for doing WS.
10:21 [dbooth]
q+ jeffm
10:21 [jeffm]
jeffm wonders where chris is
10:22 [scribe]
chris: we don't have time to do the break outs. Suggests that we let Roger present his use case for 5-10 minutes.
10:24 [scribe]
Roger: I talked to our EDI people about what they actually do and how they would be interested in using web services and here's the scenario. You have a big company trying to buy widgets from a small mom and pop co with a big technology difference. We actually want to do this.
10:25 [scribe]
Roger: Actors: Engineer, business analyst, lots of people. mom and pop and uncle on weekends.
10:26 [scribe]
Roger: Request for purchase, purchase order, request for invoice, purchase, payment.
10:26 [hugo]
EDI use case: http://lists.w3.org/Archives/Public/www-ws-arch/2002May/att-0323/02-WS-EDI_Use_Case.htm
10:27 [scribe]
Roger: Focus is technical infrastructure not the business process. Payments are explicitly out of scope. Because banks have their own processes.
10:27 [scribe]
Roger: This is how process works when it works. This is less interesting than when it doesn't. He has a list of requirements, check the use case for details. It is required that messages are ordered and identified with unique ID but not sequenced.
10:28 [scribe]
Roger: Security problem: NR, accessibility, authentication. NR is a lower level than NR but higher than auditing because it is a trusted business partner. No one is going to court over a failure. You just need some way to determine what happened.
10:29 [scribe]
Roger: So you need to reconciliate. So, the problems in the process are the real meat. This is where people spend their time. Transaction log mismatch. At the end of each month the big co will send a list of messages received to small co. The response is checked against the back office to see if there is message agreement.
10:30 [dbooth]
q+
10:30 [dbooth]
q-
10:30 [scribe]
Roger: Second scenario is that small co thinks that they weren't paid (incorrectly). They didn't get a payment advise(?). So they got paid but they don't know it.
10:31 [scribe]
Roger: Big purchasing department ... big co sends copies of purchase information to little co, and then little co matches and determines that they were paid.
10:31 [scribe]
Roger: Finally, example where small co gets paid and this is similar to former.
10:31 [chris]
zakim, track queue
10:31 [Zakim]
ok, chris, I will track the speaker queue
10:31 [tomCarrol]
q+
10:31 [scribe]
Roger: Real important thing is to be able to determine what happened in the past.
10:31 [GlenD]
q+
10:32 [scribe]
Martin: This type of scenario is invaluable. Some things are not in the scope of web services. A lot of the use case is human use case.
10:33 [scribe]
Roger: I disagree. Differentiates (human from machine) based on log information needed vs. actual reconciliation.
10:33 [scribe]
Martin: What extra do we need to do to be able to prove that a payment was made (for example).
10:33 [chris]
ack martin
10:34 [scribe]
Roger: It is important that there is an agreed upon method for identifying messages (in time).
10:34 [chris]
ack tom
10:34 [scribe]
Roger: A standards query for getting digest of messages would be great.
10:35 [scribe]
TomC: Looks at the abstraction. The activity being performed is ... missed it
10:35 [dbooth]
Hmm, it sounds like he's talking about "unambiguously identifying things". Sounds a lot like URIs to me!
10:35 [chris]
ack tom
10:36 [scribe]
JeffM: If the requirement is to have a logging service, and the service has to support a DB query service then that is all that you need to say - that's a solution to the problem.
10:36 [chris]
ack glen
10:36 [tomCarrol]
q+
10:36 [scribe]
JeffM: doesn't see how the use case adds more to security.
10:36 [scribe]
Roger: I think that it is significant that the financial transactions are out of scope.
10:37 [Heather]
why are the financial transactions out of scope?
10:37 [chris]
q+ jeffm
10:38 [chris]
q+ zulah
10:38 [dboo-scri]
GlenD: There are lots of scenarios. I suggest we do something to move forward. We've chosen to drill through a use case. We'll do (1) vote for one of these use cases; or (2) tonight you guys can combine them.
10:38 [dboo-scri]
Roger: Or we could split and do both.
10:38 [DaveO]
q+
10:39 [dboo-scri]
Heather: why are the financial transactions out of scope?
10:39 [dboo-scri]
Roger: Because EDI people told me they weren't interested in it.
10:39 [dboo-scri]
s/EDI/my EDI/
10:39 [Heather]
why?
10:39 [Heather]
is there no interest from the financial industry to move to web services?
10:40 [dboo-scri]
Roger: Because it's done through the banks and the banks worry about it.
10:40 [chris]
because it gets handled by banks with lots of magical incantations
10:40 [jeffm]
roger says because his EDI people told him they didn't need to worry about it
10:40 [chris]
ack tom
10:40 [chris]
ack jeffm
10:41 [jeffm]
+q
10:41 [dboo-scri]
Tom: I think EDI has a lot of implementation issues. Reconciliation is tied to one side or the other -- not the technology.
10:41 [dougb]
q+
10:41 [dboo-scri]
Roger: There's a fine line btwn business side and tech side.
10:42 [dboo-scri]
JeffM: We have two proposals for scenarios. Do we need to choose? Talk more?
10:42 [DaveO]
q-
10:42 [dboo-scri]
Roger: If we have to choose, I prefer Hugo's, because it covers more of the arch.
10:43 [tomCarrol]
q+
10:43 [dboo-scri]
Doug: Hugo's use case is a superset of Roger's. At some point the main WS will order something from the hotel.
10:43 [chris]
ack all
10:43 [chris]
zakim, ignore queue
10:43 [Zakim]
ok, chris, I will ignore the speaker queue
10:44 [dboo-scri]
Tom: We're making assumptions about Hugo's scenario. Until you refine those smaller use cases, you'll never know.
10:44 [dboo-scri]
... There are a lot of assumptions about what's going on.
10:44 [dboo-scri]
Joe: I agree.
10:46 [dboo-scri]
Chris: Straw poll: Should we tackle both use cases or only one?
