IRC log of ws-arch on 2002-06-13
Due to log merging, there may be timestamp weirdnesses.
- 07:03:42 [RRSAgent]
- RRSAgent has joined #ws-arch
- 07:04:02 [hugo]
- hugo has changed the topic to: WSAWG face-to-face meeting; IRC log at: http://www.w3.org/2002/06/13-ws-arch-irc
- 07:04:08 [Heather]
- good morning
- 07:04:23 [hugo]
- good morning Heather
- 07:05:09 [dbooth]
- Yowzer, you're up earlier Heather! (Or late!)
- 07:05:22 [Heather]
- early.... yawn
- 07:05:43 [Heather]
- how was dinner???
- 07:06:53 [dbooth]
- I actually skipped the group dinner, cuz i had more work to do on my slides for today. But I had a nice quiet dinner at a cafe in front of my laptop.
- 07:07:56 [Heather]
- you are too dedicated :-)
- 07:08:17 [chris]
- chris has joined #ws-arch
- 07:12:37 [soliton]
- soliton has joined #ws-arch
- 07:12:45 [soliton]
- morning, Heather
- 07:13:01 [soliton]
- Did you get the message yesterday?
- 07:13:23 [MChapman]
- MChapman has joined #ws-arch
- 07:13:33 [Heather]
- about a requirements meeting after the meeting today?
- 07:14:06 [soliton]
- we try to have a reliability meeting after 5:00 pm
- 07:14:23 [soliton]
- so, just stay tuned
- 07:14:37 [Heather]
- ok
- 07:16:54 [TomCarrol]
- TomCarrol has joined #ws-arch
- 07:16:59 [Roger]
- Roger has joined #ws-arch
- 07:17:15 [Roger]
- Hi Heather. Is it 3 AM there?
- 07:18:17 [TomCarrol]
- It feels like 3 am here
- 07:19:26 [Heather]
- yes... it's 3am
- 07:19:47 [mikem]
- mikem has joined #ws-arch
- 07:19:47 [Heather]
- I haven't seen 3am since my last child was born!
- 07:19:49 [chris]
- http://lists.w3.org/Archives/Public/www-ws-arch/2002May/0435.html
- 07:19:54 [chris]
- scribe: tomc
- 07:20:14 [Heather]
- Tom...must have been a good dinner :-)
- 07:20:16 [shishir]
- shishir has joined #ws-arch
- 07:20:34 [yinleng]
- yinleng has joined #ws-arch
- 07:20:51 [yinleng]
- yinleng has left #ws-arch
- 07:20:52 [AllenBr]
- AllenBr has joined #ws-arch
- 07:20:54 [jdmunter]
- jdmunter has joined #ws-arch
- 07:21:43 [dougb]
- dougb has joined #ws-arch
- 07:25:23 [TomCarrol]
- Comments on the rewording of D-AC002.3.1
- 07:27:33 [Heather]
- i don't see an ac002.3.1....
- 07:29:43 [TomCarrol]
- Doug's email is listed above
- 07:31:08 [Daniel]
- Daniel has joined #ws-arch
- 07:31:57 [Heather]
- I'm not sure I understand the wording still....
- 07:32:07 [Daniel]
- which wording? old or new?
- 07:32:09 [Heather]
- and what happened to the superset concept?
- 07:32:10 [Heather]
- new
- 07:32:39 [Daniel]
- I don't understand the new either, I support the old wording
- 07:32:55 [Daniel]
- we are trying to get at modularization
- 07:35:26 [TomCarrol]
- D-AC002.3.1 tabled for further thought
- 07:36:29 [Heather]
- subsets of what??? the architecture? the end user interface? Is this like a wsi profile?
- 07:36:49 [Daniel]
- technologies developed for the arch.
- 07:38:05 [Roger]
- Roger has joined #ws-arch
- 07:38:06 [Daniel]
- ws-i profile is very similar idea
- 07:38:37 [TomCarrol]
- Suggestion to drop "intended audience" from D-AC005
- 07:40:41 [Heather]
- seems ok...
- 07:41:07 [dougb]
- what was KIS^5 (simple, scalable, ...)?
- 07:42:02 [TomCarrol]
- Roger: moves to accept it as is
- 07:44:13 [TomCarrol]
- D-AC005 accepted.
- 07:44:28 [TomCarrol]
- Comments on D-AC005.1
- 07:45:08 [Heather]
- what is the gist of the comments?
- 07:45:38 [Daniel]
- basically, ppl are arguing over the words, not the meaning
- 07:45:47 [Daniel]
- it needs some wordsmithing
- 07:46:07 [Heather]
- ok
- 07:47:18 [Daniel]
- we are going to explicitly modify the statements with the "should" qualifier
- 07:47:45 [TomCarrol]
- JeffM: proposed to drop.
- 07:49:22 [Heather]
- why?
- 07:50:18 [Daniel]
- Jeff sez: it isn't enforceable
- 07:50:43 [Daniel]
- David O advocates specialized jargon
- 07:50:43 [TomCarrol]
- DaveO: it's all jargon and we will use jargon to describe web services
- 07:52:58 [TomCarrol]
- Those who care will resolve independently.
- 07:53:24 [TomCarrol]
- those who care: Daniel and Alan
- 07:53:32 [jeffm]
- jeffm has joined #WS-Arch
- 07:54:05 [TomCarrol]
- Comments on D-AC005.10
- 07:54:26 [TomCarrol]
- Accepted
- 07:54:39 [chris]
- resolved: d-ac005.10 accepted
- 07:55:20 [Heather]
- what happened to 5.5-5.8?
- 07:55:22 [TomCarrol]
- Comments on D-AC005.13
- 07:55:51 [omh]
- omh has joined #ws-arch
- 07:55:51 [Heather]
- what are exotic constructions?
- 07:55:56 [dbooth]
- Can someone give me the requirements doc URL again?
- 07:56:11 [Heather]
- http://www.w3.org/2002/ws/arch/2/06/wd-wsa-reqs-20020605.html#AC002
- 07:56:15 [chris]
- resolved: remove d-ac005.13
- 07:56:21 [dbooth]
- Thanks heather!
- 07:56:24 [Heather]
- np
- 07:56:50 [Roger]
- Roger has joined #ws-arch
- 07:57:16 [TomCarrol]
- Comments on D-AC005.14
- 07:58:08 [Heather]
- i think this one has no relationship to simpleness or completeness of the architecture
- 07:58:14 [Daniel]
- *wonders how to tell if 5.14 makes any sense at all*
- 07:58:57 [Heather]
- i propose to drop (if someone hasn't beaten me to it)
- 07:59:29 [Daniel]
- we could specify the maximum cyclomatic complexity I guess
- 07:59:34 [Daniel]
- *not*
- 07:59:43 [Heather]
- :-)
- 08:00:08 [TomCarrol]
- DaveO: the goal as stated sounds good but there is no clear definition of what "large amounts of code" is.
- 08:01:44 [Heather]
- even a simple arch can require large amounts of code depending on how the vendor chooses to implement it
- 08:01:49 [shishir]
- shishir has joined #ws-arch
- 08:01:54 [TomCarrol]
- Roger: thinks it is important
- 08:02:24 [Daniel]
- I just don't care how much code it uses...more != bad code
- 08:02:46 [Daniel]
- the amount of code is not a measure of its quality
- 08:02:50 [Heather]
- i don't want us to NOT add valid components because they require large amounts of code
- 08:02:58 [Daniel]
- right
- 08:03:22 [Heather]
- i.e. security - there is NO way that bugger is NOT going to require HUGE amounts of code (by anyone's definition)
- 08:03:36 [Daniel]
- security = ugh
- 08:03:57 [Heather]
- (I agree Daniel)
- 08:04:05 [TomCarrol]
- JeffM: the union of all participants causes the size to increase
- 08:05:24 [TomCarrol]
- Roger: It's important that simple things must be able to be done in simple ways, avoiding unnecessary complexity and size.
- 08:06:20 [Heather]
- I agree with a csf of 'avoid unnecessary complexity and size'
- 08:06:28 [TomCarrol]
- Roger: Cut it
- 08:06:32 [jeffm]
- More precisely: the process of getting everyone to remove their "lie down in the road objections" often causes lots of extra complexity
- 08:06:45 [chris]
- resolved: d-ac005.13 removed
- 08:07:01 [chris]
- s/13/14/
- 08:07:01 [Heather]
- 13? or 14?
- 08:07:05 [soliton]
- Artifacts in the reference architecture should be defined in UML where applicable.
- 08:07:19 [TomCarrol]
- Comments on D-AC005.15
- 08:07:41 [Daniel]
- dear soliton: no bloody way
- 08:07:42 [TomCarrol]
- Daniel: Drop it
- 08:08:28 [hugo]
- hugo has joined #ws-arch
- 08:08:38 [Heather]
- having a goal to allow simple invocation styles may be something we don't want to lose
- 08:08:43 [Daniel]
- Uml bears the same relation to architecture that theology bears to religion, that is, none at all
- 08:08:52 [soliton]
- why? UML is well established.
- 08:09:11 [TomCarrol]
- Glenn: this refers to clean modularity
- 08:09:14 [soliton]
- most programmers now are used to UML
- 08:09:18 [MChapman]
- and is excellent for defining architectures
- 08:09:23 [soliton]
- it helps the spec to be adopted.
- 08:09:36 [GlenD]
- GlenD has joined #ws-arch
- 08:09:50 [Daniel]
- I love UML, I teach UML, I don't abuse UML by attempting to do something with it that it is not good at i.e. architecture
- 08:09:53 [yinleng]
- yinleng has joined #ws-arch
- 08:10:11 [Heather]
- what would you use instead Daniel?
- 08:10:16 [MChapman]
- define architecture
- 08:10:20 [TomCarrol]
- Glen to reword D-AC005.15
- 08:10:32 [MChapman]
- blobs that interconnect
- 08:10:35 [TomCarrol]
- Glen to Reword D-AC005.15
- 08:10:55 [jeffm]
- From my perspective: UML is simply a language
- 08:10:55 [soliton]
- soliton is puzzled by Daniel.
- 08:10:55 [Heather]
- Glen to reword to capture what gist?
- 08:10:55 [Daniel]
- I like SDML personally
- 08:11:32 [soliton]
- how many of us know SDML?
- 08:11:40 [Heather]
- i never even heard of it....
- 08:11:42 [Daniel]
- UML is okay, for software applications
- 08:11:50 [soliton]
- let alone average programmers
- 08:11:57 [jeffm]
- What's SDML - Structured Data Manipulation Language ???
- 08:11:59 [Daniel]
- but which of the 10 class 1 UML diagrams is good for architecture?
- 08:12:11 [jeffm]
- #'s 3 and 7
- 08:12:27 [soliton]
- component diagram
- 08:12:34 [soliton]
- use cases
- 08:12:53 [soliton]
- and so on ..
- 08:13:04 [Daniel]
- hmmm...Jeff sez, collaboration and component...nowhere do I get to specify the messaging
- 08:13:09 [TomCarrol]
- Glen: the rewording will be worded along the lines of "everyone can play".
- 08:14:01 [Daniel]
- I am willing to give ground on this one, up to the point where we *require* UML to be used
- 08:14:01 [TomCarrol]
- Chris: any other low hanging fruit????????
- 08:14:03 [soliton]
- where, in most cases you can specify the messaging
- 08:14:11 [MChapman]
- what's messaging got to do with architecture
- 08:14:18 [soliton]
- note that I said "where applicable"
- 08:14:19 [TomCarrol]
- Zula: did we discuss 21??????
- 08:14:26 [Daniel]
- architecture us *all* about messaging
- 08:14:33 [Daniel]
- us = is sorry
- 08:14:54 [soliton]
- I don't quite agree on that one.
- 08:15:22 [soliton]
- problem partitioning and use cases are also a large part
- 08:15:35 [jeffm]
- Daniel: will you allow UML to be used if someone wants to use it in a spec?
- 08:15:41 [Daniel]
- sure
- 08:15:53 [Daniel]
- so long as it is not *required*
- 08:16:21 [MChapman]
- it certainly should mean anything w.r.t conformance
- 08:16:23 [MChapman]
- should not i mean
- 08:16:31 [soliton]
- did the word "should" qualify as your not *required* ?
- 08:16:39 [jeffm]
- I think you're trying to stand up in front of a tidal wave, but that's your choice
- 08:16:43 [MChapman]
- yes sorry, fingers too fast
- 08:16:49 [Daniel]
- I'll go for "may"
- 08:17:21 [soliton]
- I guess we can have a vote on the choice here.
- 08:17:26 [TomCarrol]
- DaveO: He and Hugo discussed the XML schema (10.1) issue and found the usage of "should" would be acceptable.
- 08:18:05 [Daniel]
- as Jon Bosak would say (about UML) "I want my data back"
- 08:18:15 [soliton]
- how come 10.1 is not in the editor's copy?
- 08:18:21 [Daniel]
- the business comics are not data, pictures are not data
- 08:18:29 [dougb]
- because it's underneath 011
- 08:18:44 [MChapman]
- pictures say a 1000 words:)
- 08:18:44 [soliton]
- thanks, dougb
- 08:18:55 [soliton]
- totally agree with MChapman
- 08:19:01 [jeffm]
- I've seen these fights about requiring UML in other forums. What I've observed is that eventually everything starts showing up as UML, and pretty soon it becomes established in the culture. To the point where discussions of whether to make it mandatory or not become irrelevant.
- 08:19:01 [Daniel]
- yeah but you can't get your 1K words back
- 08:19:34 [Daniel]
- actually Jeff, I'm pushing it hard in my org.
- 08:19:35 [Daniel]
- for the software devs
- 08:19:56 [GlenD]
- Proposed rewording of D-AC005.15:
- 08:20:02 [GlenD]
- It shall follow the principles of well-modularized design to allow both extremely simple and more complex participants in Web Service interactions.
- 08:20:46 [omh]
- that appears to work ok...
- 08:20:57 [jeffm]
- Sure, like all new shiny "cool" toys (...err I mean tools ;-) people start trying to use it for everything. Eventually they settle down, and stop using the pliers to bang in nails (except when they've lost their hammer.)
- 08:22:40 [Heather]
- where are the 'principles of well-modularized design' found?
