I am confused, I thought we wanted to embroil ourselves in identifying
a particular security profile to use for communication between a wsrp
consumer and producer? I.e. aren't we trying to find a [set of]
interoperable profiles that will work well across the known upcoming
domain of wsrp consumers and producers? I find your new set of
questions more general in that they don't assume specific technical
solutions -- however I prefer your initial questions because they are
more specific -- and I believe we are assuming our profile(s) will be
based on these. I.e. A lot of your new questions can be answered
yes/no which doesn't help us unless the details of the yes are
explained. Though your original questions are also answered yes/no
because they are more specific they give us more information.
Not being familiar with the ws-profiles being discussed/already
standardized, does it help/hinder us to ask if specific profiles are
supported? Or are the profiles open-ended enough to cover a variety of
representations?
-Mike-
Rich Thompson wrote:
To Subbu's specific question; yes, WS-SecureConversation would be an
example of such security technology.

I also received some feedback from internal security folks that these
questions were too broad to get meaningful feedback, but rather would
just embroil the TC in the general question about identifying the
particular security profile to use for communication between a
particular pair of parties. That discussion is already happening
elsewhere and I don't think any of us want to interject ourselves into
that debate. Here is a second draft attempting to provide more clarity
to the questions and gather the information the TC wanted without
becoming embroiled in the general debate.

----------------------- draft starts below --------------------
Considering the number of customer requests for interoperable security
profiles and the lack of a standardized policy framework for negotiating
a security profile to use for WSRP-related messages, the WSRP TC is
seeking input about whether simple interim, interoperable profiles could
be defined for the use case of multiple vendors' implementations being
deployed within a single security domain in the mid-2006 timeframe.
1. The WSRP use case involves an intermediary (the WSRP Consumer) acting
   on behalf of an End-User when interacting with the web service
   provider (the WSRP Producer). As a result, there is an interest in
   transferring the identities of both the WSRP Consumer and the
   End-User to the WSRP Producer. This results in several questions:
   1.a. Do you support the receipt of multiple identities on a SOAP
        message which can be separately queried by the provider
        application?
   1.b. What WS-Security tokens will be supported for transferring
        identities?
   1.c. Will a mixture of WS-Security tokens and transport-level
        identity transfer be supported?
   1.d. Any restrictions on how multiple identities can be attached to
        a particular SOAP message?
2. What security granularity is expected when transferring an identity
   (for example; portals often have a concept of user role that relates
   to the End-User's current use of the portal rather than their
   identity ... is the transfer of such attributes supported)?
3. Is support for maintaining security contexts for multiple web service
   requests anticipated? If so, using what security technology?
4. Is automated configuration of all endpoints supported? If so, how are
   any particular inputs to the process indicated, supported,
   standardized and maintained?
Rich Thompson
OASIS WSRP TC Chair
On question (5) below, are you referring to something like
WS-SecureConversation?
Subbu
Rich Thompson wrote:
>
> Please provide feedback on the questions we want to use for contacting
> our various security teams about the possibility of building one or two
> simple security profiles for use while waiting for standardized policy
> frameworks to emerge. Hopefully we can agree on a short set of questions
> over the next week such that the gathering of input can begin shortly
> after that.
>
> ----------------------- draft starts below --------------------
>
> Considering the number of customer requests for interoperable security
> profiles and the lack of a standardized policy framework for negotiating
> a security profile to use for WSRP-related messages, the WSRP TC is
> seeking input about whether simple interoperable profiles could be
> defined. In particular, which of the following items is expected to be
> supported in the mid-2006 timeframe:
>
> 1. Transferring a Consumer identity via SSL/TLS, an End-User identity
>    via a WS-Security token and exposing both to applications.
> 2. Transferring a Consumer identity via a digital signature, an
>    End-User identity via a WS-Security token and exposing both to
>    applications.
> 3. Which WS-Security tokens do you expect to be supporting?
> 4. If SAML is supported, what user attributes will be supported?
> 5. Is support for maintaining security contexts for multiple web
>    service requests anticipated? If so, using what technology?
> 6. Is automated configuration supported? If so, are any particular
>    inputs to the process required?
>
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail. You may a link to this group and all your TCs in
> OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php