10:46 [dboo-scri]
(Result of poll was roughly equal)
10:47 [tomCarrol]
q+
10:47 [Heather]
just travel
10:47 [chris]
what are you doing in rahliegh?
10:47 [DaveO]
q+
10:47 [chris]
cant spell
10:47 [jeffm]
q+
10:48 [Heather]
are you going to break out?
10:48 [GlenD]
q+
10:48 [zulah]
Not today we aren't
10:48 [dboo-scri]
Tom: If we decide to split up based on various aspects of security, then we'll get more benefit out of looking at only one case.
10:48 [soliton]
hi, Zula and Heather,
10:48 [soliton]
are we still doing the reliability meeting?
10:49 [Martin]
q+
10:49 [dboo-scri]
GlenD: You'll never get all the way to the bottom.
10:49 [zulah]
Are we? I'm tired and would like to be out of here at 5:30-6ish.
10:49 [DaveO]
q?
10:49 [Heather]
soliton, sure
10:49 [Daniel]
no luck, it's use cases all the way down
10:49 [Heather]
but, i admit to being tired as well
10:49 [dboo-scri]
DBooth: Could they be adequately combined?
10:49 [zulah]
Okay, then, can we make it short and depending on whether or not this completes?
10:49 [dboo-scri]
Roger: I don't think so.
10:50 [dboo-scri]
Chris: Straw poll: Who votes for Hugo's versus Roger's?
10:50 [dboo-scri]
(Result: Unanimous for Hugo's)
10:50 [Heather]
heather votes for hugo's too
10:50 [soliton]
ok, if this meeting does not drag too long.
10:51 [DaveO]
q?
10:51 [dboo-scri]
Chris: So I'd like to break up and look end-to-end at these various security aspects by breaking into groups.
10:51 [dboo-scri]
... People should look at Hugo's use case and scenarios, such as HTTP.
10:51 [dboo-scri]
GlenD: What will be the end result?
10:52 [dboo-scri]
Chris: Do we have the right usage scenarios? Do they articulate the security constraints? Do they identify where we need to fill in the gaps? I'd like to see that.
10:52 [dboo-scri]
... So we can use that for the end of tomorrow morning, for prioritization.
10:53 [dboo-scri]
Roger: I suggest we make one of the hotels be a small B&B.
10:53 [dboo-scri]
Others: good idea.
10:54 [dboo-scri]
GlenD: We should leave the choice of particular implementations up to the groups doing them.
10:54 [dboo-scri]
... The MEP matters if you do channel level security, but for authorization it doesn't.
10:54 [dboo-scri]
... Any implementation detail should be left to the group doing it.
10:55 [dboo-scri]
Chris: But I want enough info out of this for valid usage scenarios to charter new WGs.
10:56 [dboo-scri]
GlenD: But depending on the implementation decisions, the security issues can change very much. Therefore I want to leave it to the groups doing it.
10:56 [dboo-scri]
Joe: As long as we cover all of the security aspects I'll know if the solution is ok.
10:57 [dboo-scri]
Glend: There may be times that you'd need to posit "now we're using HTTP".
10:58 [dboo-scri]
Chris: So tomorrow, Martin will lead one group, GlenD another, DaveO another.
11:00 [dboo-scri]
Chris: Martin does Authentication, GlenD does Integrity, DaveO does Confidentiality.
11:00 [dboo-scri]
MarkB: Is there something for a third party trust relationship?
11:02 [dboo-scri]
Chris: We're focusing on a phased approach for chartering WGs. Objective is to ID the scope of the 1st phase WGs.
11:02 [dboo-scri]
MarkB: At what point would that be addressed?
11:02 [dboo-scri]
Chris: We have until mid July.
11:03 [dboo-scri]
.. We should come up with 6 bullet items that you might see in a charter.
11:03 [dboo-scri]
MarkB: I think we need to address the a priori interface for the 3rd party case.
11:04 [dboo-scri]
DaveO: There are at least 3 scenarios: #63, 64, 61, 62.
11:04 [chris]
s63 authn, s64 integrity, s61& s62 confidentiality
11:05 [dboo-scri]
... Those point to solutions, but they identify the things.
11:05 [dboo-scri]
... But this would be the place to plunk our results.
11:05 [dboo-scri]
MarkB: I can bring up my case in that context.
11:05 [Daniel]
take care all
11:06 [dboo-scri]
[Meeting adjourned]
11:06 [soliton]
ok, zula and Heather, we have a quick one on reliability
11:06 [soliton]
anyone else ?
11:06 [zulah]
Break quickly and then I suggest we take up AC007.
11:07 [soliton]
agree
11:07 [soliton]
5 minutes.
11:07 [Heather]
ok
11:10 [soliton]
anyone else from the Reliability task force?
11:11 [Heather]
im here
11:40:01 [RRSAgent]
RRSAgent has joined #ws-arch
11:47:51 [mikem]
mikem has joined #ws-arch
11:51:48 [Eric]
Eric has joined #ws-arch
11:52:48 [MChapman]
just about to begin again
11:54:00 [hugo]
TAP demo: http://tap.stanford.edu/cgi-bin/w3csearch.pl?q=eric+miller&sitesearch=w3.org
11:54:15 [quit]
quit has joined #ws-arch
11:54:41 [quit]
quit has left #ws-arch
11:55:06 [zulah]
zulah has joined #ws-arch
11:57:49 [dougb]
dougb has joined #ws-arch
11:58:02 [chris]
chris has joined #ws-arch
11:58:56 [shishir]
shishir has joined #ws-arch
11:59:12 [hugo]
Meeting resumed
11:59:22 [jdmunter]
jdmunter has joined #ws-arch
11:59:34 [jeffm]
jeffm has joined #WS-Arch
11:59:50 [dbooth]
dbooth has joined #ws-arch
12:00:32 [Roger]
dbooth, take a look at http://www.opencyc.org
12:00:52 [dbooth]
Roger, here is the TAP site, the project at Stanford that has the demo of a semantic search: http://search.alpiri.com/wsi-bin/flek.wsp/tap?term=boston&method=search&locate=1&btnG=Search
12:01:19 [TomCarrol]
Review of the Glossary
12:02:24 [Heather]
ok I'm ready
12:02:32 [zulah]
zulah has joined #ws-arch
12:02:33 [Heather]
anyone else out there remote from the F2F?
12:03:03 [zulah]
Tom, I can't take notes due to poor connection over here. Will fix and then take over
12:03:49 [quit]
quit has joined #ws-arch
12:03:52 [Eric]
I'm remote
12:03:56 [mchampion]
I'm remote
12:04:33 [Eric]
I've dialed into the concall number but it says I'm the only one on it
12:04:34 [quit]
tom, I can take over with notes. Would you like this?
12:04:43 [Dave]
Dave has joined #ws-arch
12:04:59 [Heather]
the phone in the room does not work
12:05:06 [quit]
quit has left #ws-arch
12:05:10 [Heather]
as far as i know there isn't any phone support... just IRC
12:05:13 [TomCarrol]
AllenBr: The glossary only contains the lexicon and as the document goes forward what structure should the glossary have? where do we draw the boundaries of the document? how are the ilities incorporated into the glossary?
12:05:23 [zulah]
zulah has joined #ws-arch
12:05:27 [Heather]
so we are at their mercy for details...
12:05:28 [Dave]
zakim, Dave is DaveO
12:05:29 [Zakim]
sorry, Dave, I do not recognize a party named 'Dave'
12:05:39 [Dave]
zakim, Dave is known as DaveO
12:05:40 [Zakim]
I don't understand 'Dave is known as DaveO', Dave. Try /msg Zakim help
12:06:07 [Dave]
zakim help
12:06:07 [TomCarrol]
Daniel: are we going to share this glossary with the rest of the web services activity?
12:06:20 [Dave]
sigh
12:06:45 [dbooth]
zakim, help
12:06:46 [Zakim]
Please refer to http://www.w3.org/2001/12/zakim-irc-bot for more detailed help.
12:06:47 [Zakim]
Some of the commands I know are:
12:06:48 [Zakim]
xxx is yyy - establish yyy as the name of unknown party xxx
12:06:51 [Zakim]
if yyy is 'me' or 'I', your nick is substituted
12:06:52 [Zakim]
xxx may be yyy - establish yyy as possibly the name of unknown party xxx
12:06:54 [Zakim]
I am xxx - establish your nick as the name of unknown party xxx
12:06:56 [Zakim]
xxx holds yyy [, zzz ...] - establish xxx as a group name and yyy, etc. as participants within that group
12:06:58 [Zakim]
xxx also holds yyy - add yyy to the list of participants in group xxx
12:07:01 [Zakim]
who's here? - lists the participants on the phone
12:07:02 [Zakim]
who's muted? - lists the participants who are muted
12:07:04 [Zakim]
mute xxx - mutes party xxx (such that 60# will not work)
12:07:06 [Zakim]
unmute xxx - reverses the effect of "mute" and of 61#
12:07:08 [Zakim]
is xxx here? - reports whether a party named like xxx is present
12:07:10 [Zakim]
list conferences - reports the active conferences
12:07:11 [Zakim]
this is xxx - associates this channel with conference xxx
12:07:12 [Zakim]
excuse us - disconnects from the irc channel
12:07:13 [Zakim]
I last learned something new on $Date: 2002/06/10 13:18:51 $
12:07:27 [Dave]
zakim, I am DaveO
12:07:28 [Zakim]
sorry, Dave, I do not see a party named 'DaveO'
12:07:42 [hugo]
Dave, try /nick DaveO
12:07:48 [TomCarrol]
Chris: there is no canonical way to organize the glossary?
12:07:54 [mchampion]
Open the pod bay door, Zakim ... I can't do that Dave, you're planning to unplug me :-)
12:08:03 [DaveO]
wahoo
12:08:25 [hugo]
Zakim, only knows about people connected to the phone bridge
12:08:26 [Zakim]
I don't understand 'only knows about people connected to the phone bridge', hugo. Try /msg Zakim help
12:08:48 [DaveO]
*double sigh*
12:09:41 [scribe]
Chris: how self contained is this document (what is the scope of the glossary).
12:10:09 [cgi-irc]
cgi-irc has joined #ws-arch
12:13:09 [zulah]
Tom, would you like me to take over scribing now? I seem to have my connect problems fixed.
12:13:22 [omh]
omh has joined #ws-arch
12:14:29 [scribe]
What do we do with terms that have multiple definitions?
12:15:01 [scribe]
Allen: Each definition must be able to reference the author.
12:16:27 [scribe]
Joe: Once the term is in the glossary, the term would then be reserved.
12:17:18 [Heather]
words in dictionaries have multiple meanings in different contexts, wouldn't that be true for glossaries as well?
12:17:27 [scribe]
Joel: The glossary should have as much detail to clearly identify the definition of the term given its context.
12:18:34 [scribe]
Chris: a singular glossary provides single reference point for the associated working groups.
12:19:23 [scribe]
Roger: is keeping one glossary feasible, given the differences between the working groups?
12:19:43 [Heather]
i would think it would be feasible and NECESSARY within the web services activity
12:20:20 [scribe]
DavidB: Multiple definitions are possible and may be necessary. In the multiple def. case the context must be defined.
12:20:36 [Heather]
agreed
12:20:47 [chris]
source, context, owner/authorship, multiple definitions allowed, but not preferred
12:20:59 [Roger]
Heather - look at "Service" in the existing glossary.
12:21:17 [dbooth]
Another term for "context" is "field of use"
12:21:30 [Heather]
i'm looking at Service...
12:21:37 [Heather]
it says 'collection of endpoints'
12:21:41 [Roger]
There are two.
12:22:13 [scribe]
Chris: comments on the glossary should go to the list along with additions.
12:22:37 [Heather]
it would help if this were in alphabetical order
12:22:43 [scribe]
AllenBr: Please provide sources with your additions.