- 08:22:42 [Daniel]
- rephrase of Glen's proposal: "It will follow the principles of modularized design in order to allow interactions at different levels of complexity among Web Services"
- 08:23:27 [Daniel]
- You can read them here Heather: http://www.w3.org/TR/xhtml-m12n-schema/
- 08:23:47 [TomCarrol]
- Resolution AC0010.1 accepted
- 08:23:48 [Daniel]
- Jeff: I agree
- 08:23:48 [chris]
- resolved: glen resolved: AC010.1 Each new architectural area that has a representation SHOULD be normatively defined using XMLSchema
- 08:23:48 [Heather]
- the interactions are simple->complex... not the participants, right?
- 08:24:19 [soliton]
- I like Daniel's rewording.
- 08:24:26 [Daniel]
- right
- 08:26:17 [Heather]
- how about 'in order to allow both simple and complex interactions with Web Services'
- 08:26:23 [GlenD]
- +1 to Daniel's rewording.
- 08:26:51 [GlenD]
- Heather: I don't think that's general enough
- 08:26:52 [Heather]
- but the participants are not always web services... so among web services doesn't seem right...
- 08:27:16 [soliton]
- the complexity is about interactions, not participants
- 08:27:29 [GlenD]
- By "participants" I was trying to get at the idea that you can build simple or complex programs to do simple or complex interactions...
- 08:27:40 [TomCarrol]
- Comments on D-AR011.1
- 08:27:49 [GlenD]
- i.e. both design and runtime have a smooth spectrum of complexity if we do this right
- 08:27:53 [Heather]
- so... complexity is about participants?????
- 08:27:55 [soliton]
- so i'd stick with Daniel's wording.
- 08:28:11 [Roger]
- Roger has joined #ws-arch
- 08:28:12 [Daniel]
- we could change "among" -> "with"
- 08:28:19 [GlenD]
- Or we can be more explicit
- 08:28:28 [Heather]
- daniel's applies to complex interactions... not participants
- 08:28:51 [TomCarrol]
- DaveO: The process takes care of this requirement.
- 08:29:10 [GlenD]
- "It will follow the principles of modularized design in order to allow programs and web service interactions to smoothly scale in complexity."
- 08:29:26 [Heather]
- i can live with this as daniel has it with 'among'->'with'
- 08:29:27 [soliton]
- not as good as the previous one
- 08:29:32 [TomCarrol]
- Resolved D-AR011.1 removed
- 08:29:32 [Heather]
- not a lie down in the road
- 08:29:37 [chris]
- resolved: d-ac011.1 removed
- 08:29:49 [Daniel]
- whoohoo break time!
- 08:29:51 [soliton]
- words such as "smoothly" will only cause confusion
- 08:30:07 [Daniel]
- *participants retreat to their corners, breathing hard*
- 08:30:27 [Heather]
- :-)
- 08:30:29 [soliton]
- round 2 will start in 15 minutes
- 08:30:44 [Heather]
- i'm just going to close my eyes for one minute....
- 08:30:47 [TomCarrol]
- After the break: the draft outline of the Arch. Doc
- 08:31:11 [omh]
- see you in 4 hours then heather :)
- 08:31:19 [Heather]
- :-)
- 08:31:20 [Daniel]
- lol
- 08:31:58 [chris]
- 20 minute break
- 08:36:07 [Roger]
- Roger has joined #ws-arch
- 08:37:05 [dbooth]
- dbooth has joined #ws-arch
- 08:46:07 [GlenD]
- "It will follow the principles of modularized design in order to allow interactions with Web Services at different levels of complexity"
- 08:46:25 [GlenD]
- That's my final offer. :)
- 08:46:42 [jdmunter]
- jdmunter has joined #ws-arch
- 08:47:06 [joe]
- joe has joined #WS-ARCH
- 08:47:38 [David]
- David has joined #ws-arch
- 08:47:44 [joe]
- Hello wsa world!
- 04:45 [David]
- I've finally got the editors draft of the arch document on the site. It's at http://www.w3.org/2002/ws/arch/2/wd-wsawg-arch-06132002.html
- 04:45 [David]
- the "wd" is actually incorrect, it's an editors draft
- 04:50 [David]
- ok, reload the doc if you have already loaded it, as I updated the conceptualmodel.jpg based upon eric's updates.
- 04:52 [Daniel]
- did Heather go off to sheep-land?
- 04:52 [chris]
- okay, we're baaaack
- 04:52 [Heather]
- i'm back
- 04:52 [Heather]
- barely
- 04:52 [Daniel]
- you're a trooper anyway
- 04:52 [soliton]
- where is the jpg?
- 04:53 [David]
- soliton, it's referenced in the arch document
- 04:54 [soliton]
- oh, i see.
- 04:55 [soliton]
- what is the url for the arch doc?
- 04:56 [Heather]
- we always saw QOS as a vertical like management and security
- 04:56 [soliton]
- agree with heather
- 04:56 [Daniel]
- hey Heather - you are from IBM, aren't you supposed to say "separation of concerns"?
- 04:57 [hugo]
- Document discussed: http://www.w3.org/2002/ws/arch/2/wd-wsawg-arch-06132002.html
- 04:57 [David]
- lol
- 04:58 [Heather]
- i may just be sleepy... but having qos as a vertical does allow us to do something appropriate (and perhaps orthogonal) at each layer of the stack...
- 04:58 [David]
- Heather, I've got RAS still imprinted on my forehead...
- 04:58 [Heather]
- :-)
- 04:58 [David]
- Heather, we're not *quite* talking about the diag yet...
- 04:58 [Daniel]
- Roger: you can get the xmlspec.xsl at: http://dev.w3.org/cvsweb/spec-prod/html/xmlspec.xsl
- 05:01 [Heather]
- ok... I'll wait my turn
- 05:01 [chris]
- we're on the conceptual model diag now
- 05:02 [Heather]
- can someone capture the gist of the conversation for me???
- 05:02 [chris]
- now we're on system diag
- 05:03 [chris]
- david is describing intent of these diags
- 05:03 [chris]
- conceptual model is to basically identify the related concepts
- 05:03 [TomCarrol]
- We are now on the stack diagram
- 05:04 [chris]
- sect 1.3 overview (stack diag for starters)
- 05:04 [Heather]
- I don't understand the caching block in this context...
- 05:05 [TomCarrol]
- We are now on 2.3 Security
- 05:08 [Heather]
- the bottom blocks are specs?
- 05:08 [TomCarrol]
- Zula: What process are we going to use in completing this document????
- 05:08 [Heather]
- pointed to by the concepts?
- 05:09 [TomCarrol]
- Chris: the process will be; the editors will propose and then request input and revision from the group, in increasing levels of detail.
- 05:10 [TomCarrol]
- Chris: there should be frequent snap shots.
- 05:10 [Heather]
- Can group members propose things to the editors?
- 05:10 [dougb]
- Heather, we're not ignoring your comments. We are however discussing things at a significantly higher level at the moment. I'm sure we'll come back to the details / diagrams soon.
- 05:11 [TomCarrol]
- Zula: What role do the CSF play within the arch doc?
- 05:11 [TomCarrol]
- Zula: particularly the models (ie security model)
- 05:13 [TomCarrol]
- DaveO: Security is everywhere; that is why the security bar is represented as it is in the conceptual model (1.1)
- 05:15 [jdmunter]
- wrt to process, I propose that we are all contributors. Along with commenting on content already there, I should be able to send my initial suggestions to the editors for inclusion also.
- 05:16 [Daniel]
- I agree Joel
- 05:16 [TomCarrol]
- We are now referring to the outline and how various topics break out.
- 05:16 [Heather]
- me too
- 05:16 [chris]
- q+ joe jeff
- 05:16 [chris]
- q+ joe jeff
- 05:17 [chris]
- ack joe
- 05:17 [TomCarrol]
- Joe: Conceptual diagram: how would you like feedback? The list???
- 05:18 [TomCarrol]
- Chris: in general no; the more specific issues should go to the list.
- 05:18 [chris]
- joe: security should extend to transport
- 05:18 [TomCarrol]
- Joe: would like to see security extend into the transport.
- 05:19 [chris]
- q+ zulah davidb
- 05:19 [TomCarrol]
- DaveO: What do you think of the Doc???
- 05:19 [Heather]
- which part are we reviewing specifically right now
- 05:19 [David]
- Heather, reviewing the outline and structure...
- 05:21 [TomCarrol]
- Chris: Specifics go to the list, the goal now is to get agreement on the generalities.
- 05:21 [Heather]
- in IBM we broke the wire stack into 3 'generic' topics: transport, packaging, extensions....
- 05:21 [Heather]
- then we discuss soap in packaging
- 05:21 [Heather]
- and headers in extensions
- 05:22 [Heather]
- would this sort of organization help here?
- 05:23 [chris]
- q+ allen heather
- 05:24 [TomCarrol]
- JeffM: where is the web service?
- 05:25 [TomCarrol]
- JeffM: How do these relate to the web Service?
- 05:25 [TomCarrol]
- JeffM: How do the things in the document relate to the web service?
- 05:26 [TomCarrol]
- DaveO: Lets drill down on jeffMs point.
- 05:27 [TomCarrol]
- JeffM: how much work is this group going to do versus, say, the security WG???
- 05:27 [TomCarrol]
- Zula: Where are the life cycle and conceptual model about services?
- 05:28 [chris]
- ack zulah
- 05:28 [chris]
- ack davidb
- 05:28 [chris]
- ack jeff
- 05:28 [soliton]
- can I be on the queue?
- 05:28 [chris]
- ack allen
- 05:29 [soliton]
- queue+
- 05:29 [jdmunter]
- q+
- 05:29 [chris]
- q+ daniel
- 05:29 [TomCarrol]
- AllenBr: Security reaches through the depths as does reliability.
- 05:29 [jdmunter]
- q-
- 05:29 [chris]
- ack heather
- 05:30 [Heather]
- see my earlier remarks on organizing around generic concepts in the wire stack
- 05:30 [TomCarrol]
- AllenBr: anything that has end to end could be vertical
- 05:30 [chris]
- ack soliton
- 05:30 [Heather]
- transport/packaging/extensions...
- 05:30 [dbooth]
- heather, would you mind putting your comments directly into this IRC channel?
- 05:30 [Heather]
- I am, aren't I?
- 05:31 [dbooth]
- oh, sorry, I see it was earlier.
- 05:31 [chris]
- tomc relayed your previously posted comments
- 05:31 [chris]
- ack daniel
- 05:31 [TomCarrol]
- Soliton: The doc should have the high level concerns and their relationships
- 05:33 [TomCarrol]
- Daniel: the "ilities" are all vertical and are broken out by domain and there are a number of them
- 05:33 [soliton]
- hi, Daniel, can you also put my top level concerns on the flip chart?
- 05:33 [TomCarrol]
- DaveB: the doc is a good start but the diagram does not work for me.
- 05:34 [dbooth]
- s/does not work/does not have any meaning/
- 05:35 [soliton]
- agree with DaveB
- 05:37 [TomCarrol]
- chris: What are the characteristics of a web service?
- 05:37 [TomCarrol]
- Daniel: What is the meta model??
- 05:38 [TomCarrol]
- Mike: XML/semantic web is the whole box (conceptual model)/?
- 05:41 [TomCarrol]
- Mike: We might want to group the ilities together?
- 05:41 [dbooth]
- q+
- 05:44 [TomCarrol]
- Daniel: why does the doc talk about the semantic web?
- 05:44 [Daniel]
- Daniel notes in passing that the diagram needs to have 'semantic web' removed. this is a road-recumbent issue
- 05:44 [TomCarrol]
- Chris: that question can be discussed when the author is present.
- 05:45 [TomCarrol]
- DaveO: what are the features that support the creation of a web service?
- 05:45 [soliton]
- top level concerns: Interoperability, Reliability, Management, Web-friendly, Security
- 05:46 [soliton]
- Scalability and Extensibility
- 05:46 [Daniel]
- +extensibility
- 05:46 [Daniel]
- +scalability
- 05:46 [Daniel]
- LOL Zakim is an electronic moron
- 05:50 [soliton]
- from the TLCs, we can see the merge of two important components: Management and security
- 05:52 [TomCarrol]
- davidB: What is the universe? what is this thing? where does this thing fit in the universe?
- 05:52 [GlenD]
- Just in time for the easy questions, Paul!
- 05:53 [soliton]
- the universe starts from the big bang.
- 05:53 [Heather]
- now we are boiling the universe... that's even worse than the ocean
- 05:53 [Daniel]
- ROFL Heather
- 05:53 [soliton]
- what is LOL?
- 05:53 [Heather]
- laugh out loud
- 05:53 [dougb]
- laughing out loud
- 05:54 [TomCarrol]
- Glen: Are we trying to answer the distributed computing question?
- 05:54 [dbooth]
- Soliton, see: http://searchwebmanagement.techtarget.com/sDefinition/0,,sid27_gci211776,00.html
- 05:55 [TomCarrol]
- Daniel: Web services are a subset of Dist. Computing.
- 05:56 [Heather]
- we must certainly answer a lot of questions related to distributed computing at any rate....
- 05:56 [soliton]
- THX, DB
- 05:57 [jdmunter]
- I add a "+1" to heather's latest comment
- 06:00 [Heather]
- tom.. what's going on...
- 06:01 [TomCarrol]
- The discussion is revolving around the relationship between the web and web services
- 06:02 [TomCarrol]
- specifically the scope of the web services context
- 06:02 [TomCarrol]
- Glen is talking about nodes interacting using infosets
- 06:03 [TomCarrol]
- Heather: Does that help?
- 06:04 [Heather]
- yes (watching a silent irc is hard at 6am :-) )
- 06:04 [TomCarrol]
- Sorry, unskilled scribe
- 06:05 [Daniel]
- Martin says we should levelrage Corba-like ideas for WS as well as web ideas
- 06:05 [Heather]
- what is the gist of glen's point? that web services are nodes interacting using infosets? or that the web is?
- 06:05 [Daniel]
- leverage even
- 06:05 [Heather]
- i agree w/ martin...
- 06:05 [Daniel]
- so do I...seems everyone does
- 06:08 [TomCarrol]
- Daniel: Web services is a layer on the web stack
- 06:09 [Heather]
- we should allow for the chance that web services will modify/expand existing layers of the web stack
- 06:09 [dougb]
- Heather, the web versus web services discussion continues. Possibilities such as 'web services are a subset of the web', 'bringing COM/CORBA to the web', 'adding useful concepts from COM/CORBA to the web',...
- 06:09 [Heather]
- we are adding new functionality to the web... it is possible that it won't cleanly layer
- 06:10 [TomCarrol]
- JeffM: the problem space faced by the mainframe application domain 20 years ago is similar to the one we face now.
