sca-policy message

Subject: Re: [sca-policy] Issue 32


Yes, that's a reasonable suggestion.  Let me paraphrase and amplify.

We would have 2 authentication intents:

clientAuthentication:  client MUST authenticate the server to prevent 
man-in-the-middle attacks.
mutualAuthentication:  client and server MUST authenticate each other.

All the best, Ashok


David Booz wrote:
>
> I think we should introduce a new intent called 'mutualAuthentication' 
> to resolve the issue.
>
> I don't read the existing intent the same way you do. To me, it reads 
> such that it's all about clients authenticating to services. I'm not 
> sure how to clarify the existing intent but it seems we need to.
>
> Dave Booz
> STSM, BPM and SCA Architecture
> Co-Chair OASIS SCA-Policy TC and SCA-J TC
> "Distributed objects first, then world hunger"
> Poughkeepsie, NY (845)-435-6093 or 8-295-6093
> e-mail:booz@us.ibm.com
>
>
>
> From: ashok malhotra <ashok.malhotra@oracle.com>
> To: OASIS Policy <sca-policy@lists.oasis-open.org>
> Date: 11/17/2008 03:22 PM
> Subject: [sca-policy] Issue 32
> ------------------------------------------------------------------------
>
>
>
> http://www.osoa.org/jira/browse/POLICY-32
>
> The title of this issue is "Security intent which allows a client to
> authenticate a server"
> But let us look at the authentication intent which is currently in the
> spec. Lines 1856-1859 in WD09:
>
> *authentication* – the authentication intent is used to indicate that
> a client must authenticate itself in order to use an SCA service.
> Typically, the client security infrastructure is responsible for the
> server authentication in order to guard against a "man in the middle"
> attack.
>
>
> I read this as saying that:
>
>
> 1. The server must always authenticate itself to the client.
> 2. If this intent is used it requires mutual authentication of the
> client and server.
>
>
> Thus, it seems to me, that the definition of the intent covers the issue
> and we need not do anything
> unless we want to cover the situation that the server is not
> authenticated by the client. In that case, the default is no
> authentication and we need two intents:
>
> - One to cover the case where the client authenticates the server
> - The second to cover the case where the client and server authenticate
> each other (mutual authentication).
>
>
> -- 
> All the best, Ashok
>
>