12:23:11 [Roger]
Stylesheets are envisaged yielding different organizations.
12:23:15 [dbooth]
Heather, Allen said he can generate alphabetical in the next pass.
12:23:27 [JensM]
JensM has joined #ws-arch
12:23:36 [Heather]
so there are 3 definitions for service... 2 in that one and 1 on the first page
12:23:53 [Heather]
thankyou allen
12:25:14 [Roger]
I just thought that they were amazingly different.
12:25:15 [scribe]
We are now talking about WS security working group
12:25:29 [Heather]
how are we reviewing the glossary? Term by term?
12:26:01 [scribe]
chris: How big is the WS security WG? what do we need to see in the group?
12:26:21 [scribe]
Joe: Lets start with the requirements that we already have.
12:26:48 [scribe]
Glen: We should be framing the security problem.
12:27:05 [zulah]
I am scribe
12:27:15 [zulah]
zakim, I am scribe
12:27:17 [Zakim]
sorry, zulah, I do not see a party named 'scribe'
12:28:06 [scribe]
Chris: the question is, do we see a ws working group as the working group that solves world hunger for mankind or a specific targeted focused WG?
12:28:20 [DaveO]
q+
12:28:21 [scribe]
Chris: somewhere between the two extremes?
12:28:23 [Daniel]
q+ daniel
12:28:29 [jeffm]
q+ jeffm
12:28:29 [Roger]
q+
12:28:36 [Heather]
q+ heather
12:28:49 [scribe]
DaveO: I made a pitch in email about what a rough starting set of requirements would be.
12:29:09 [joe]
q+
12:29:26 [scribe]
DaveO: Let's have a security group talk about a framework, details of a trust model, task it with specific technological solutions to authentication, integrity
12:29:35 [scribe]
DaveO: encryption
12:29:57 [scribe]
DaveO: knowing that there are others (e.g., Authorization, non repudiation),
12:30:13 [scribe]
DaveO: This is a starting point pitch
12:30:19 [mchapman]
q+
12:30:40 [scribe]
Daniel: Just in terms of the scope the ideas are good. We should confine the scope to not include world hunger. Confine it to security problems specific to WS architecture.
12:30:59 [scribe]
Daniel: Confine the scope as much as we can. Take advantage of others work
12:31:14 [scribe]
Chris: Just as a baseline, the WS activity is not chartered to go beyond the bounds of WS
12:31:32 [scribe]
Chris: So you are saying not world hunger even for web services?
12:31:36 [scribe]
Daniel: yes
12:32:00 [tomCarrol]
q+
12:32:04 [scribe]
JeffM: We have requirements, we should pick a subset of generally useful requirements (relevant subset)
12:32:29 [scribe]
JeffM: pick pieces and fill in terra incognita. Whatever set of requirements that we choose it must address an end to end case.
12:32:48 [scribe]
JeffM: it doesn't have to be all cases but one in depth
12:33:26 [scribe]
Roger: question? is there another axis? On one extreme you make up new languages and syntaxes, on the other there are existing solns. with recommendations on how to put them together.
12:33:35 [scribe]
Roger: Which is our job?
12:33:37 [DaveO]
q+
12:34:02 [scribe]
Chris: In making our recommendation we have the option to propose putting pieces together or additions, changes
12:34:27 [scribe]
Roger: No, will this group in the process of creating the architecture specify which pieces to make security work (specifically).
12:34:39 [scribe]
Chris: we cannot dictate soln. We can provide baseline.
12:35:01 [scribe]
Roger: No, will there be components of security solutions in the architecture?
12:35:16 [Daniel]
q+ Allen
12:35:50 [scribe]
Roger: DaveO: Say we decide that we should have a user name/password for authentication then we will say this in architecture and charter.
12:36:06 [scribe]
DaveO: If a WG tells us that we are wrong, we will fix it in the document.
12:36:35 [scribe]
Roger: If I am trying to implement WS and I use the arch document, will there be any answers in there for how I implement security?
12:36:49 [scribe]
Joe: General guidelines but more specific will come from security group.
12:37:06 [scribe]
Glen: In other words, not really just like we don't say specific things about implementing transactions.
12:37:25 [scribe]
Chris: But we can provide starting points (e.g., XML digital signatures exists, use it).
12:38:17 [scribe]
DaveO: What I think is being asked is what is the authority of the arch group in binding things? So if we say use Dig sign. is this authoritative.
12:38:22 [scribe]
Chris: At best we can influence.
12:38:37 [Daniel]
Heather you're up
12:38:46 [Heather]
k
12:38:48 [hugo]
I think that it depends on how our recommendations are phrased
12:39:09 [Heather]
I'm a little nervous about giving a new security wg carte blanche to develop a new security framework
12:39:26 [Heather]
it smacks of architecture groups having baby architecture groups
12:39:54 [Heather]
should we provide a 'broad framework' as part of our work
12:40:12 [Heather]
leaving them to figure out how to implement those components w/ existing specs and new specs?
12:40:33 [scribe]
Joe: Would like to help move the process along by returning to the six items from the requirements doc. 1) authentication, integrity, encryption, 2) authorization, 3) NR, 4) accessibility (DOS), 5) rest of the stuff in CSF and requirements. He suggests that this is the prioritization.
12:40:35 [Heather]
ok.. thats it
12:41:19 [scribe]
DaveO: I agree
12:41:43 [tomCarrol]
+1 on the framework
12:41:53 [Roger]
Heather, what did you mean by
12:41:56 [jeffm]
heather, you're stuff is up on the board
12:41:58 [scribe]
DaveO: I think that heather is getting at the fact that the framework has to have some detail to provide constraints. We are not writing a blank check.
12:42:01 [Roger]
"OK, that's it".
12:42:05 [jeffm]
s/you're/your
12:42:07 [chris]
q?
12:42:16 [chris]
ack heather, joe
12:42:25 [Heather]
by 'ok thats it' i meant </Heather>
12:42:28 [scribe]
Joe: We need to supply detail? Yes because this lends credibility.
12:42:32 [Heather]
or end of tirade
12:42:40 [Roger]
Thanx.
12:43:18 [scribe]
TomC: I was wondering if when we send a WG off to work, are we also going to provide a well defined process for making changes back into the architecture
12:43:38 [tomCarrol]
Mchapman you're up
12:44:03 [Daniel]
q+
12:44:08 [scribe]
Summary: We own framework, set context, but offer a process for feedback into changing the architecture.
12:44:43 [scribe]
Martin: Question is, when we charter the security group, do we pre-phase them or only charter them for a specific phase?
12:44:52 [tomCarrol]
q- TomCarrol
12:45:01 [scribe]
Daniel: this is how SOAP works today.
12:45:20 [scribe]
Summary: One working group with phasing (or re-chartering for each phase).
12:45:29 [scribe]
Martin: So what we should be debating is phase 1
12:45:32 [chris]
ack tomcarrol, mchapman
12:45:49 [Heather]
+1 for rechartering for phases
12:46:17 [dougb]
q+
12:46:25 [scribe]
OIsio: Point of process, needs to be some life after wreck process so that there is some formal manner to make changes.
12:46:29 [chris]
ack daveo
12:47:33 [scribe]
DaveO: How convenient. I asked TBL how amenable the director is to us rechartering in mid flight. He said go for it, no blank check but time to market is important. I interpret this as a broad endorsement to get this stuff out there.
12:48:01 [chris]
ack allen
12:48:12 [scribe]
DaveO: No change to the process document. It's the willingness of the AC.
12:48:43 [joe]
q+
12:48:46 [scribe]
DaveO: Process does not mean that we have to do things slowly
12:49:43 [scribe]
AllenB: There is another kind of structuring that comes from the overall architecture. You can imagine doing security at the messaging level. You can imagine role security at the orchestration level. These offer a basis for constraining what kinds of things are considered in each phase.
12:49:54 [scribe]
AllenB: So phase 1 could be messaging security.
12:50:28 [jeffm]
q+
12:50:33 [chris]
ack daniel
12:50:34 [scribe]
Joe: Good point. For his priorities, these can be done in multiple ways: messaging, etc.
12:50:45 [Heather]
define messaging security for me...
12:51:22 [GlenD]
security on a per-message basis
12:51:28 [scribe]
AllenB: So there is more than one dimension to this and we can look at the matrix and determine what we want to fill in.
12:51:30 [GlenD]
as opposed to securing a channel (ssl)
12:52:12 [chris]
ack dougb
12:52:15 [Heather]
could also match phase.... define their phase one in correspondence with our phase one
12:52:32 [mchapman]
q+
12:52:34 [GlenD]
phase-locked groups
12:52:36 [scribe]
Daniel: following Martin's earlier suggestion that we iterate on phases. We should pick the highest priority problems and ask the security group to address them in the first pass (and so on). Dave has identified the high priority items. We should phase as problem in priority (as opposed to as solutions).
12:52:54 [DaveO]
I think Allen proposed that there is another aspect of security, that there are the styles of security: message, connection, role based (e.g. for orchestration)
12:53:05 [scribe]
DougB: Have the security WG recognize the boxes that we provide them mapped to existing standards. Is that our job or some WGs job?
12:53:18 [scribe]
DaveO: Great.
12:53:45 [scribe]
DougB: Does the security group recognize existing standards and fill them into boxes or does the arch team do this (clarification)
12:54:13 [chris]
q?
12:54:35 [scribe]
DaveO: this came up on the tag. They felt that it was desirable for the arch group to provide details in fleshing out the scope of the box.
12:54:56 [scribe]
Chris: Again, all we can do is hope to influence.
12:55:43 [scribe]
Joe: Are we going to do the threat model in WSA or by the new WG?
12:56:38 [dougb]
higher level question Joe and I are getting at: Are we writing the security portions of our architecture document (referencing existing standards and the threat model) or is the Security WG doing that?
12:56:47 [scribe]
Chris: The order of the requirements document did not imply that we had prioritized.
12:56:47 [Heather]
if we are going to lay out the high level framework and boxes, we may have to do some level of threat model
12:56:52 [chris]
ack joe
12:57:02 [chris]
ack jeffm
12:58:00 [scribe]
JeffM: As part of this discussion, will we consider the end to end case. Pick a couple of scenarios as examples and do the analysis so that we scope this by end-to-end for specific technologies as opposed to just stating messaging security.
12:58:15 [scribe]
Chris: Did you mean use cases?
12:58:22 [scribe]
JeffM: yes, the high level ones.
12:58:40 [DaveO]
lol
12:58:59 [chris]
ack mchapman
12:59:17 [Daniel]
Dave loved that :)O
12:59:24 [Heather]
:-)
12:59:35 [scribe]
martin: even though we work at the same company ;) I want to really support this. Working solutions are important...
13:00:05 [scribe]
Chris: in our current scenarios we describe stack type stuff. Are you going vertical or horizontal?
13:00:11 [Daniel]
Dave and I used to be friends! that was back in XML-CORE days tho
13:00:14 [Daniel]
LOL
13:00:16 [scribe]
Martin: All the way down and then back up again.
13:01:32 [scribe]
Jeffm: When some people think end-to-end they think multiple hops, routing, etc. and that's not what I mean. What I mean is that whatever use case we pick, we do it end-to-end.
13:01:43 [scribe]
Chris: Do we care about multiple hops or is this phase 2?
13:01:51 [scribe]
Martin: What is multiple hops?
13:02:06 [DaveO]
It was the large trout aspect, not so much the recipient ;-). I do prefer salmon, but I'm from the west coast of Canada...
13:02:17 [DaveO]
q+
13:02:26 [scribe]
Martin: My point is that I want to see a full working solution between client and server as opposed to chunks of security that don't fit together.
13:02:29 [Heather]
security info propagation is going to be an immediate problem...