- 06:10 [Daniel]
- heather, that is just what I said :)
- 06:11 [Heather]
- dougb... add "web services are a superset of the web" to the mix
- 06:13 [dougb]
- another idea suggested in the room: looking at mistakes / problems from earlier attempts to solve distributed computing and attempting to avoid same
- 06:13 [Daniel]
- it's clear that COM's problem was/is that it is proprietary
- 06:14 [Daniel]
- CORBA's problem was that it added too much complexity
- 06:14 [Daniel]
- and still didn't work right
- 06:15 [Daniel]
- we need to avoid either overengineering the environment or making it so complex it is overexpensive
- 06:15 [Heather]
- those could be the morals of the distributed computing fables.... but I'm sure there are MANY other lessons learned from our collective experience with distributed systems
- 06:16 [Daniel]
- true heather...but I only have a single line interface to describe them! :)
- 06:16 [Daniel]
- *the margins of IRC are too small to contain my solutions!*
- 06:16 [omh]
- Hmm - CORBA was not really complex - major issues were the connected nature of the interactions and the requirement for client libraries...
- 06:17 [soliton]
- loose coupling, loose coupling and loose coupling
- 06:17 [Heather]
- avoiding overengineering is a noble goal
- 06:17 [soliton]
- prefer messaging over RPC
- 06:17 [Heather]
- catching the 80% first with simple approaches
- 06:17 [hugo]
- q+ roger martin david
- 06:17 [Daniel]
- q+ roger, martin, davidb
- 06:18 [jeffm]
- messaging and RPC are equivalent
- 06:18 [hugo]
- q= Dbooth, Roger, Martin, David
- 06:18 [dougb]
- we've got a sheet containing a few other lessons: general issue described is 'end to end stuff addressed up front' with security, versioning and reliability as subtopics.
- 06:18 [jeffm]
- the difference is in the failure modes and when failure occurs
- 06:18 [Daniel]
- Jeff: no, RPC is just one kind of messaging, a subset
- 06:18 [dougb]
- soliton's point about loose (versus tight) coupling also appears
- 06:18 [David]
- DaveO Comment: architecture groups often fail because of not solving immediate problems...
- 06:18 [Daniel]
- not equivalent
- 06:18 [TomCarrol]
- DaveO: Past problem.. Trying to consider everything up front.
- 06:18 [soliton]
- agree with Daniel
- 06:19 [Daniel]
- DaveO is talking about the "Big Design Up Front" problem
- 06:19 [Zakim]
- hugo, if you meant to query the queue, please say 'q?'; if you meant to replace the queue, please say 'queue= ...'
- 06:19 [Daniel]
- iteration addresses this
- 06:19 [soliton]
- ok, iterative design
- 06:19 [jeffm]
- I can sort of agree. Except I *think* I can describe/implement everything a "messaging system" does via an RPC system. And vice versa.
- 06:19 [Daniel]
- in an unknown problem domain, BDUF will not work
- 06:20 [soliton]
- that is true jeffm, you can always do anything with 0 and 1
- 06:20 [jeffm]
- ok, ok - Turing machines rule!
- 06:20 [TomCarrol]
- Martin: the real problem is ensuring all the security hooks are in each level
- 06:21 [soliton]
- but the point here is that an extensible messaging is better than strict RPC
- 06:21 [MChapman]
- do all of us on here pass the Turing test :-)
- 06:21 [dougb]
- does Zakim?
- 06:21 [Daniel]
- not me, everyone thinks I am a cold-blooded architectural machine! :)
- 06:21 [Heather]
- but there are some messaging patterns that are hard for rpc to deal with...
- 06:22 [soliton]
- from other people's point of view, we all sound like machines
- 06:22 [Heather]
- multiple output response messages...
- 06:22 [dbooth]
- zakim, do you pass the Turing test?
- 06:22 [Zakim]
- I don't understand your question, dbooth.
- 06:22 [TomCarrol]
- DaveO: Are we going to run the group by taking the union of the group or by taking the intersection of the group? Which will allow for more meaningful work?
- 06:22 [soliton]
- hi, zakim, do you have feeling?
- 06:23 [soliton]
- apparently, zakim fails the test.
- 06:23 [jeffm]
- With "extensible messaging" (isn't all messaging "extensible") there are really only 2 operations (aka RPCs) get(bag of bytes) and send(bag of bytes)
- 06:23 [Heather]
- apparently it does, you have insulted it and it's not talking to you
- 06:23 [dougb]
- zakim, do you have feeling?
- 06:23 [Zakim]
- I don't understand your question, dougb.
- 06:23 [jeffm]
- The system is designed so that essentially get and send never fail.
- 06:24 [TomCarrol]
- DaveO: Are we going to run the group by taking the union of the group or by taking the intersection of the group? Which will allow for more meaningful work?
- 06:24 [Daniel]
- lunchtime...saved by the bell
- 06:24 [jeffm]
- Instead the failure occurs when you try to interpret a bag of bytes that you've never seen before and have no idea what to do with it
- 07:56 [hugo]
- Meeting resumed
- 07:57 [Roger]
- dbooth, take a look at http://www.opencyc.org
- 07:58 [dbooth]
- Roger, here is the TAP site, the project at Stanford that has the demo of a semantic search: http://search.alpiri.com/wsi-bin/flek.wsp/tap?term=boston&method=search&locate=1&btnG=Search
- 07:58 [TomCarrol]
- Review of the Glossary
- 07:59 [Heather]
- ok I'm ready
- 07:59 [Heather]
- anyone else out there remote from the F2F?
- 08:00 [zulah]
- Tom, I can't take notes due to poor connection over here. Will fix and then take over
- 08:01 [Eric]
- I'm remote
- 08:01 [mchampion]
- I'm remote
- 08:01 [Eric]
- I've dialed into the concall number but it says I'm the only one on it
- 08:01 [quit]
- tom, I can take over with notes. Would you like this?
- 08:02 [Heather]
- the phone in the room does not work
- 08:02 [Heather]
- as far as i know there isn't any phone support... just IRC
- 08:02 [TomCarrol]
- AllenBr: The glossary only contains the lexicon and as the document goes forward what structure should the glossary have? where do we draw the boundaries of the document? how are the ilities incorporated into the glossary?
- 08:02 [Heather]
- so we are at their mercy for details...
- 08:02 [Dave]
- zakim, Dave is DaveO
- 08:02 [Zakim]
- sorry, Dave, I do not recognize a party named 'Dave'
- 08:02 [Dave]
- zakim, Dave is known as DaveO
- 08:02 [Zakim]
- I don't understand 'Dave is known as DaveO', Dave. Try /msg Zakim help
- 08:03 [Dave]
- zakim help
- 08:03 [TomCarrol]
- Daniel: are we going to share this glossary with the rest of the web services activity?
- 08:03 [Dave]
- sigh
- 08:04 [dbooth]
- zakim, help
- 08:04 [Zakim]
- Please refer to http://www.w3.org/2001/12/zakim-irc-bot for more detailed help.
- 08:04 [Zakim]
- Some of the commands I know are:
- 08:04 [Zakim]
- xxx is yyy - establish yyy as the name of unknown party xxx
- 08:04 [Zakim]
- if yyy is 'me' or 'I', your nick is substituted
- 08:04 [Zakim]
- xxx may be yyy - establish yyy as possibly the name of unknown party xxx
- 08:04 [Zakim]
- I am xxx - establish your nick as the name of unknown party xxx
- 08:04 [Zakim]
- xxx holds yyy [, zzz ...] - establish xxx as a group name and yyy, etc. as participants within that group
- 08:04 [Zakim]
- xxx also holds yyy - add yyy to the list of participants in group xxx
- 08:04 [Zakim]
- who's here? - lists the participants on the phone
- 08:04 [Zakim]
- who's muted? - lists the participants who are muted
- 08:04 [Zakim]
- mute xxx - mutes party xxx (such that 60# will not work)
- 08:04 [Zakim]
- unmute xxx - reverses the effect of "mute" and of 61#
- 08:04 [Zakim]
- is xxx here? - reports whether a party named like xxx is present
- 08:04 [Zakim]
- list conferences - reports the active conferences
- 08:04 [Zakim]
- this is xxx - associates this channel with conference xxx
- 08:04 [Zakim]
- excuse us - disconnects from the irc channel
- 08:04 [Zakim]
- I last learned something new on $Date: 2002/06/14 12:43:57 $
- 08:04 [Dave]
- zakim, I am DaveO
- 08:04 [Zakim]
- sorry, Dave, I do not see a party named 'DaveO'
- 08:04 [hugo]
- Dave, try /nick DaveO
- 08:05 [TomCarrol]
- Chris: there is no canonical way to organize the glossary?
- 08:05 [mchampion]
- Open the pod bay door, Zakim ... I can't do that Dave, you're planning to unplug me :-)
- 08:05 [DaveO]
- wahoo
- 08:05 [hugo]
- Zakim, only knows about people connected to the phone bridge
- 08:05 [Zakim]
- I don't understand 'only knows about people connected to the phone bridge', hugo. Try /msg Zakim help
- 08:06 [DaveO]
- *double sigh*
- 08:06 [scribe]
- Chris: how self contained is this document (what is the scope of the glossary).
- 08:10 [zulah]
- Tom, would you like me to take over scribing now? I seem to have my connection problems fixed.
- 08:11 [scribe]
- What do we do with terms that have multiple definitions?
- 08:12 [scribe]
- Allen: Each definition must be able to reference the author.
- 08:13 [scribe]
- Joe: Once the term is in the glossary, the term would then be reserved.
- 08:14 [Heather]
- words in dictionaries have multiple meanings in different contexts, wouldn't that be true for glossaries as well?
- 08:14 [scribe]
- Joel: The glossary should have as much detail to clearly identify the definition of the term given its context.
- 08:15 [scribe]
- Chris: a singular glossary provides single reference point for the associated working groups.
- 08:16 [scribe]
- Roger: is the keeping one glossary feasible? given the differences between the working groups.
- 08:16 [Heather]
- i would think it would be feasible and NECESSARY within the web services activity
- 08:17 [scribe]
- DavidB: Multiple definitions are possible and may be necessary. In the multiple def. case the context must be defined.
- 08:17 [Heather]
- agreed
- 08:18 [chris]
- source, context, owner/authorship, multiple definitions allowed, but not preferred
- 08:18 [Roger]
- Heather - look at "Service" in the existing glossary.
- 08:18 [dbooth]
- Another term for "context" is "field of use"
- 08:18 [Heather]
- i'm looking at Service...
- 08:18 [Heather]
- it says 'collection of endpoints'
- 08:18 [Roger]
- There are two.
- 08:19 [scribe]
- Chris: comments on the glossary should go to the list along with additions.
- 08:19 [Heather]
- it would help if this were in alphabetical order
- 08:19 [scribe]
- AllenBr: Please provide sources with your additions.
- 08:20 [Roger]
- Stylesheets are envisaged yielding different organizations.
- 08:20 [dbooth]
- Heather, Allen said he can generate alphabetical in the next pass.
- 08:20 [Heather]
- so there are 3 definitions for service... 2 in that one and 1 on the first page
- 08:21 [Heather]
- thank you allen
- 08:22 [Roger]
- I just thought that they were amazingly different.
- 08:22 [scribe]
- We are now talking about WS security working group
- 08:22 [Heather]
- how are we reviewing the glossary? Term by term?
- 08:23 [scribe]
- chris: How big is the WS security WG? what do we need to see in the group?
- 08:23 [scribe]
- Joe: Lets start with the requirements that we already have.
- 08:24 [scribe]
- Glen: We should be framing the security problem.
- 08:24 [zulah]
- I am scribe
- 08:24 [zulah]
- zakim, I am scribe
- 08:24 [Zakim]
- sorry, zulah, I do not see a party named 'scribe'
- 08:25 [scribe]
- Chris: the question is, do we see a ws working group as the working group that solves world hunger for mankind or a specific targeted focused WG?
- 08:25 [DaveO]
- q+
- 08:25 [scribe]
- Chris: somewhere between the two extremes?
- 08:25 [Daniel]
- q+ daniel
- 08:25 [jeffm]
- q+ jeffm
- 08:25 [Roger]
- q+
- 08:25 [Heather]
- q+ heather
- 08:26 [scribe]
- DaveO: I made a pitch in email about what a rough starting set of requirements would be.
- 08:26 [joe]
- q+
- 08:26 [scribe]
- DaveO: Let's have a security group talk about a framework, details of a trust model, task it with specific technological solutions to authentication, integrity
- 08:26 [scribe]
- DaveO: encryption
- 08:27 [scribe]
- DaveO: knowing that there are others (e.g., Authorization, non repudiation),
- 08:27 [scribe]
- DaveO: This is a starting point pitch
- 08:27 [mchapman]
- q+
- 08:27 [scribe]
- Daniel: Just in terms of the scope the ideas are good. We should confine the scope to not include world hunger. Confine it to security problems specific to WS architecture.
- 08:28 [scribe]
- Daniel: Confine the scope as much as we can. Take advantage of others work
- 08:28 [scribe]
- Chris: Just as a baseline, the WS activity is not chartered to go beyond the bounds of WS
- 08:28 [scribe]
- Chris: So you are saying not world hunger even for web services?
- 08:28 [scribe]
- Daniel: yes
- 08:29 [tomCarrol]
- q+
- 08:29 [scribe]
- JeffM: We have requirements, we should pick a subset of generally useful requirements (relevant subset)
- 08:29 [scribe]
- JeffM: pick pieces and fill in terra incognita. Whatever set of requirements that we choose it must address an end to end case.
- 08:30 [scribe]
- JeffM: it doesn't have to be all cases but one in depth
- 08:30 [scribe]
- Roger: question? is there another axis? On one extreme you make up new languages and syntaxes, on the other there are existing solns. with recommendations on how to put them together.
- 08:30 [scribe]
- Roger: Which is our job?
- 08:30 [DaveO]
- q+
- 08:31 [scribe]
- Chris: In making our recommendation we have the option to propose putting pieces together or additions, changes
- 08:31 [scribe]
- Roger: No, will this group in the process of creating the architecture specify which pieces to make security work (specifically).
- 08:31 [scribe]
- Chris: we cannot dictate soln. We can provide baseline.
- 08:32 [scribe]
- Roger: No, will there be components of security solutions in the architecture?
- 08:32 [Daniel]
- q+ Allen
- 08:33 [scribe]
- Roger: DaveO: Say we decide that we should have a user name/password for authentication then we will say this in architecture and charter.
