[E-Lang] Security issues at W3C Workshop on Web Services
Karp, Alan
alan_karp@hp.com
Wed, 21 Mar 2001 09:49:03 -0800
I am on the program committee for the W3C Workshop on Web Services that will
be held April 11-12 in San Jose. I have now read about 20 of the position
papers submitted and am struck by the consensus around a flawed security
model. I'm hoping that someone reading this list will be able to
participate in the Workshop and bring some sanity to the discussion.

At least half a dozen of the papers I've read have called for
standardization on "context". Great, I thought. Finally, we'll be able to
describe the environment in which a request is being made. Unfortunately,
these writers uniformly define context to be userID and password or some
equivalent using PKI. The goal is to provide "single sign-on" for web
services. We know what a disaster it will be if people are required to
invoke services with their full authority, but apparently most of the people
attending this Workshop do not.

I will be tied up dealing with issues of service description and discovery.
(Don't ask; I was volunteered.) I'm hoping that one of you can step up and
prevent a disaster in the making. Attendance is limited, but some of you
should be able to attend. Sign up at http://www.w3.org/2001/01/WSWS.
_________________________
Alan Karp
Principal Scientist
Decision Technology Department
Hewlett-Packard Laboratories MS 1U-2
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-6278
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp/