Subject: Re: [wsrp] draft security profile questions



To Subbu's specific question: yes, WS-SecureConversation would be an example of such security technology.
 
I also received some feedback from internal security folks that these questions were too broad to get meaningful feedback, but rather would just embroil the TC in the general question about identifying the particular security profile to use for communication between a particular pair of parties. That discussion is already happening elsewhere and I don't think any of us want to interject ourselves into that debate. Here is a second draft attempting to provide more clarity to the questions and gather the information the TC wanted without becoming embroiled in the general debate.

----------------------- draft starts below --------------------

Considering the number of customer requests for interoperable security profiles and the lack of a standardized policy framework for negotiating a security profile to use for WSRP-related messages, the WSRP TC is seeking input about whether simple interim, interoperable profiles could be defined for the use case of multiple vendors' implementations being deployed within a single security domain in the mid-2006 timeframe.

 
1. The WSRP use case involves an intermediary (the WSRP Consumer) acting on behalf of an End-User when interacting with the web service provider (the WSRP Producer). As a result, there is an interest in transferring the identities of both the WSRP Consumer and the End-User to the WSRP Producer. This results in several questions:

  1.a. Do you support the receipt of multiple identities on a SOAP message which can be separately queried by the provider application?
  1.b. What WS-Security tokens will be supported for transferring identities?
  1.c. Will a mixture of WS-Security tokens and transport-level identity transfer be supported?
  1.d. Any restrictions on how multiple identities can be attached to a particular SOAP message?

2. What security granularity is expected when transferring an identity (for example, portals often have a concept of user role that relates to the End-User's current use of the portal rather than their identity ... is the transfer of such attributes supported)?

3. Is support for maintaining security contexts for multiple web service requests anticipated? If so, using what security technology?

4. Is automated configuration of all endpoints supported? If so, how are any particular inputs to the process indicated, supported, standardized and maintained?


Rich Thompson
OASIS WSRP TC Chair



Subbu Allamaraju <subbu@bea.com>
10/12/05 11:58 AM

To: wsrp@lists.oasis-open.org
cc:
Subject: Re: [wsrp] draft security profile questions

On question (5) below, are you referring to something like
WS-SecureConversation?

Subbu

Rich Thompson wrote:
>
> Please provide feedback on the questions we want to use for contacting
> our various security teams about the possibility of building one or two
> simple security profiles for use while waiting for standardized policy
> frameworks to emerge. Hopefully we can agree on a short set of questions
> over the next week such that the gathering of input can begin shortly
> after that.
>
> ----------------------- draft starts below --------------------
>
> Considering the number of customer requests for interoperable security
> profiles and the lack of a standardized policy framework for negotiating
> a security profile to use for WSRP-related messages, the WSRP TC is
> seeking input about whether simple interoperable profiles could be
> defined. In particular, which of the following items is expected to be
> supported in the mid-2006 timeframe:
>
>    1. Transferring a Consumer identity via SSL/TLS, an End-User identity
>       via a WS-Security token and exposing both to applications.
>    2. Transferring a Consumer identity via a digital signature, an
>       End-User identity via a WS-Security token and exposing both to
>       applications.
>    3. Which WS-Security tokens do you expect to be supporting?
>    4. If SAML is supported, what user attributes will be supported?
>    5. Is support for maintaining security contexts for multiple web
>       service requests anticipated? If so, using what technology?
>    6. Is automated configuration supported? If so, are any particular
>       inputs to the process required?
>
> --------------------------------------------------------------------- To
> unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail. You may a link to this group and all your TCs in
> OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