- 08:33 [scribe]
- DaveO: If a WG tells us that we are wrong, we will fix it in the document.
- 08:33 [scribe]
- Roger: If I am trying to implement WS and I use the arch document, will there be any answers in there for how I implement security?
- 08:34 [scribe]
- Joe: General guidelines but more specific will come from security group.
- 08:34 [scribe]
- Glen: In other words, not really just like we don't say specific things about implementing transactions.
- 08:34 [scribe]
- Chris: But we can provide starting points (e.g., XML digital signatures exists, use it).
- 08:35 [scribe]
- DaveO: What I think is being asked is what is the authority of the arch group in binding things? So if we say use Dig sign. is this authoritative.
- 08:35 [scribe]
- Chris: At best we can influence.
- 08:35 [Daniel]
- Heather you're up
- 08:36 [Heather]
- k
- 08:36 [hugo]
- I think that it depends on how our recommendations are phrased
- 08:36 [Heather]
- I'm a little nervous about giving a new security wg carte blanche to develop a new security framework
- 08:36 [Heather]
- it smacks of architecture groups having baby architecture groups
- 08:37 [Heather]
- should we provide a 'broad framework' as part of our work
- 08:37 [Heather]
- leaving them to figure out how to implement those components w/ existing specs and new specs?
- 08:37 [scribe]
- Joe: Would like to help move the process along by returning to the six items from the requirements doc. 1) authentication, integrity, encryption, 2) authorization, 3) NR, 4) accessibility (DOS), 5) rest of the stuff in CSF and requirements. He suggests that this is the prioritization.
- 08:37 [Heather]
- ok.. thats it
- 08:38 [scribe]
- DaveO: I agree
- 08:38 [tomCarrol]
- +1 on the framework
- 08:39 [Roger]
- Heather, what did you mean by
- 08:39 [jeffm]
- heather, you're stuff is up on the board
- 08:39 [scribe]
- DaveO: I think that heather is getting at the fact that the framework has to have some detail to provide constraints. We are not writing a blank check.
- 08:39 [Roger]
- "OK, that's it".
- 08:39 [jeffm]
- s/you're/your
- 08:39 [chris]
- q?
- 08:39 [chris]
- ack heather, joe
- 08:39 [Heather]
- by 'ok thats it' i meant </Heather>
- 08:39 [scribe]
- Joe: We need to supply detail? Yes because this lends credibility>
- 08:39 [Heather]
- or end of tirade
- 08:39 [Roger]
- Thanx.
- 08:40 [scribe]
- TomC: I was wondering if when we send a WG off to work, are we also going to provide a well defined process for making changes back into the architecture
- 08:40 [tomCarrol]
- Mchapman you're up
- 08:41 [Daniel]
- q+
- 08:41 [scribe]
- Summary: We own framework, set context, but offer a process for feedback into changing the architecture.
- 08:41 [scribe]
- Martin: Question is, when we charter the security group, do we pre-phase them or only charter them for a specific phase?
- 08:42 [tomCarrol]
- q- TomCarrol
- 08:42 [scribe]
- Daniel: this is how SOAP works today.
- 08:42 [scribe]
- Summary: One working group with phasing (or re-chartering for each phase).
- 08:42 [scribe]
- Martin: So what we should be debating is phase 1
- 08:42 [chris]
- ack tomcarrol, mchapman
- 08:43 [Heather]
- +1 for rechartering for phases
- 08:43 [dougb]
- q+
- 08:43 [scribe]
- OIsio: Point of process, needs to be some life after wreck process so that there is some formal manner to make changes.
- 08:43 [chris]
- ack daveo
- 08:44 [scribe]
- DaveO: How convenient. I asked TBL how amenable the director is to us rechartering in mid flight. He said go for it, no blank check but time to market is important. I interpret this as a broad endorsement to get this stuff out there.
- 08:45 [chris]
- ack allen
- 08:45 [scribe]
- DaveO: No change to the process document. It's the willingness of the AC.
- 08:45 [joe]
- q+
- 08:46 [scribe]
- DaveO: Process does not mean that we have to do things slowly
- 08:46 [scribe]
- AllanB: There is another kind of structuring that comes from the overall architecture. You can imagine doing security at the messaging level. You can imagine role security at the orchestration level. These offer a basis for constraining what kinds of things are considered in each phase.
- 08:47 [scribe]
- AllenB: So phase 1 could be messaging security.
- 08:47 [jeffm]
- q+
- 08:47 [chris]
- ack daniel
- 08:47 [scribe]
- Joe: Good point. For his priorities, these can be done in multiple ways: messaging, etc.
- 08:48 [Heather]
- define messaging security for me...
- 08:48 [GlenD]
- security on a per-message basis
- 08:48 [scribe]
- AllenB: So there is more than one dimension to this and we can look at the matrix and determine what we want to fill in.
- 08:48 [GlenD]
- as opposed to securing a channel (ssl)
- 08:49 [chris]
- ack dougb
- 08:49 [Heather]
- could also match phase.... define their phase one in corresspondence with our phase one
- 08:49 [mchapman]
- q+
- 08:49 [GlenD]
- phase-locked groups
- 08:49 [scribe]
- Daniel: following Martin's earlier suggestion that we iterate on phases. We should pick the highest priority problems and ask the security group to address them in the first pass (and so on). Dave has identified the high priority items. We should phase as problem in priority (as opposed to as solutions).
- 08:50 [DaveO]
- I think Allen proposed that there is another aspect of security, that there are the styles of security: message, connection, role based (e.g. for orchestration)
- 08:50 [scribe]
- DougB: Have the security WG recognize the boxes that we provide them mapped to existing standards. Is that our job or some WGs job?
- 08:50 [scribe]
- DaveO: Great.
- 08:51 [scribe]
- DougB: Does the security group recognize existing standards and fill them into boxes or does the arch team do this (clarification)
- 08:51 [chris]
- q?
- 08:51 [scribe]
- DaveO: this came up on the tag. They felt that it was desirable for the arch group to provide details in fleshing out the scope of the box.
- 08:52 [scribe]
- Chris: Again, all we can do is hope to influence.
- 08:52 [scribe]
- Joe: Are we going to do the threat model in WSA or by the new WG?
- 08:53 [dougb]
- higher level question Joe and I are getting at: Are we writing the security portions of our architecture document (referencing existing standards and the threat model) or is the Security WG doing that?
- 08:54 [scribe]
- Chris: The order of the requirements document did not imply that we had prioritized.
- 08:54 [Heather]
- if we are going to lay out the high level framework and boxes, we may have do some level of threat model
- 08:54 [chris]
- ack joe
- 08:54 [chris]
- ack jeffm
- 08:55 [scribe]
- JeffM: As part of this discussion, will we consider the end to end case. Pick a couple of scenarios as examples and do the analysis so that we scope this by end-to-end for specific technologies as opposed to just stating messaging security.
- 08:55 [scribe]
- Chris: Did you mean use cases?
- 08:55 [scribe]
- JeffM: yes, the high level ones.
- 08:55 [DaveO]
- lol
- 08:56 [chris]
- ack mchapman
- 08:56 [Daniel]
- Dave loved that :)O
- 08:56 [Heather]
- :-)
- 08:56 [scribe]
- martin: even though we work at the same company ;) I want to really support this. Working solutions are important...
- 08:57 [scribe]
- Chris: in our current scenarios we describe stack type stuff. Are you going vertical or horizontal?
- 08:57 [Daniel]
- Dave and I used to be friends! that was back in XML-CORE days tho
- 08:57 [Daniel]
- LOL
- 08:57 [scribe]
- Martin: All the way down and then back up again.
- 08:58 [scribe]
- Jeffm: When some people think end-to-end they think multiple hops, routing, etc. and that's not what I mean. What I mean is that whatever use case we pick, we do it end-to-end.
- 08:58 [scribe]
- Chris: Do we care about multiple hops or is this phase 2?
- 08:59 [scribe]
- Martin: What is multiple hopS?
- 08:59 [DaveO]
- It was the large trout aspect, not so much the recipient ;-). I do prefer salmon, but I'm from the west coast of Canada...
- 08:59 [DaveO]
- q+
- 08:59 [scribe]
- Martin: My point is that I want to see a full working solution between client and server as opposed to chunks of security that don't fit together.
- 08:59 [Heather]
- security info propagation is going to be an immediate problem...
- 08:59 [Heather]
- +1 to martin
- 09:00 [scribe]
- DaveO: suggestion to deal with this is to do a use case and some usage scenarios that treat particular aspects of the end-to-end.
- 09:01 [dougb]
- +1 to DaveO, subject seems to depend upon use case chosen to frame security WG / also appreciate Martin's extreme programming (extreme architecture?), continuously working process.
- 09:02 [maa-in]
- + extreme UML :-)
- 09:02 [Daniel]
- it's nothing to do with extreme anything, it's basic UP iteration
- 09:02 [scribe]
- Chris: Here's what I hear: Not boiling the ocean. Targeted. We have suggestions for different approaches or synergistic approaches for how we might determine prioritization. I sense a strong level of rough agreement as to end-to-end solutions. We have a notion of phases. that we start something off and it evolves. We may need overlap of working groups due to market forces.
- 09:03 [tomCarrol]
- To be complete would we not need a complete set of use cases that describe a web service and use those for the context of the security WG??
- 09:03 [scribe]
- chris: break at 3:30. Afternoon for use cases. Right now, could we given this ... pick a prioritized subset of Joe's and Allen's suggestions for a phase 1 charter? Can we do that now?
- 09:03 [scribe]
- DaveO: We have at least one use case already - Hugo wrote it. Why don't we look at it and work the process?
- 09:04 [scribe]
- martin: Let's narrow the use case for security aspects.
- 09:05 [scribe]
- Chris: We have Joe's onion, let's focus on the core of the onion. and thinking about phase 1 only.
- 09:05 [tomCarrol]
- Would we want to narrow the use case or would that be delegated to the security WG
- 09:05 [scribe]
- Chris: How do we want to break up?
- 09:05 [scribe]
- Daniel: want to tackle high priority stuff.
- 09:06 [scribe]
- Roger: You could also (in parallel?) tackle the EDI use case
- 09:06 [scribe]
- Chris: Of #1 (auth, integrity, confidentiality), what would go into a phase 2?
- 09:06 [scribe]
- Joe: It is useless to do integrity and confidentiality alone.
- 09:07 [scribe]
- Chris: So is #1 too broad, do we want to further narrow it?
- 09:07 [Daniel]
- q+
- 09:07 [DaveO]
- q-
- 09:08 [scribe]
- Daniel: Maybe there is some low hanging fruit here because a great deal of work has been done on some of this (e.g., auth and authorization).
- 09:09 [chris]
- ack daniel
- 09:09 [scribe]
- DaveO: The solutions and how they deal with XML and the web have not been around. We are just starting to see first proposals on some of these.
- 09:10 [scribe]
- Joe: More critical problem for XML encryption is key distribution. All we have talked about is message level security but channel level security has been around and that's low hanging fruit.
- 09:11 [scribe]
- Daniel: I would rather talk about problems than solutions.
- 09:11 [scribe]
- DaveO: but solutions introduce problems. So which of the new problems do we wish to tackle.
- 09:12 [scribe]
- DaveO: the process model one is really interesting. This has come up with XML. Can or should an author be able to indicate the steps a recipient should do with a particular message...
- 09:12 [scribe]
- DaveO: default processing model, explicit one... clearly in WS we have the same issue. How does a receiver specify the processing model that it will publish to the world.
- 09:13 [Daniel]
- do we think we want to adopt/specify a particular processing model?
- 09:13 [scribe]
- DaveO: e.g., i will do integrity checks after confidentiality. So sender must invert this. Security clearly introduces a processing model. We should stay away from tackling this right up front ("there be dragons").
- 09:14 [scribe]
- Joe: true for message based but channel based already solved.
- 09:14 [scribe]
- DaveO: Missed point, the order that you do things is either the canonical order or you have to publish processing order.
- 09:15 [scribe]
- Chris: Okay, how are we going to divide up this work?
- 09:15 [scribe]
- DaveO: suggest taking hugo's use case and then breaking it up around 3 scenarios (auth, integrity, and confidentiality).
- 09:15 [scribe]
- Chris: Hugo, do you want to walk us through the use case?
- 09:16 [hugo]
- Travel agent use case: http://www.w3.org/2002/06/ws-example.html
- 09:17 [scribe]
- Chris: 15- 20 break...
- 09:18 [Heather]
- whew!
- 09:44 [scribe]
- Hugo: Will present travel agent use case.
- 09:44 [scribe]
- Hugo: There is a customer that wants to use travel agents service to book vacation package. Travel agent service will use hotel and airline, credit card co. web services.
- 09:45 [scribe]
- Hugo: I divided the use case into 4 usage scenarios. which are basically the steps that the whole thing will go through to book the vacation package.
- 09:45 [scribe]
- Hugo: Of course I made simplifications - security is not considered at all.
- 09:45 [scribe]
- Hugo: If you want to go step by step, it's complicated.
- 09:46 [scribe]
- Roger: Wants to quibble. In talking to people who wanted to use web services. When dealing with credit card service, you are dealing with something that is already firmly in place and is not going to change.
- 09:46 [scribe]
- Martin: So there are definitely actors, either people or external systems.
- 09:46 [scribe]
- Roger: My point is that it is unlikely that these will operate as ws in the near future.
- 09:47 [scribe]
- DaveO: Point is what things would look like using ws technology.
- 09:47 [scribe]
- Roger: make this point because if you are prioritizing, some legs of a use case are unlikely to change in the near future so they are low priority.
- 09:48 [scribe]
- Hugo: Even though parts of the use case won't be used for a very long time, they are still illustrative.
- 09:49 [scribe]
- Hugo: User requests travel for some travel dates. Hugo has a complex diagram for this in his document. The customer provides the travel agent some travel dates and the service discovers airlines and then gets descriptions of how to interact with those. So the ontology thing means that the descriptions made sense to everyone (magic).
- 09:50 [scribe]
- Hugo: So queries are made, results are returned, merged and sent to the customer. The customer chooses and the travel agent service books the flight.
- 09:50 [scribe]
- Hugo: Then moves to the hotel reservation (which works much like the airline situation).
- 09:52 [scribe]
- Hugo: From here, (purple stuff), when consumer books hotel, the travel service gives the customer payment options. The travel agent service interfaces with the credit company to get a guarantee of payment.
