Subject: Issue 71: Guidance on Policy Application
Tracked as Issue 71.

Marc Goodner
Technical Diplomat
Microsoft Corporation
Tel: (425) 703-1903
Blog: http://spaces.msn.com/mrgoodner/

-----Original Message-----
From: Hal Lockhart [mailto:hlockhar@bea.com]
Sent: Tuesday, May 30, 2006 1:12 PM
To: ws-sx@lists.oasis-open.org
Cc: Marc Goodner
Subject: [ws-sx] NEW Issue: Guidance on Policy Application

PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL THE ISSUE IS ASSIGNED A NUMBER. The issues coordinators will notify the list when that has occurred.

Protocol: ws-sp
http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/17889/ws-securitypolicy-1.2-spec-ed-01-r06.pdf

Artifact: spec

Type: philosophical

Title: Some people are unclear on the precise role to be played by WS-SecurityPolicy.

Description: The only place in WS-SecurityPolicy which seems to address exactly what WS-SP is supposed to be used for is section 1. Currently it says:

"WS-Policy defines a framework for allowing web services to express their constraints and requirements. [...] This document takes the approach of defining a base set of assertions that describe how messages are to be secured. [...] The intent is to provide enough information for compatibility and interoperability to be determined by web service participants along with all information necessary to actually enable a participant to engage in a secure exchange of messages."

This seems to leave a lot of questions unanswered. Is a consumer required to use SP? Is SP suitable for expressing a Consumer's policy? Does an SP represent an enforceable access control policy? Can a Web Service reject messages which conform to its policy? It seems to me desirable that the spec provide more specific guidance on what is expected.

Proposed Resolution: I suggest that we add to section 1 some additional text along these lines.

----
The exact usage of security policies will depend on a variety of factors and may differ from one deployment to another. Further, Consumers and Services are likely to use information from a variety of sources other than security policies to determine the details of security mechanisms applied to particular messages. However, in the absence of specific considerations to the contrary, it is recommended that the following principles be followed.

1. The Consumer should construct messages which are consistent with the policy advertised by the Service.
2. The Service should not reject messages based on the use of mechanisms which conform to its advertised policies.
3. However, the Service may reject messages based on factors which are not specified in its advertised policies.
4. The Service may also choose to accept messages which are inconsistent with its advertised policies.
----

Hal