13:02:42 [Heather]
+1 to martin
13:02:59 [scribe]
DaveO: suggestion to deal with this is to do a use case and some usage scenarios that treat particular aspects of the end-to-end.
13:04:03 [dougb]
+1 to DaveO, subject seems to depend upon use case chosen to frame security WG / also appreciate Martin's extreme programming (extreme architecture?), continuously working process.
13:04:52 [maa-in]
+ extreme UML :-)
13:04:58 [Daniel]
it's nothing to do with extreme anything, it's basic UP iteration
13:05:04 [scribe]
Chris: Here's what I hear: Not boiling the ocean. Targeted. We have suggestions for different approaches or synergistic approaches for how we might determine prioritization. I sense a strong level of rough agreement as to end-to-end solutions. We have a notion of phases, that we start something off and it evolves. We may need overlap of working groups due to market forces.
13:06:09 [tomCarrol]
To be complete would we not need a complete set of use cases that describe a web service and use those for the context of the security WG??
13:06:12 [scribe]
chris: break at 3:30. Afternoon for use cases. Right now, could we given this ... pick a prioritized subset of Joe's and Allen's suggestions for a phase 1 charter? Can we do that now?
13:06:39 [scribe]
DaveO: We have at least one use case already - Hugo wrote it. Why don't we look at it and work the process?
13:06:58 [scribe]
martin: Let's narrow the use case for security aspects.
13:07:50 [scribe]
Chris: We have Joe's onion, let's focus on the core of the onion. and thinking about phase 1 only.
13:07:52 [tomCarrol]
Would we want to narrow the use case or would that be delegated to the security WG
13:08:27 [scribe]
Chris: How do we want to break up?
13:08:39 [scribe]
Daniel: want to tackle high priority stuff.
13:08:51 [scribe]
Roger: You could also (in parallel?) tackle the EDI use case
13:09:29 [scribe]
Chris: Of #1 (auth, integrity, confidentiality), what would go into a phase 2?
13:09:41 [scribe]
Joe: It is useless to do integrity and confidentiality alone.
13:10:23 [scribe]
Chris: So is #1 too broad, do we want to further narrow it?
13:10:28 [Daniel]
q+
13:10:37 [DaveO]
q-
13:11:42 [scribe]
Daniel: Maybe there is some low hanging fruit here because a great deal of work has been done on some of this (e.g., auth and authorization).
13:11:47 [chris]
ack daniel
13:12:38 [scribe]
DaveO: The solutions and how they deal with XML and the web have not been around. We are just starting to see first proposals on some of these.
13:13:41 [scribe]
Joe: More critical problem for XML encryption is key distribution. All we have talked about is message level security but channel level security has been around and that's low hanging fruit.
13:13:58 [scribe]
Daniel: I would rather talk about problems than solutions.
13:14:16 [scribe]
DaveO: but solutions introduce problems. So which of the new problems do we wish to tackle.
13:15:05 [scribe]
DaveO: the process model one is really interesting. This has come up with XML. Can or should an author be able to indicate the steps a recipient should do with a particular message...
13:15:36 [scribe]
DaveO: default processing model, explicit one... clearly in WS we have the same issue. How does a receiver specify the processing model that it will publish to the world.
13:15:53 [Daniel]
do we think we want to adopt/specify a particular processing model?
13:16:24 [scribe]
DaveO: e.g., i will do integrity checks after confidentiality. So sender must invert this. Security clearly introduces a processing model. We should stay away from tackling this right up front ("there be dragons").
13:16:45 [scribe]
Joe: true for message based but channel based already solved.
13:17:05 [scribe]
DaveO: Missed point, the order that you do things is either the canonical order or you have to publish processing order.
13:18:02 [scribe]
Chris: Okay, how are we going to divide up this work?
13:18:29 [scribe]
DaveO: suggest taking hugo's use case and then breaking it up around 3 scenarios (auth, integrity, and confidentiality).
13:18:42 [scribe]
Chris: Hugo, do you want to walk us through the use case?
13:18:45 [hugo]
Travel agent use case: http://www.w3.org/2002/06/ws-example.html
13:20:17 [scribe]
Chris: 15- 20 break...
13:21:43 [Heather]
whew!
13:35:48 [dougb]
dougb has joined #ws-arch
13:46:45 [scribe]
Hugo: Will present travel agent use case.
13:47:38 [scribe]
Hugo: There is a customer that wants to use travel agent's service to book vacation package. Travel agent service will use hotel and airline, credit card co. web services.
13:48:02 [scribe]
Hugo: I divided the use case into 4 usage scenarios. which are basically the steps that the whole thing will go through to book the vacation package.
13:48:18 [scribe]
Hugo: Of course I made simplifications - security is not considered at all.
13:48:29 [scribe]
Hugo: If you want to go step by step, it's complicated.
13:49:08 [scribe]
Roger: Wants to quibble. In talking to people who wanted to use web services. When dealing with credit card service, you are dealing with something that is already firmly in place and is not going to change.
13:49:20 [scribe]
Martin: So there are definitely actors, either people or external systems.
13:49:34 [scribe]
Roger: My point is that it is unlikely that these will operate as ws in the new future.
13:49:46 [scribe]
DaveO: Point is what things would look like using ws technology.
13:50:34 [scribe]
Roger: make this point because if you are prioritizing, some legs of a use case are unlikely to change in the near future so they are low priority.
13:50:51 [scribe]
Hugo: Even though parts of the use case won't be used for a very long time, they are still illustrative.
13:52:18 [scribe]
Hugo: User requests travel for some travel dates. Hugo has a complex diagram for this in his document. The customer provides the travel agent some travel dates and the service discovers airlines and then gets descriptions of how to interact with those. So the ontology thing means that the descriptions made sense to everyone (magic).
13:53:04 [scribe]
Hugo: So queries are made, results are returned, merged and sent to the customer. The customer chooses and the travel agent service books the flight.
13:53:34 [scribe]
Hugo: Then moves to the hotel reservation (which works much like the airline situation).
13:55:42 [scribe]
Hugo: From here, (purple stuff), when consumer books hotel, the travel service gives the customer payment options. The travel agent service interfaces with the credit company to get a guarantee of payment.
13:56:49 [scribe]
Hugo: At this point (Next diagram), the travel company has confirmation and then books the hotel with the credit information. Travel agent company creates vacation package and bill.
13:57:54 [scribe]
Hugo: Security wise, there is confidentiality, credit card company stuff (certificates and guarantee) - identity, encryption for credit card number.
13:58:25 [scribe]
Joe: Integrity would come into play since you don't want someone to change your data (london to paris) in transit. Authorization as well.
13:59:13 [scribe]
Roger: We have a system in our company that works exactly like this today. If we want to make this realistic, we could determine exactly how these work. There are all sorts of elaboration that happen in reality. For example people doing travel on behalf of another person.
13:59:45 [scribe]
DaveO: this is a great start. There are issues of communication, QOS, Orchestration, etc. I love the travel service kind of use case.
13:59:51 [jeffm]
+1
14:00:06 [scribe]
Joe: You can build this up. So you could add NR, etc.
14:00:21 [jeffm]
jeffm: +1
14:00:41 [scribe]
Martin: So, what's the end-to-end minimal thing that we need to do to make this secure. The customer looks up something and books, how do we make this minimally secure.
14:01:11 [scribe]
JeffM: Instead of taking the whole thing as an end-to-end we could take "little t" transactions and deal with each.
14:01:46 [scribe]
Jeffm: security group might be chartered for little enchilada as opposed to the whole thing (presumably staging).
14:02:09 [soliton]
soliton has joined #ws-arch
14:02:34 [scribe]
Roger: The ordering has to do with what gets done first and what is needed first. There are portions of this that are cast in stone (the real world). Some of the example doesn't need to be dealt with in the near future.
14:03:32 [scribe]
TomC: I tend to agree with the Oracle crowd. At a certain level of abstraction, in order to identify the meaningful parts for a security WG we have to get to lower level parts of the use case.
14:04:07 [scribe]
Jeffm: explicitly not trying to determine which things have to be done first.
14:05:31 [omh]
omh has joined #ws-arch
14:05:40 [jeffm]
To clarify: I'm suggesting that what is done first is the end-to-end security for the entire steel thread(s).
14:05:42 [scribe]
Chris: So if I want to pull this apart: How do we know that its hugo, integrity, confidentiality,
14:05:44 [tomCarrol]
q+
14:05:48 [maa-in]
q+
14:05:52 [Roger]
q+
14:06:00 [scribe]
Thanks Jeff ;)
14:06:37 [chris]
ack tom
14:06:54 [chris]
q?
14:07:04 [DaveO]
q+
14:07:09 [jeffm]
Clarify(cont): The prioritization task is picking the "right set" of steel threads to scope the first phase.
14:07:53 [scribe]
Tom: familiar with the eprocurement scenario. You have to look at the small use cases one at a time. That is you don't get to pull the security areas out one at a time (integrity, authorization, etc.). Must find pertinent use cases in order to define a domain.
14:08:24 [scribe]
martin: You didn't mention authorization or permissions.
14:08:30 [scribe]
Chris: They are all there.
14:09:06 [JensM]
JensM has joined #ws-arch
14:10:04 [scribe]
Chris: Key point is getting to the point that roger was making, we could do all of the security things (1-5) or...
14:10:16 [Martin]
q+
14:10:30 [tomCarrol]
q+
14:11:00 [scribe]
Chris: we could do them all, we can parallelize based on specific aspects. In terms of encryption where you have only a credit card number, did you really need XML encryption?
14:11:15 [scribe]
Joe: You could do this two ways (SSL is option).
14:12:36 [scribe]
Chris: Integrity is fundamental (due to multiple), authentication is fundamental, and confidentiality. can we focus on just these three.
14:13:05 [chris]
ack maa
14:13:12 [scribe]
Martin: The scenario has to touch on all of them otherwise you will miss something. The steel thread must address all points.
14:13:21 [hugo]
q+
14:13:29 [scribe]
Joe: This is what he was referring to earlier, the minimal set.
14:13:40 [chris]
ack roger
14:13:56 [scribe]
Roger: Does not like the use case because he doesn't see the business driver.
14:14:31 [scribe]
Roger: sees apples and oranges of existing systems of different types. He really wants to show the EDI use case because it is different and the business drivers are clearly displayed.
14:14:33 [joe]
q+
14:14:42 [chris]
ack daveo
14:15:50 [scribe]
DaveO: In terms of the break up, another way to tease out requirements is to look at what is going on in terms of the channel (e.g., email). So this type of variability might be another way to go in terms of structuring this.
14:15:55 [chris]
ack martin
14:16:11 [scribe]
Martin: This use case represents 80% of what the web is used for.
14:16:18 [chris]
q+ jeffm
14:16:34 [chris]
ack tom
14:18:06 [scribe]
TomC: On Roger's point, views the use case as an abstraction (that is that you can abstract out the business portion - the travel agent). The trust model varies based on what side of the travel agent service I belong to. I have trust with suppliers that is completely different than with the general public. So security may be completely different and require completely different technical implementations.
14:18:14 [chris]
ack hugo
14:18:44 [scribe]
Hugo: Martin said that we should have a look at everything rather than limiting to the 3. If we have a look at everything, everything will be large (e.g., privacy).
14:18:48 [chris]
ack joe
14:19:47 [scribe]
Joe: Responds to Roger's use case comment. Can cover all of the security aspects with buying a book from Amazon.com. The EDI use case could be different because it is intranet.
14:19:56 [scribe]
Roger: Not intranet, it's an internet example!
14:20:09 [omh]
omh has left #ws-arch
14:20:10 [GlenD]
q+
14:20:32 [DaveO]
q+
14:20:49 [chris]
ack jeffm
14:21:23 [scribe]
Glend: two tiny comments. Regardless of whether the use case is connected to reality, it is still a useful scenario. Can we ask Roger to do a short description of his use case?