- 09:54 [scribe]
- Hugo: At this point (Next diagram), the travel company has confirmation and then books the hotel with the credit information. Travel agent company creates vacation package and bill.
- 09:55 [scribe]
- Hugo: Security wise, there is confidentiality, credit card company stuff (certificates and guarantee) - identity, encryption for credit card number.
- 09:55 [scribe]
- Joe: Integrity would come into play since you don't want someone to change your data (london to paris) in transit. Authorization as well.
- 09:56 [scribe]
- Roger: We have a system in our company that works exactly like this today. If we want to make this realistic, we could determine exactly how these work. There are all sorts of elaboration that happen in reality. For example people doing travel on behalf of another person.
- 09:57 [scribe]
- DaveO: this is a great start. There are issues of communication, QOS, Orchestration, etc. I love the travel service kind of use case.
- 09:57 [jeffm]
- +1
- 09:57 [scribe]
- Joe: You can build this up. So you could add NR, etc.
- 09:57 [jeffm]
- jeffm: +1
- 09:57 [scribe]
- Martin: So, what's the end-to-end minimal thing that we need to do to make this secure. The customer looks up something and books, how do we make this minimally secure.
- 09:58 [scribe]
- JeffM: Instead of taking the whole thing as an end-to-end we could take "little t" transactions and deal with each.
- 09:59 [scribe]
- Jeffm: security group might be chartered for little enchilada as opposed to the whole thing (presumably staging).
- 09:59 [scribe]
- Roger: The ordering has to do with what gets done first and what is needed first. There are portions of this that are cast in stone (the real world). Some of the example doesn't need to be dealt with in the near future.
- 10:00 [scribe]
- TomC: I tend to agree with the Oracle crowd. At a certain level of abstraction, in order to identify the meaningful parts for a security WG we have to get to lower level parts of the use case.
- 10:01 [scribe]
- Jeffm: explicitly not trying to determine which things have to be done first.
- 10:02 [jeffm]
- To clarify: I'm suggesting that what is done first is the end-to-end security for the entire steel thread(s).
- 10:02 [scribe]
- Chris: So if I want to pull this apart: How do we know that its hugo, integrity, confidentiality,
- 10:03 [tomCarrol]
- q+
- 10:03 [maa-in]
- q+
- 10:03 [Roger]
- q+
- 10:03 [scribe]
- Thanks Jeff ;)
- 10:03 [chris]
- ack tom
- 10:04 [chris]
- q?
- 10:04 [DaveO]
- q+
- 10:04 [jeffm]
- Clarify(cont): The prioritization task is picking the "right set" of steel threads to scope the first phase.
- 10:05 [scribe]
- Tom: familiar with the eprocurement scenario. You have to look at the small use cases one at a time. That is you don't get to pull the security areas out one at a time (integrity, authorization, etc.). Must find pertinent use cases in order to define a domain.
- 10:05 [scribe]
- martin: You didn't mention authorization or permissions.
- 10:05 [scribe]
- Chris: They are all there.
- 10:07 [scribe]
- Chris: Key point is getting to the point that roger was making, we could do all of the security things (1-5) or...
- 10:07 [Martin]
- q+
- 10:07 [tomCarrol]
- q+
- 10:08 [scribe]
- Chris: we could do them all, we can parallelize based on specific aspects. In terms of encryption where you have only a credit card number, did you really need XML encryption?
- 10:08 [scribe]
- Joe: You could do this two ways (SSL is option).
- 10:09 [scribe]
- Chris: Integrity is fundamental (due to multiple), authentication is fundamental, and confidentiality. can we focus on just these three.
- 10:10 [chris]
- ack maa
- 10:10 [scribe]
- Martin: The scenario has to touch on all of them otherwise you will miss something. The steel thread must address all points.
- 10:10 [hugo]
- q+
- 10:10 [scribe]
- Joe: This is what he was referring earlier to the minimal set.
- 10:10 [chris]
- ack roger
- 10:11 [scribe]
- Roger: Does not like the use case because he doesn't see the business driver.
- 10:11 [scribe]
- Roger: sees apples and oranges of existing systems of different types. He really wants to show the EDI use case because it is different and the business drivers are clearly displayed.
- 10:11 [joe]
- q+
- 10:11 [chris]
- ack daveo
- 10:13 [scribe]
- DaveO: In terms of the break up, another way to tease out requirements is to look at what is going on in terms of the channel (e.g., email). So this type of variability might be another way to go in terms of structuring this.
- 10:13 [chris]
- ack martin
- 10:13 [scribe]
- Martin: This use case represents 80% of what the web is used for.
- 10:13 [chris]
- q+ jeffm
- 10:13 [chris]
- ack tom
- 10:15 [scribe]
- TomC: On rogers point, views the use case as an abstraction (that is that you can abstract out the business portion - the travel agent). The trust model varies based on what side of the travel agent service I belong to. I have trust with suppliers that is completely different that with the general public. So security may be completely different and require completely different technical implementations.
- 10:15 [chris]
- ack hugo
- 10:15 [scribe]
- Hugo: Martin said that we should have a look at everything rather than limiting to the 3. If we have a look at everything, everything will be large (e.g., privacy).
- 10:16 [chris]
- ack joe
- 10:17 [scribe]
- Joe: Responds to Roger's use case comment. Can cover all of the security aspects with buying a book from Amazon.com. The EDI use case could be different because it is intranet.
- 10:17 [scribe]
- Roger: Not intranet, its an internet example!
- 10:17 [GlenD]
- q+
- 10:17 [DaveO]
- q+
- 10:18 [chris]
- ack jeffm
- 10:18 [scribe]
- Glend: two tiny comments. Regardless of whether the use case is connected to reality, it is still a useful scenario. Can we ask Roger to do a short description of his use case.
- 10:19 [chris]
- ack glend
- 10:19 [chris]
- q close
- 10:19 [scribe]
- Roger: EDI like interaction between big and small company to purchase widgets it is interesting because small company has different capabilities and security aspects and guts happens when things go wrong.
- 10:20 [dbooth]
- q?
- 10:20 [chris]
- ack daveo
- 10:20 [scribe]
- Mike: How does this use case differ from the travel agent?
- 10:20 [chris]
- ignore q
- 10:20 [scribe]
- Roger: Assumption here is that you have trusted partners.
- 10:20 [Martin]
- q martin
- 10:20 [Martin]
- q+
- 10:20 [chris]
- zakim, ignore q
- 10:21 [Zakim]
- I don't understand 'ignore q', chris. Try /msg Zakim help
- 10:21 [chris]
- zakim, ignore queue
- 10:21 [Zakim]
- ok, chris, I will ignore the speaker queue
- 10:21 [Martin]
- +q
- 10:21 [jeffm]
- +q
- 10:21 [scribe]
- DaveO: I have built SOAP systems doing exactly this. If you take how vendors talk about ws. IBM developer site is example. They use travel, others use this example. This is a canonical example for doing WS.
- 10:21 [dbooth]
- q+ jeffm
- 10:21 [jeffm]
- jeffm wonders where chris is
- 10:22 [scribe]
- chris: we don't have time to do the break outs. Suggests that we let Roger present his use case for 5-10 minutes.
- 10:24 [scribe]
- Roger: I talked to our EDI people about what they actually do and how they would be interested in using web services and here's the scenario. You have a big company trying to buy widgets from a small mom and pop co with a big technology difference. We actually want to do this.
- 10:25 [scribe]
- Roger: Actors: Engineer, business analyst, lots of people. mom and pop and uncle on weekends.
- 10:26 [scribe]
- Roger: Request for purchase, purchase order, request for invoice, purchase, payment.
- 10:26 [hugo]
- EDI use case: http://lists.w3.org/Archives/Public/www-ws-arch/2002May/att-0323/02-WS-EDI_Use_Case.htm
- 10:27 [scribe]
- Roger: Focus is technical infrastructure not the business process. Payments are explicitly out of scope. Because banks have their own processes.
- 10:27 [scribe]
- Roger: This is how process works when it works. This is less interesting than when it doesn't. He has a list of requirements, check the use case for details. It is required that messages are ordered and identified with unique ID but not sequenced.
- 10:28 [scribe]
- Roger: Security problem: NR, accessibility, authentication. NR is a lower level than NR but higher than auditing because it is a trusted business partner. No one is going to court over a failure. You just need some way to determine what happened.
- 10:29 [scribe]
- Roger: So you need to reconciliate. So, the problems in the process are the real meat. This is where people spend their time. Transaction log mismatch. At the end of each month the big co will send a list of messages received to small co. The response is checked against the back office to see if there is message agreement.
- 10:30 [dbooth]
- q+
- 10:30 [dbooth]
- q-
- 10:30 [scribe]
- Roger: Second scenario is that small co thinks that they weren't paid. (incorrectly). They didn't get a payment advice(?). So they got paid but they don't know it.
- 10:31 [scribe]
- Roger: Big purchasing department ... big co sends copies of purchase information to little co, and then little co matches and determines that they were paid.
- 10:31 [scribe]
- Roger: Finally, example where small co gets paid and this is similar to former.
- 10:31 [chris]
- zakim, track queue
- 10:31 [Zakim]
- ok, chris, I will track the speaker queue
- 10:31 [tomCarrol]
- q+
- 10:31 [scribe]
- Roger: Real important thing is to be able to determine what happened in the past.
- 10:31 [GlenD]
- q+
- 10:32 [scribe]
- Martin: This type of scenario is invaluable. Some things are not in the scope of web services. A lot of the use case is human use case.
- 10:33 [scribe]
- Roger: I disagree. Differentiates (human from machine) based on log information needed vs. actual reconciliation.
- 10:33 [scribe]
- Martin: What extra do we need to do to be able to prove that a payment was made (for example).
- 10:33 [chris]
- ack martin
- 10:34 [scribe]
- Roger: It is important that there is an agreed upon method for identifying messages (in time).
- 10:34 [chris]
- ack tom
- 10:34 [scribe]
- Roger: A standard query for getting digest of messages would be great.
- 10:35 [scribe]
- TomC: Looks at the abstraction. The activity being performed is ... missed it
- 10:35 [dbooth]
- Hmm, it sounds like he's talking about "unambiguously identifying things". Sounds a lot like URIs to me!
- 10:35 [chris]
- ack tom
- 10:36 [scribe]
- JeffM: If the requirement is to have a logging service, and the service has to support a DB query service then that is all that you need to say - that's a solution to the problem.
- 10:36 [chris]
- ack glen
- 10:36 [tomCarrol]
- q+
- 10:36 [scribe]
- JeffM: doesn't see how the use case adds more to security.
- 10:36 [scribe]
- Roger: I think that it is significant that the financial transactions are out of scope.
- 10:37 [Heather]
- why are the financial transactions out of scope?
- 10:37 [chris]
- q+ jeffm
- 10:38 [chris]
- q+ zulah
- 10:38 [dboo-scri]
- GlenD: There are lots of scenarios. I suggest we do something to move forward. We've chosen to drill through a use case. We'll do (1) vote for one of these use cases; or (2) tonight you guys can combine them.
- 10:38 [dboo-scri]
- Roger: Or we could split and do both.
- 10:38 [DaveO]
- q+
- 10:39 [dboo-scri]
- Heather: why are the financial transactions out of scope?
- 10:39 [dboo-scri]
- Roger: Because EDI people told me they weren't interested in it.
- 10:39 [dboo-scri]
- s/EDI/my EDI/
- 10:39 [Heather]
- why?
- 10:39 [Heather]
- is there no interest from the financial industry to move to web services?
- 10:40 [dboo-scri]
- Roger: Because it's done through the banks and the banks worry about it.
- 10:40 [chris]
- because it gets handled by banks with lots of magical incantations
- 10:40 [jeffm]
- roger says because his EDI people told him they didn't need to worry about it
- 10:40 [chris]
- ack tom
- 10:40 [chris]
- ack jeffm
- 10:41 [jeffm]
- +q
- 10:41 [dboo-scri]
- Tom: I think EDI has a lot of implementation issues. Reconciliation is tied to one side or the other -- not the technology.
- 10:41 [dougb]
- q+
- 10:41 [dboo-scri]
- Roger: There's a fine line btwn business side and tech side.
- 10:42 [dboo-scri]
- JeffM: We have two proposals for scenarios. Do we need to choose? Talk more?
- 10:42 [DaveO]
- q-
- 10:42 [dboo-scri]
- Roger: If we have to choose, I prefer Hugo's, because it covers more of the arch.
- 10:43 [tomCarrol]
- q+
- 10:43 [dboo-scri]
- Doug: Hugo's use case is a superset of Roger's. At some point the main WS will order something from the hotel.
- 10:43 [chris]
- ack all
- 10:43 [chris]
- zakim, ignore queue
- 10:43 [Zakim]
- ok, chris, I will ignore the speaker queue
- 10:44 [dboo-scri]
- Tom: We're making assumptions about Hugo's scenario. Until you refine those smaller use cases, you'll never know.
- 10:44 [dboo-scri]
- ... There are a lot of assumptions about what's going on.
- 10:44 [dboo-scri]
- Joe: I agree.
- 10:46 [dboo-scri]
- Chris: Straw poll: Should we tackle both use cases or only one?
- 10:46 [dboo-scri]
- (Result of poll was roughly equal)
- 10:47 [tomCarrol]
- q+
- 10:47 [Heather]
- just travel
- 10:47 [chris]
- what are you doing in rahliegh?
- 10:47 [DaveO]
- q+
- 10:47 [chris]
- cant spell
- 10:47 [jeffm]
- q+
- 10:48 [Heather]
- are you going to break out?
- 10:48 [GlenD]
- q+
- 10:48 [zulah]
- Not today we aren't
- 10:48 [dboo-scri]
- Tom: If we decide to split up based on various aspects of security, then we'll get more benefit out of looking at only one case.
- 10:48 [soliton]
- hi, Zula and Heather,
- 10:48 [soliton]
- are we still doing the reliability meeting?
- 10:49 [Martin]
- q+
- 10:49 [dboo-scri]
- GlenD: You'll never get all the way to the bottom.
- 10:49 [zulah]
- Are we? I'm tired and would like to be out of here at 5:30-6ish.
- 10:49 [DaveO]
- q?
- 10:49 [Heather]
- soliton, sure
- 10:49 [Daniel]
- no luck, it's use cases all the way down
- 10:49 [Heather]
- but, i admit to being tired as well
- 10:49 [dboo-scri]
- DBooth: Could they be adequately combined?
- 10:49 [zulah]
- Okay, then, can we make it short and depending on whether or not this completes?
- 10:49 [dboo-scri]
- Roger: I don't think so.
- 10:50 [dboo-scri]
- Chris: Straw poll: Who votes for Hugo's versus Roger's?
- 10:50 [dboo-scri]
- (Result: Unanimous for Hugo's)
- 10:50 [Heather]
- heather votes for hugo's too
- 10:50 [soliton]
- ok, if this meeting does not drag too long.
- 10:51 [DaveO]
- q?
- 10:51 [dboo-scri]
- Chris: So I'd like to break up and look end-to-end at these various security aspects by breaking into groups.
- 10:51 [dboo-scri]
- ... People should look at Hugo's use case and scenarios, such as HTTP.
- 10:51 [dboo-scri]
- GlenD: What will be the end result?
- 10:52 [dboo-scri]
- Chris: Do we have the right usage scenarios? Do they articulate the security constraints? Do they identify where we need to fill in the gaps? I'd like to see that.
- 10:52 [dboo-scri]
- ... So we can use that for the end of tomorrow morning, for prioritization.
- 10:53 [dboo-scri]
- Roger: I suggest we make one of the hotels be a small B&B.
- 10:53 [dboo-scri]
- Others: good idea.
- 10:54 [dboo-scri]
- GlenD: We should leave the choice of particular implementations up to the groups doing them.
- 10:54 [dboo-scri]
- ... The MEP matters if you do channel level security, but for authorization it doesn't.
- 10:54 [dboo-scri]
- ... Any implementation detail should be left to the group doing it.
- 10:55 [dboo-scri]
- Chris: But I want enough info out of this for valid usage scenarios to charter new WGs.
- 10:56 [dboo-scri]
- GlenD: But depending on the implementation decisions, the security issues can change very much. Therefore I want to leave it to the groups doing it.
- 10:56 [dboo-scri]
- Joe: As long as we cover all of the security aspects I'll know if the solution is ok.
- 10:57 [dboo-scri]
- GlenD: There may be times that you'd need to posit "now we're using HTTP".
- 10:58 [dboo-scri]
- Chris: So tomorrow, Martin will lead one group, GlenD another, DaveO another.
- 11:00 [dboo-scri]
- Chris: Martin does Authentication, GlenD does Integrity, DaveO does Confidentiality.
- 11:00 [dboo-scri]
- MarkB: Is there something for a third party trust relationship?
- 11:02 [dboo-scri]
- Chris: We're focusing on a phased approach for chartering WGs. Objective is to ID the scope of the 1st phase WGs.
- 11:02 [dboo-scri]
- MarkB: At what point would that be addressed?
- 11:02 [dboo-scri]
- Chris: We have until mid July.
- 11:03 [dboo-scri]
- ... We should come up with 6 bullet items that you might see in a charter.
- 11:03 [dboo-scri]
- MarkB: I think we need to address the a priori interface for the 3rd party case.
- 11:04 [dboo-scri]
- DaveO: There are at least 3 scenarios: #63, 64, 61, 62.
- 11:04 [chris]
- s63 authn, s64 integrity, s61& s62 confidentiality
- 11:05 [dboo-scri]
- ... Those point to solutions, but they identify the things.
- 11:05 [dboo-scri]
- ... But this would be the place to plunk our results.
- 11:05 [dboo-scri]
- MarkB: I can bring up my case in that context.
- 11:05 [Daniel]
- take care all
- 11:06 [dboo-scri]
- [Meeting adjourned]
- 11:06 [soliton]
- ok, zula and Heather, we have a quick one on reliability
- 11:06 [soliton]
- anyone else ?
- 11:06 [zulah]
- Break quickly and then I suggest we take up AC007.
- 11:07 [soliton]
- agree
- 11:07 [soliton]
- 5 minutes.
- 11:07 [Heather]
- ok
- 11:10 [soliton]
- anyone else from the Reliability task force?
- 11:11 [Heather]
- im here
- 11:40:01 [RRSAgent]
- RRSAgent has joined #ws-arch
- 11:47:51 [mikem]
- mikem has joined #ws-arch
- 11:51:48 [Eric]
- Eric has joined #ws-arch
- 11:52:48 [MChapman]
- just about to begin again
- 11:54:00 [hugo]
- TAP demo: http://tap.stanford.edu/cgi-bin/w3csearch.pl?q=eric+miller&sitesearch=w3.org
- 11:54:15 [quit]
- quit has joined #ws-arch
- 11:54:41 [quit]
- quit has left #ws-arch
- 11:55:06 [zulah]
- zulah has joined #ws-arch
- 11:57:49 [dougb]
- dougb has joined #ws-arch
- 11:58:02 [chris]
- chris has joined #ws-arch
- 11:58:56 [shishir]
- shishir has joined #ws-arch
- 11:59:12 [hugo]
- Meeting resumed
- 11:59:22 [jdmunter]
- jdmunter has joined #ws-arch
- 11:59:34 [jeffm]
- jeffm has joined #WS-Arch
- 11:59:50 [dbooth]
- dbooth has joined #ws-arch
- 12:00:32 [Roger]
- dbooth, take a look at http://www.opencyc.org
- 12:00:52 [dbooth]
- Roger, here is the TAP site, the project at Stanford that has the demo of a semantic search: http://search.alpiri.com/wsi-bin/flek.wsp/tap?term=boston&method=search&locate=1&btnG=Search
- 12:01:19 [TomCarrol]
- Review of the Glossary
- 12:02:24 [Heather]
- ok I'm ready
- 12:02:32 [zulah]
- zulah has joined #ws-arch
- 12:02:33 [Heather]
- anyone else out there remote from the F2F?
- 12:03:03 [zulah]
- Tom, I can't take notes due to poor connection over here. Will fix and then take over
- 12:03:49 [quit]
- quit has joined #ws-arch
- 12:03:52 [Eric]
- I'm remote
- 12:03:56 [mchampion]
- I'm remote
- 12:04:33 [Eric]
- I've dialed into the concall number but it says I'm the only one on it
- 12:04:34 [quit]
- tom, I can take over with notes. WOuld you like this?
- 12:04:43 [Dave]
- Dave has joined #ws-arch
- 12:04:59 [Heather]
- the phone in the room does not work
- 12:05:06 [quit]
- quit has left #ws-arch
- 12:05:10 [Heather]
- as far as i know there isn't any phone support... just IRC
- 12:05:13 [TomCarrol]
- AllenBr: The glossary only contains the lexicon and as the document goes forward what structure should the glossary have? Where do we draw the boundaries of the document? How are the ilities incorporated into the glossary?
- 12:05:23 [zulah]
- zulah has joined #ws-arch
- 12:05:27 [Heather]
- so we are at their mercy for details...
- 12:05:28 [Dave]
- zakim, Dave is DaveO
- 12:05:29 [Zakim]
- sorry, Dave, I do not recognize a party named 'Dave'
- 12:05:39 [Dave]
- zakim, Dave is known as DaveO
- 12:05:40 [Zakim]
- I don't understand 'Dave is known as DaveO', Dave. Try /msg Zakim help
- 12:06:07 [Dave]
- zakim help
- 12:06:07 [TomCarrol]
- Daniel: are we going to share this glossary with the rest of the web services activity?
- 12:06:20 [Dave]
- sigh
- 12:06:45 [dbooth]
- zakim, help
- 12:06:46 [Zakim]
- Please refer to http://www.w3.org/2001/12/zakim-irc-bot for more detailed help.
- 12:06:47 [Zakim]
- Some of the commands I know are:
- 12:06:48 [Zakim]
- xxx is yyy - establish yyy as the name of unknown party xxx
- 12:06:51 [Zakim]
- if yyy is 'me' or 'I', your nick is substituted
- 12:06:52 [Zakim]
- xxx may be yyy - establish yyy as possibly the name of unknown party xxx
- 12:06:54 [Zakim]
- I am xxx - establish your nick as the name of unknown party xxx
- 12:06:56 [Zakim]
- xxx holds yyy [, zzz ...] - establish xxx as a group name and yyy, etc. as participants within that group
- 12:06:58 [Zakim]
- xxx also holds yyy - add yyy to the list of participants in group xxx
- 12:07:01 [Zakim]
- who's here? - lists the participants on the phone
- 12:07:02 [Zakim]
- who's muted? - lists the participants who are muted
- 12:07:04 [Zakim]
- mute xxx - mutes party xxx (such that 60# will not work)
- 12:07:06 [Zakim]
- unmute xxx - reverses the effect of "mute" and of 61#
- 12:07:08 [Zakim]
- is xxx here? - reports whether a party named like xxx is present
- 12:07:10 [Zakim]
- list conferences - reports the active conferences
- 12:07:11 [Zakim]
- this is xxx - associates this channel with conference xxx
- 12:07:12 [Zakim]
- excuse us - disconnects from the irc channel
- 12:07:13 [Zakim]
- I last learned something new on $Date: 2002/06/10 13:18:51 $
- 12:07:27 [Dave]
- zakim, I am DaveO
- 12:07:28 [Zakim]
- sorry, Dave, I do not see a party named 'DaveO'
- 12:07:42 [hugo]
- Dave, try /nick DaveO
- 12:07:48 [TomCarrol]
- Chris: there is no canonical way to organize the glossary?
- 12:07:54 [mchampion]
- Open the pod bay door, Zakim ... I can't do that Dave, you're planning to unplug me :-)
- 12:08:03 [DaveO]
- wahoo
- 12:08:25 [hugo]
- Zakim, only knows about people connected to the phone bridge
- 12:08:26 [Zakim]
- I don't understand 'only knows about people connected to the phone bridge', hugo. Try /msg Zakim help
- 12:08:48 [DaveO]
- *double sigh*
- 12:09:41 [scribe]
- Chris: how self contained is this document (what is the scope of the glossary).
- 12:10:09 [cgi-irc]
- cgi-irc has joined #ws-arch
- 12:13:09 [zulah]
- Tom, would you like me to take over scribing now? I seem to have my connect problems fixed.
- 12:13:22 [omh]
- omh has joined #ws-arch
- 12:14:29 [scribe]
- What do we do with terms that have multiple definitions?
- 12:15:01 [scribe]
- Allen: Each definition must be able to reference the author.
- 12:16:27 [scribe]
- Joe: Once the term is in the glossary, the term would then be reserved.
- 12:17:18 [Heather]
- words in dictionaries have multiple meanings in different contexts, wouldn't that be true for glossaries as well?
- 12:17:27 [scribe]
- Joel: The glossary should have as much detail to clearly identify the definition of the term given its context.
- 12:18:34 [scribe]
- Chris: a singular glossary provides single reference point for the associated working groups.
- 12:19:23 [scribe]
- Roger: is keeping one glossary feasible, given the differences between the working groups?
- 12:19:43 [Heather]
- i would think it would be feasible and NECESSARY within the web services activity
- 12:20:20 [scribe]
- DavidB: Multiple definitions are possible and may be necessary. In the multiple def. case the context must be defined.
- 12:20:36 [Heather]
- agreed
- 12:20:47 [chris]
- source, context, owner/authorship, multiple definitions allowed, but not preferred
- 12:20:59 [Roger]
- Heather - look at "Service" in the existing glossary.
- 12:21:17 [dbooth]
- Another term for "context" is "field of use"
- 12:21:30 [Heather]
- i'm looking at Service...
- 12:21:37 [Heather]
- it says 'collection of endpoints'
- 12:21:41 [Roger]
- There are two.
- 12:22:13 [scribe]
- Chris: comments on the glossary should go to the list along with additions.
- 12:22:37 [Heather]
- it would help if this were in alphabetical order
- 12:22:43 [scribe]
- AllenBr: Please provide sources with your additions.
- 12:23:11 [Roger]
- Stylesheets are envisaged yielding different organizations.
- 12:23:15 [dbooth]
- Heather, Allen said he can generate alphabetical in the next pass.
- 12:23:27 [JensM]
- JensM has joined #ws-arch
- 12:23:36 [Heather]
- so there are 3 definitions for service... 2 in that one and 1 on the first page
- 12:23:53 [Heather]
- thank you allen
- 12:25:14 [Roger]
- I just thought that they were amazingly different.
- 12:25:15 [scribe]
- We are now talking about WS security working group
- 12:25:29 [Heather]
- how are we reviewing the glossary? Term by term?
- 12:26:01 [scribe]
- chris: How big is the WS security WG? what do we need to see in the group?
- 12:26:21 [scribe]
- Joe: Lets start with the requirements that we already have.
- 12:26:48 [scribe]
- Glen: We should be framing the security problem.
- 12:27:05 [zulah]
- I am scribe
- 12:27:15 [zulah]
- zakim, I am scribe
- 12:27:17 [Zakim]
- sorry, zulah, I do not see a party named 'scribe'
- 12:28:06 [scribe]
- Chris: the question is, do we see a ws working group as the working group that solves world hunger for mankind or a specific targeted focused WG?
- 12:28:20 [DaveO]
- q+
- 12:28:21 [scribe]
- Chris: somewhere between the two extremes?
- 12:28:23 [Daniel]
- q+ daniel
- 12:28:29 [jeffm]
- q+ jeffm
- 12:28:29 [Roger]
- q+
- 12:28:36 [Heather]
- q+ heather
- 12:28:49 [scribe]
- DaveO: I made a pitch in email about what a rough starting set of requirements would be.
- 12:29:09 [joe]
- q+
- 12:29:26 [scribe]
- DaveO: Let's have a security group talk about a framework, details of a trust model, task it with specific technological solutions to authentication, integrity
- 12:29:35 [scribe]
- DaveO: encryption
- 12:29:57 [scribe]
- DaveO: knowing that there are others (e.g., Authorization, non repudiation),
- 12:30:13 [scribe]
- DaveO: This is a starting point pitch
- 12:30:19 [mchapman]
- q+
- 12:30:40 [scribe]
- Daniel: Just in terms of the scope the ideas are good. We should confine the scope to not include world hunger. Confine it to security problems specific to WS architecture.
- 12:30:59 [scribe]
- Daniel: Confine the scope as much as we can. Take advantage of others work
- 12:31:14 [scribe]
- Chris: Just as a baseline, the WS activity is not chartered to go beyond the bounds of WS
- 12:31:32 [scribe]
- Chris: So you are saying not world hunger even for web services?
