[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [uddi-spec] Proposal 16: breaking the containment model
I was reading too much into it. It is obvious that if
we split entity ownership across multiple publishers, then each publisher would
sign just the part of the entity that (s)he owns.
But I do not see
why this singular issue cannot be accommodated within the existing containment
model. All we have to do is specify that signature is computed based upon entity
content excluding contained entities (services, bindings and potentially
contacts). Contained entities need to have their own signatures produced
by their respective owners. These signatures would validate the contained
entities' inclusion in their containing entity because their content includes
the key of the containing entity. Whether a publisher can submit a
contained entity for inclusion in some other entity should be governed by the
containing entity's ACL.
As far as spec goes, it should say "all children of the
element being signed are included in the generation of the signature unless they
have their own signature element," so all children endowed with signature are
automatically excluded. This is different from current spec text,
which states that "all children of the element being signed are included in
the generation of the signature unless first excluded by application of a
transform." This appears to presume that all of the entity's contained
entities are owned by one publisher. The registry itself can add the required transforms (that
filter out contained keyed entities) to signatures that do not have such
transforms.
I still believe that the publisherAssertion
containment-free approach is a better alternative, because it supports greater
flexibility and has better controls at the same time.
Daniel From: Rogers, Tony [mailto:Tony.Rogers@ca.com] Sent: Sunday, April 11, 2004 1:59 AM To: Daniel Feygin; uddi-spec@lists.oasis-open.org Subject: RE: [uddi-spec] Proposal 16: breaking the containment model That phrase "signature transforms to allow signature
compartmentalization" just means writing transforms so that the signature
in a business just signs the business, and not any of the contained
objects, and the same for a service. That way we can suppress a binding or a
service without disrupting the signature on the service or business which
contains it. This was an important reason for breaking containment.
|
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]