14:21:55 [chris]
ack glend
14:22:02 [chris]
q close
14:22:10 [scribe]
Roger: EDI-like interaction between big and small company to purchase widgets. It is interesting because small company has different capabilities and security aspects and guts happens when things go wrong.
14:22:56 [dbooth]
q?
14:23:02 [scribe]
Mike: How does this use case differ from the travel agent?
14:23:03 [chris]
ack daveo
14:23:06 [chris]
ignore q
14:23:22 [scribe]
Roger: Assumption here is that you have trusted partners.
14:23:24 [Martin]
q martin
14:23:31 [Martin]
q+
14:23:45 [chris]
zakim, ignore q
14:23:46 [Zakim]
I don't understand 'ignore q', chris. Try /msg Zakim help
14:23:53 [chris]
zakim, ignore queue
14:23:56 [Zakim]
ok, chris, I will ignore the speaker queue
14:23:59 [Martin]
+q
14:24:03 [jeffm]
+q
14:24:10 [scribe]
DaveO: I have built SOAP systems doing exactly this. If you take how vendors talk about ws. IBM developer site is example. They use travel, others use this example. This is a canonical example for doing WS.
14:24:26 [dbooth]
q+ jeffm
14:24:28 [jeffm]
jeffm wonders where chris is
14:24:46 [scribe]
chris: we don't have time to do the break outs. Suggests that we let Roger present his use case for 5-10 minutes.
14:27:15 [scribe]
Roger: I talked to our EDI people about what they actually do and how they would be interested in using web services and here's the scenario. You have a big company trying to buy widgets from a small mom and pop co with a big technology difference. We actually want to do this.
14:28:04 [scribe]
Roger: Actors: Engineer, business analyst, lots of people. mom and pop and uncle on weekends.
14:29:17 [scribe]
Roger: Request for purchase, purchase order, request for invoice, purchase, payment.
14:29:39 [hugo]
EDI use case: http://lists.w3.org/Archives/Public/www-ws-arch/2002May/att-0323/02-WS-EDI_Use_Case.htm
14:29:45 [scribe]
Roger: Focus is technical infrastructure not the business process. Payments are explicitly out of scope. Because banks have their own processes.
14:30:29 [scribe]
Roger: This is how process works when it works. This is less interesting than when it doesn't. He has a list of requirements, check the use case for details. It is required that messages are ordered and identified with unique ID but not sequenced.
14:31:25 [scribe]
Roger: Security problem: NR, accessibility, authentication. NR is a lower level than NR but higher than auditing because it is a trusted business partner. No one is going to court over a failure. You just need some way to determine what happened.
14:32:35 [scribe]
Roger: So you need to reconciliate. So, the problems in the process are the real meat. This is where people spend their time. Transaction log mismatch. At the end of each month the big co will send a list of messages received to small co. The response is checked against the back office to see if there is message agreement.
14:32:50 [dbooth]
q+
14:33:08 [dbooth]
q-
14:33:12 [scribe]
Roger: Second scenario is that small co thinks that they weren't paid. (incorrectly). They didn't get a payment advise(?). So they got paid but they don't know it.
14:33:54 [scribe]
Roger: Big purchasing department ... big co sends copies of purchase information to little co, and then little co matches and determines that they were paid.
14:34:15 [scribe]
Roger: Finally, example where small co gets paid and this is similar to former.
14:34:27 [chris]
zakim, track queue
14:34:29 [Zakim]
ok, chris, I will track the speaker queue
14:34:31 [tomCarrol]
q+
14:34:33 [scribe]
Roger: Real important thing is to be able to determine what happened in the past.
14:34:37 [GlenD]
q+
14:34:53 [omh]
omh has joined #ws-arch
14:35:00 [scribe]
Martin: This type of scenario is invaluable. Some things are not in the scope of web services. A lot of the use case is human use case.
14:36:19 [scribe]
Roger: I disagree. Differentiates (human from machine) based on log information needed vs. actual reconciliation.
14:36:33 [scribe]
Martin: What extra do we need to do to be able to prove that a payment was made (for example)?
14:36:39 [chris]
ack martin
14:37:00 [scribe]
Roger: It is important that there is an agreed upon method for identifying messages (in time).
14:37:10 [chris]
ack tom
14:37:12 [scribe]
Roger: A standards query for getting digest of messages would be great.
14:37:51 [scribe]
TomC: Looks at the abstraction. The activity being performed is ... missed it
14:37:56 [dbooth]
Hmm, it sounds like he's talking about "unambiguously identifying things". Sounds a lot like URIs to me!
14:38:42 [chris]
ack tom
14:38:47 [scribe]
JeffM: If the requirement is to have a logging service, and the service has to support a DB query service then that is all that you need to say - that's a solution to the problem.
14:38:50 [chris]
ack glen
14:38:59 [tomCarrol]
q+
14:39:09 [scribe]
JeffM: doesn't see how the use case adds more to security.
14:39:25 [scribe]
Roger: I think that it is significant that the financial transactions are out of scope.
14:39:45 [Heather]
why are the financial transactions out of scope?
14:40:17 [chris]
q+ jeffm
14:41:05 [chris]
q+ zulah
14:41:13 [dboo-scri]
GlenD: There are lots of scenarios. I suggest we do something to move forward. We've chosen to drill through a use case. We'll do (1) vote for one of these use cases; or (2) tonight you guys can combine them.
14:41:20 [dboo-scri]
Roger: Or we could split and do both.
14:41:27 [DaveO]
q+
14:41:50 [dboo-scri]
Heather: why are the financial transactions out of scope?
14:42:05 [dboo-scri]
Roger: Because EDI people told me they weren't interested in it.
14:42:14 [dboo-scri]
s/EDI/my EDI/
14:42:16 [Heather]
why?
14:42:37 [Heather]
is there no interest from the financial industry to move to web services?