[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [wsrp] EventDescription.requiresSecureDistribution
A producer that wishes to return an event
securely can not publish a http binding (i.e. only an https binding so that
SOAP responses are secured) if transport level security is to be used, or use
message level security for responses. Given we start from this position, is it
not more a question of the producer possibly granting the consumer the right to
forward an event on a less secure channel? How useful is such a feature as opposed
to just mandating that a securely returned event be always forwarded securely? I
think the end goal should be for end to end security to be used to secure the
event payload so do we really need these flags? Regards, Andre From: Rich Thompson
[mailto:richt2@us.ibm.com]
I
do not see why we would want to duplicate
the
flag in the Event type itself, even if we include it in the
event
metadata.
IMHO
A
consumer should either use (securely determined) metadata to
determine
the
security level for event transmission or use the same
security level at which an event was received to re-distribute the
event (Event.RequiresSecureRedistribution?). Would
it be simpler to use the same rule as for getMarkup to distribute all events?
i.e. If a producer publishes a secure binding (i.e.
SSL)
then the consumer should make use of it? Or, better, provide
and
encourage means for the event data to be signed/encrypted by sending
portlets? Regards,
Andre
PS.
In any
case, the Event.requiresSecure(Re)Distribution
declaration XML schema could do with a
default="false" to match the EventDescription convention.
|
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]