- 12:31:36 [scribe]
- Daniel: yes
- 12:32:00 [tomCarrol]
- q+
- 12:32:04 [scribe]
- JeffM: We have requirements, we should pick a subset of generally useful requirements (relevant subset)
- 12:32:29 [scribe]
- JeffM: pick pieces and fill in terra incognita. Whatever set of requirements we choose, it must address an end-to-end case.
- 12:32:48 [scribe]
- JeffM: it doesn't have to be all cases but one in depth
- 12:33:26 [scribe]
- Roger: Question: is there another axis? On one extreme you make up new languages and syntaxes, on the other there are existing solns. with recommendations on how to put them together.
- 12:33:35 [scribe]
- Roger: Which is our job?
- 12:33:37 [DaveO]
- q+
- 12:34:02 [scribe]
- Chris: In making our recommendation we have the option to propose putting pieces together or additions, changes
- 12:34:27 [scribe]
- Roger: No, will this group in the process of creating the architecture specify which pieces to make security work (specifically).
- 12:34:39 [scribe]
- Chris: we cannot dictate soln. We can provide baseline.
- 12:35:01 [scribe]
- Roger: No, will there be components of security solutions in the architecture?
- 12:35:16 [Daniel]
- q+ Allen
- 12:35:50 [scribe]
- Roger: DaveO: Say we decide that we should have a user name/password for authentication then we will say this in architecture and charter.
- 12:36:06 [scribe]
- DaveO: If a WG tells us that we are wrong, we will fix it in the document.
- 12:36:35 [scribe]
- Roger: If I am trying to implement WS and I use the arch document, will there be any answers in there for how I implement security?
- 12:36:49 [scribe]
- Joe: General guidelines but more specific will come from security group.
- 12:37:06 [scribe]
- Glen: In other words, not really just like we don't say specific things about implementing transactions.
- 12:37:25 [scribe]
- Chris: But we can provide starting points (e.g., XML digital signatures exists, use it).
- 12:38:17 [scribe]
- DaveO: What I think is being asked is what is the authority of the arch group in binding things? So if we say use Dig sign. is this authoritative.
- 12:38:22 [scribe]
- Chris: At best we can influence.
- 12:38:37 [Daniel]
- Heather you're up
- 12:38:46 [Heather]
- k
- 12:38:48 [hugo]
- I think that it depends on how our recommendations are phrased
- 12:39:09 [Heather]
- I'm a little nervous about giving a new security wg carte blanche to develop a new security framework
- 12:39:26 [Heather]
- it smacks of architecture groups having baby architecture groups
- 12:39:54 [Heather]
- should we provide a 'broad framework' as part of our work
- 12:40:12 [Heather]
- leaving them to figure out how to implement those components w/ existing specs and new specs?
- 12:40:33 [scribe]
- Joe: Would like to help move the process along by returning to the six items from the requirements doc. 1) authentication, integrity, encryption, 2) authorization, 3) NR, 4) accessibility (DOS), 5) rest of the stuff in CSF and requirements. He suggests that this is the prioritization.
- 12:40:35 [Heather]
- ok.. thats it
- 12:41:19 [scribe]
- DaveO: I agree
- 12:41:43 [tomCarrol]
- +1 on the framework
- 12:41:53 [Roger]
- Heather, what did you mean by
- 12:41:56 [jeffm]
- heather, you're stuff is up on the board
- 12:41:58 [scribe]
- DaveO: I think that Heather is getting at the fact that the framework has to have some detail to provide constraints. We are not writing a blank check.
- 12:42:01 [Roger]
- "OK, that's it".
- 12:42:05 [jeffm]
- s/you're/your
- 12:42:07 [chris]
- q?
- 12:42:16 [chris]
- ack heather, joe
- 12:42:25 [Heather]
- by 'ok thats it' i meant </Heather>
- 12:42:28 [scribe]
- Joe: We need to supply detail? Yes because this lends credibility.
- 12:42:32 [Heather]
- or end of tirade
- 12:42:40 [Roger]
- Thanx.
- 12:43:18 [scribe]
- TomC: I was wondering if when we send a WG off to work, are we also going to provide a well defined process for making changes back into the architecture
- 12:43:38 [tomCarrol]
- Mchapman you're up
- 12:44:03 [Daniel]
- q+
- 12:44:08 [scribe]
- Summary: We own framework, set context, but offer a process for feedback into changing the architecture.
- 12:44:43 [scribe]
- Martin: Question is, when we charter the security group, do we pre-phase them or only charter them for a specific phase?
- 12:44:52 [tomCarrol]
- q- TomCarrol
- 12:45:01 [scribe]
- Daniel: this is how SOAP works today.
- 12:45:20 [scribe]
- Summary: One working group with phasing (or re-chartering for each phase).
- 12:45:29 [scribe]
- Martin: So what we should be debating is phase 1
- 12:45:32 [chris]
- ack tomcarrol, mchapman
- 12:45:49 [Heather]
- +1 for rechartering for phases
- 12:46:17 [dougb]
- q+
- 12:46:25 [scribe]
- OIsio: Point of process, needs to be some life after wreck process so that there is some formal manner to make changes.
- 12:46:29 [chris]
- ack daveo
- 12:47:33 [scribe]
- DaveO: How convenient. I asked TBL how amenable the director is to us rechartering in mid flight. He said go for it, no blank check but time to market is important. I interpret this as a broad endorsement to get this stuff out there.
- 12:48:01 [chris]
- ack allen
- 12:48:12 [scribe]
- DaveO: No change to the process document. It's the willingness of the AC.
- 12:48:43 [joe]
- q+
- 12:48:46 [scribe]
- DaveO: Process does not mean that we have to do things slowly
- 12:49:43 [scribe]
- AllenB: There is another kind of structuring that comes from the overall architecture. You can imagine doing security at the messaging level. You can imagine role security at the orchestration level. These offer a basis for constraining what kinds of things are considered in each phase.
- 12:49:54 [scribe]
- AllenB: So phase 1 could be messaging security.
- 12:50:28 [jeffm]
- q+
- 12:50:33 [chris]
- ack daniel
- 12:50:34 [scribe]
- Joe: Good point. For his priorities, these can be done in multiple ways: messaging, etc.
- 12:50:45 [Heather]
- define messaging security for me...
- 12:51:22 [GlenD]
- security on a per-message basis
- 12:51:28 [scribe]
- AllenB: So there is more than one dimension to this and we can look at the matrix and determine what we want to fill in.
- 12:51:30 [GlenD]
- as opposed to securing a channel (ssl)
- 12:52:12 [chris]
- ack dougb
- 12:52:15 [Heather]
- could also match phase.... define their phase one in corresspondence with our phase one
- 12:52:32 [mchapman]
- q+
- 12:52:34 [GlenD]
- phase-locked groups
- 12:52:36 [scribe]
- Daniel: following Martin's earlier suggestion that we iterate on phases. We should pick the highest priority problems and ask the security group to address them in the first pass (and so on). Dave has identified the high priority items. We should phase as problems in priority (as opposed to as solutions).
- 12:52:54 [DaveO]
- I think Allen proposed that there is another aspect of security, that there are the styles of security: message, connection, role based (e.g. for orchestration)
- 12:53:05 [scribe]
- DougB: Have the security WG recognize the boxes that we provide them mapped to existing standards. Is that our job or some WGs job?
- 12:53:18 [scribe]
- DaveO: Great.
- 12:53:45 [scribe]
- DougB: Does the security group recognize existing standards and fill them into boxes or does the arch team do this (clarification)
- 12:54:13 [chris]
- q?
- 12:54:35 [scribe]
- DaveO: this came up on the TAG. They felt that it was desirable for the arch group to provide details in fleshing out the scope of the box.
- 12:54:56 [scribe]
- Chris: Again, all we can do is hope to influence.
- 12:55:43 [scribe]
- Joe: Are we going to do the threat model in WSA or by the new WG?
- 12:56:38 [dougb]
- higher level question Joe and I are getting at: Are we writing the security portions of our architecture document (referencing existing standards and the threat model) or is the Security WG doing that?
- 12:56:47 [scribe]
- Chris: The order of the requirements document did not imply that we had prioritized.
- 12:56:47 [Heather]
- if we are going to lay out the high level framework and boxes, we may have to do some level of threat model
- 12:56:52 [chris]
- ack joe
- 12:57:02 [chris]
- ack jeffm
- 12:58:00 [scribe]
- JeffM: As part of this discussion, will we consider the end to end case. Pick a couple of scenarios as examples and do the analysis so that we scope this by end-to-end for specific technologies as opposed to just stating messaging security.
- 12:58:15 [scribe]
- Chris: Did you mean use cases?
- 12:58:22 [scribe]
- JeffM: yes, the high level ones.
- 12:58:40 [DaveO]
- lol
- 12:58:59 [chris]
- ack mchapman
- 12:59:17 [Daniel]
- Dave loved that :)O
- 12:59:24 [Heather]
- :-)
- 12:59:35 [scribe]
- martin: even though we work at the same company ;) I want to really support this. Working solutions are important...
- 13:00:05 [scribe]
- Chris: in our current scenarios we describe stack type stuff. Are you going vertical or horizontal?
- 13:00:11 [Daniel]
- Dave and I used to be friends! that was back in XML-CORE days tho
- 13:00:14 [Daniel]
- LOL
- 13:00:16 [scribe]
- Martin: All the way down and then back up again.
- 13:01:32 [scribe]
- Jeffm: When some people think end-to-end they think multiple hops, routing, etc. and that's not what I mean. What I mean is that whatever use case we pick, we do it end-to-end.
- 13:01:43 [scribe]
- Chris: Do we care about multiple hops or is this phase 2?
- 13:01:51 [scribe]
- Martin: What is multiple hops?
- 13:02:06 [DaveO]
- It was the large trout aspect, not so much the recipient ;-). I do prefer salmon, but I'm from the west coast of Canada...
- 13:02:17 [DaveO]
- q+
- 13:02:26 [scribe]
- Martin: My point is that I want to see a full working solution between client and server as opposed to chunks of security that don't fit together.
- 13:02:29 [Heather]
- security info propagation is going to be an immediate problem...
- 13:02:42 [Heather]
- +1 to martin
- 13:02:59 [scribe]
- DaveO: suggestion to deal with this is to do a use case and some usage scenarios that treat particular aspects of the end-to-end.
- 13:04:03 [dougb]
- +1 to DaveO, subject seems to depend upon use case chosen to frame security WG / also appreciate Martin's extreme programming (extreme architecture?), continuously working process.
- 13:04:52 [maa-in]
- + extreme UML :-)
- 13:04:58 [Daniel]
- it's nothing to do with extreme anything, it's basic UP iteration
- 13:05:04 [scribe]
- Chris: Here's what I hear: Not boiling the ocean. Targeted. We have suggestions for different approaches or synergistic approaches for how we might determine prioritization. I sense a strong level of rough agreement as to end-to-end solutions. We have a notion of phases, that we start something off and it evolves. We may need overlap of working groups due to market forces.
- 13:06:09 [tomCarrol]
- To be complete would we not need a complete set of use cases that describe a web service and use those for the context of the security WG??
- 13:06:12 [scribe]
- chris: break at 3:30. Afternoon for use cases. Right now, could we given this ... pick a prioritized subset of Joe's and Allen's suggestions for a phase 1 charter? Can we do that now?
- 13:06:39 [scribe]
- DaveO: We have at least one use case already - Hugo wrote it. Why don't we look at it and work the process?
- 13:06:58 [scribe]
- martin: Let's narrow the use case for security aspects.
- 13:07:50 [scribe]
- Chris: We have Joe's onion, let's focus on the core of the onion. and thinking about phase 1 only.
- 13:07:52 [tomCarrol]
- Would we want to narrow the use case or would that be delegated to the security WG
- 13:08:27 [scribe]
- Chris: How do we want to break up?
- 13:08:39 [scribe]
- Daniel: want to tackle high priority stuff.
- 13:08:51 [scribe]
- Roger: You could also (in parallel?) tackle the EDI use case
- 13:09:29 [scribe]
- Chris: Of #1 (auth, integrity, confidentiality), what would go into a phase 2?
- 13:09:41 [scribe]
- Joe: It is useless to do integrity and confidentiality alone.
- 13:10:23 [scribe]
- Chris: So is #1 too broad, do we want to further narrow it?
- 13:10:28 [Daniel]
- q+
- 13:10:37 [DaveO]
- q-
- 13:11:42 [scribe]
- Daniel: Maybe there is some low hanging fruit here because a great deal of work has been done on some of this (e.g., auth and authorization).
- 13:11:47 [chris]
- ack daniel
- 13:12:38 [scribe]
- DaveO: The solutions and how they deal with XML and the web have not been around. We are just starting to see first proposals on some of these.
- 13:13:41 [scribe]
- Joe: More critical problem for XML encryption is key distribution. All we have talked about is message level security but channel level security has been around and that's low hanging fruit.
- 13:13:58 [scribe]
- Daniel: I would rather talk about problems than solutions.
- 13:14:16 [scribe]
- DaveO: but solutions introduce problems. So which of the new problems do we wish to tackle.
- 13:15:05 [scribe]
- DaveO: the process model one is really interesting. This has come up with XML. Can or should an author be able to indicate the steps a recipient should do with a particular message...
- 13:15:36 [scribe]
- DaveO: default processing model, explicit one... clearly in WS we have the same issue. How does a receiver specify the processing model that it will publish to the world.
- 13:15:53 [Daniel]
- do we think we want to adopt/specify a particular processing model?
- 13:16:24 [scribe]
- DaveO: e.g., I will do integrity checks after confidentiality. So sender must invert this. Security clearly introduces a processing model. We should stay away from tackling this right up front ("there be dragons").
- 13:16:45 [scribe]
- Joe: true for message based but channel based already solved.
- 13:17:05 [scribe]
- DaveO: Missed point, the order that you do things is either the canonical order or you have to publish processing order.
- 13:18:02 [scribe]
- Chris: Okay, how are we going to divide up this work?
- 13:18:29 [scribe]
- DaveO: suggest taking Hugo's use case and then breaking it up around 3 scenarios (auth, integrity, and confidentiality).
- 13:18:42 [scribe]
- Chris: Hugo, do you want to walk us through the use case?
- 13:18:45 [hugo]
- Travel agent use case: http://www.w3.org/2002/06/ws-example.html
- 13:20:17 [scribe]
- Chris: 15- 20 break...
- 13:21:43 [Heather]
- whew!
- 13:35:48 [dougb]
- dougb has joined #ws-arch
- 13:46:45 [scribe]
- Hugo: Will present travel agent use case.
- 13:47:38 [scribe]
- Hugo: There is a customer that wants to use travel agent service to book vacation package. Travel agent service will use hotel and airline, credit card co. web services.
- 13:48:02 [scribe]
- Hugo: I divided the use case into 4 usage scenarios, which are basically the steps that the whole thing will go through to book the vacation package.
- 13:48:18 [scribe]
- Hugo: Of course I made simplifications - security is not considered at all.
- 13:48:29 [scribe]
- Hugo: If you want to go step by step, it's complicated.
- 13:49:08 [scribe]
- Roger: Wants to quibble. In talking to people who wanted to use web services. When dealing with credit card service, you are dealing with something that is already firmly in place and is not going to change.
- 13:49:20 [scribe]
- Martin: So there are definitely actors, either people or external systems.
- 13:49:34 [scribe]
- Roger: My point is that it is unlikely that these will operate as ws in the near future.
- 13:49:46 [scribe]
- DaveO: Point is what things would look like using ws technology.
- 13:50:34 [scribe]
- Roger: make this point because if you are prioritizing, some legs of a use case are unlikely to change in the near future so they are low priority.
- 13:50:51 [scribe]
- Hugo: Even though parts of the use case won't be used for a very long time, they are still illustrative.
- 13:52:18 [scribe]
- Hugo: User requests travel for some travel dates. Hugo has a complex diagram for this in his document. The customer provides the travel agent some travel dates and the service discovers airlines and then gets descriptions of how to interact with those. So the ontology thing means that the descriptions made sense to everyone (magic).
- 13:53:04 [scribe]
- Hugo: So queries are made, results are returned, merged and sent to the customer. The customer chooses and the travel agent service books the flight.
- 13:53:34 [scribe]
- Hugo: Then moves to the hotel reservation (which works much like the airline situation).
- 13:55:42 [scribe]
- Hugo: From here (purple stuff), when the consumer books the hotel, the travel service gives the customer payment options. The travel agent service interfaces with the credit company to get a guarantee of payment.
- 13:56:49 [scribe]
- Hugo: At this point (Next diagram), the travel company has confirmation and then books the hotel with the credit information. Travel agent company creates vacation package and bill.
- 13:57:54 [scribe]
- Hugo: Security-wise, there is confidentiality, credit card company stuff (certificates and guarantee) - identity, encryption for the credit card number.
- 13:58:25 [scribe]
- Joe: Integrity would come into play since you don't want someone to change your data (London to Paris) in transit. Authorization as well.
- 13:59:13 [scribe]
- Roger: We have a system in our company that works exactly like this today. If we want to make this realistic, we could determine exactly how these work. There are all sorts of elaborations that happen in reality. For example, people doing travel on behalf of another person.
- 13:59:45 [scribe]
- DaveO: This is a great start. There are issues of communication, QoS, orchestration, etc. I love the travel service kind of use case.
- 13:59:51 [jeffm]
- +1
- 14:00:06 [scribe]
- Joe: You can build this up. So you could add NR, etc.
- 14:00:21 [jeffm]
- jeffm: +1
- 14:00:41 [scribe]
- Martin: So, what's the end-to-end minimal thing that we need to do to make this secure? The customer looks up something and books; how do we make this minimally secure?
- 14:01:11 [scribe]
- JeffM: Instead of taking the whole thing as an end-to-end, we could take "little t" transactions and deal with each.
- 14:01:46 [scribe]
- JeffM: Security group might be chartered for the little enchilada as opposed to the whole thing (presumably staging).
- 14:02:09 [soliton]
- soliton has joined #ws-arch
- 14:02:34 [scribe]
- Roger: The ordering has to do with what gets done first and what is needed first. There are portions of this that are cast in stone (the real world). Some of the example doesn't need to be dealt with in the near future.
- 14:03:32 [scribe]
- TomC: I tend to agree with the Oracle crowd. At a certain level of abstraction, in order to identify the meaningful parts for a security WG, we have to get to lower-level parts of the use case.
- 14:04:07 [scribe]
- JeffM: Explicitly not trying to determine which things have to be done first.
- 14:05:31 [omh]
- omh has joined #ws-arch
- 14:05:40 [jeffm]
- To clarify: I'm suggesting that what is done first is the end-to-end security for the entire steel thread(s).
- 14:05:42 [scribe]
- Chris: So if I want to pull this apart: how do we know that it's Hugo, integrity, confidentiality,
- 14:05:44 [tomCarrol]
- q+
- 14:05:48 [maa-in]
- q+
- 14:05:52 [Roger]
- q+
- 14:06:00 [scribe]
- Thanks Jeff ;)
- 14:06:37 [chris]
- ack tom
- 14:06:54 [chris]
- q?
- 14:07:04 [DaveO]
- q+
- 14:07:09 [jeffm]
- Clarify (cont): The prioritization task is picking the "right set" of steel threads to scope the first phase.
- 14:07:53 [scribe]
- Tom: Familiar with the e-procurement scenario. You have to look at the small use cases one at a time. That is, you don't get to pull the security areas out one at a time (integrity, authorization, etc.). Must find pertinent use cases in order to define a domain.
- 14:08:24 [scribe]
- Martin: You didn't mention authorization or permissions.
- 14:08:30 [scribe]
- Chris: They are all there.
- 14:09:06 [JensM]
- JensM has joined #ws-arch
- 14:10:04 [scribe]
- Chris: Key point is getting to the point that Roger was making: we could do all of the security things (1-5) or...
- 14:10:16 [Martin]
- q+
- 14:10:30 [tomCarrol]
- q+
- 14:11:00 [scribe]
- Chris: We could do them all; we can parallelize based on specific aspects. In terms of encryption, where you have only a credit card number, did you really need XML Encryption?
- 14:11:15 [scribe]
- Joe: You could do this two ways (SSL is an option).
- 14:12:36 [scribe]
- Chris: Integrity is fundamental (due to multiple), authentication is fundamental, and confidentiality. Can we focus on just these three?
- 14:13:05 [chris]
- ack maa
- 14:13:12 [scribe]
- Martin: The scenario has to touch on all of them; otherwise you will miss something. The steel thread must address all points.
- 14:13:21 [hugo]
- q+
- 14:13:29 [scribe]
- Joe: This is what he was referring to earlier as the minimal set.
- 14:13:40 [chris]
- ack roger
- 14:13:56 [scribe]
- Roger: Does not like the use case because he doesn't see the business driver.
- 14:14:31 [scribe]
- Roger: Sees apples and oranges of existing systems of different types. He really wants to show the EDI use case because it is different and the business drivers are clearly displayed.
- 14:14:33 [joe]
- q+
- 14:14:42 [chris]
- ack daveo
- 14:15:50 [scribe]
- DaveO: In terms of the break-up, another way to tease out requirements is to look at what is going on in terms of the channel (e.g., email). So this type of variability might be another way to go in terms of structuring this.
- 14:15:55 [chris]
- ack martin
- 14:16:11 [scribe]
- Martin: This use case represents 80% of what the web is used for.
- 14:16:18 [chris]
- q+ jeffm
- 14:16:34 [chris]
- ack tom
- 14:18:06 [scribe]
- TomC: On Roger's point, views the use case as an abstraction (that is, that you can abstract out the business portion - the travel agent). The trust model varies based on what side of the travel agent service I belong to. I have trust with suppliers that is completely different than with the general public. So security may be completely different and require completely different technical implementations.
- 14:18:14 [chris]
- ack hugo
- 14:18:44 [scribe]
- Hugo: Martin said that we should have a look at everything rather than limiting to the 3. If we have a look at everything, everything will be large (e.g., privacy).
- 14:18:48 [chris]
- ack joe
- 14:19:47 [scribe]
- Joe: Responds to Roger's use case comment. Can cover all of the security aspects with buying a book from Amazon.com. The EDI use case could be different because it is intranet.
- 14:19:56 [scribe]
- Roger: Not intranet, it's an internet example!
- 14:20:09 [omh]
- omh has left #ws-arch
- 14:20:10 [GlenD]
- q+
- 14:20:32 [DaveO]
- q+
- 14:20:49 [chris]
- ack jeffm
- 14:21:23 [scribe]
- GlenD: Two tiny comments. Regardless of whether the use case is connected to reality, it is still a useful scenario. Can we ask Roger to do a short description of his use case?
- 14:21:55 [chris]
- ack glend
- 14:22:02 [chris]
- q close
- 14:22:10 [scribe]
- Roger: EDI-like interaction between a big and a small company to purchase widgets. It is interesting because the small company has different capabilities and security aspects, and the guts happen when things go wrong.
- 14:22:56 [dbooth]
- q?
- 14:23:02 [scribe]
- Mike: How does this use case differ from the travel agent?
- 14:23:03 [chris]
- ack daveo
- 14:23:06 [chris]
- ignore q
- 14:23:22 [scribe]
- Roger: Assumption here is that you have trusted partners.
- 14:23:24 [Martin]
- q martin
- 14:23:31 [Martin]
- q+
- 14:23:45 [chris]
- zakim, ignore q
- 14:23:46 [Zakim]
- I don't understand 'ignore q', chris. Try /msg Zakim help
- 14:23:53 [chris]
- zakim, ignore queue
- 14:23:56 [Zakim]
- ok, chris, I will ignore the speaker queue
- 14:23:59 [Martin]
- +q
- 14:24:03 [jeffm]
- +q
- 14:24:10 [scribe]
- DaveO: I have built SOAP systems doing exactly this. If you take how vendors talk about WS, the IBM developer site is an example. They use travel; others use this example. This is a canonical example for doing WS.
- 14:24:26 [dbooth]
- q+ jeffm
- 14:24:28 [jeffm]
- jeffm wonders where chris is
- 14:24:46 [scribe]
- Chris: We don't have time to do the breakouts. Suggests that we let Roger present his use case for 5-10 minutes.
- 14:27:15 [scribe]
- Roger: I talked to our EDI people about what they actually do and how they would be interested in using web services, and here's the scenario. You have a big company trying to buy widgets from a small mom-and-pop co. with a big technology difference. We actually want to do this.
- 14:28:04 [scribe]
- Roger: Actors: engineer, business analyst, lots of people. Mom and pop, and uncle on weekends.
- 14:29:17 [scribe]
- Roger: Request for purchase, purchase order, request for invoice, purchase, payment.
- 14:29:39 [hugo]
- EDI use case: http://lists.w3.org/Archives/Public/www-ws-arch/2002May/att-0323/02-WS-EDI_Use_Case.htm
- 14:29:45 [scribe]
- Roger: Focus is technical infrastructure, not the business process. Payments are explicitly out of scope, because banks have their own processes.
- 14:30:29 [scribe]
- Roger: This is how the process works when it works. This is less interesting than when it doesn't. He has a list of requirements; check the use case for details. It is required that messages are ordered and identified with a unique ID but not sequenced.
- 14:31:25 [scribe]
- Roger: Security problem: NR, accessibility, authentication. NR is a lower level than NR but higher than auditing because it is a trusted business partner. No one is going to court over a failure. You just need some way to determine what happened.
- 14:32:35 [scribe]
- Roger: So you need to reconcile. So, the problems in the process are the real meat. This is where people spend their time. Transaction log mismatch. At the end of each month the big co. will send a list of messages received to the small co. The response is checked against the back office to see if there is message agreement.
- 14:32:50 [dbooth]
- q+
- 14:33:08 [dbooth]
- q-
- 14:33:12 [scribe]
- Roger: Second scenario is that the small co. thinks that they weren't paid (incorrectly). They didn't get a payment advice(?). So they got paid but they don't know it.
- 14:33:54 [scribe]
- Roger: Big purchasing department ... big co. sends copies of purchase information to little co., and then little co. matches and determines that they were paid.
- 14:34:15 [scribe]
- Roger: Finally, an example where the small co. gets paid, and this is similar to the former.
- 14:34:27 [chris]
- zakim, track queue
- 14:34:29 [Zakim]
- ok, chris, I will track the speaker queue
- 14:34:31 [tomCarrol]
- q+
- 14:34:33 [scribe]
- Roger: Real important thing is to be able to determine what happened in the past.
- 14:34:37 [GlenD]
- q+
- 14:34:53 [omh]
- omh has joined #ws-arch
- 14:35:00 [scribe]
- Martin: This type of scenario is invaluable. Some things are not in the scope of web services. A lot of the use case is a human use case.
- 14:36:19 [scribe]
- Roger: I disagree. Differentiates (human from machine) based on log information needed vs. actual reconciliation.
- 14:36:33 [scribe]
- Martin: What extra do we need to do to be able to prove that a payment was made (for example).
- 14:36:39 [chris]
- ack martin
- 14:37:00 [scribe]
- Roger: It is important that there is an agreed upon method for identifying messages (in time).
- 14:37:10 [chris]
- ack tom
- 14:37:12 [scribe]
- Roger: A standard query for getting a digest of messages would be great.
- 14:37:51 [scribe]
- TomC: Looks at the abstraction. The activity being performed is ... missed it
- 14:37:56 [dbooth]
- Hmm, it sounds like he's talking about "unambiguously identifying things". Sounds a lot like URIs to me!
- 14:38:42 [chris]
- ack tom
- 14:38:47 [scribe]
- JeffM: If the requirement is to have a logging service, and the service has to support a DB query service, then that is all that you need to say - that's a solution to the problem.
- 14:38:50 [chris]
- ack glen
- 14:38:59 [tomCarrol]
- q+
- 14:39:09 [scribe]
- JeffM: Doesn't see how the use case adds more to security.
- 14:39:25 [scribe]
- Roger: I think that it is significant that the financial transactions are out of scope.
- 14:39:45 [Heather]
- why are the financial transactions out of scope?
- 14:40:17 [chris]
- q+ jeffm
- 14:41:05 [chris]
- q+ zulah
- 14:41:13 [dboo-scri]
- GlenD: There are lots of scenarios. I suggest we do something to move forward. We've chosen to drill through a use case. We'll do (1) vote for one of these use cases; or (2) tonight you guys can combine them.
- 14:41:20 [dboo-scri]
- Roger: Or we could split and do both.
- 14:41:27 [DaveO]
- q+
- 14:41:50 [dboo-scri]
- Heather: why are the financial transactions out of scope?
- 14:42:05 [dboo-scri]
- Roger: Because EDI people told me they weren't interested in it.
- 14:42:14 [dboo-scri]
- s/EDI/my EDI/
- 14:42:16 [Heather]
- why?
- 14:42:37 [Heather]
- is there no interest from the financial industry to move to web services?