Subject: Re: [wsrp] draft security profile questions



My understanding is that we wanted to gather the info required to determine whether defining a small set of interoperable security profiles would be feasible and helpful. My feedback from those with a security point of view was that the first drafted questions would tend to engage us in the more general debate about negotiating security profiles and I think that is an area we wanted to stay away from. The second draft is an attempt to refine the questions so that we get the specific information we need in order to evaluate the feasibility and helpful questions. The kind of information I thought we needed was:
 - Is there support for transferring multiple identities?
 - What security methods are supported for transferring an identity (SSL/TLS, security tokens, digsig, ...)?
 - Any restrictions on how means to transfer identities are combined?
 - (stretch goal) Transferring user attributes supported? If so, which ones?
 - (stretch goal) Support for security contexts that span multiple messages?

I think the second draft attempts to ask these types of questions. If I misunderstood or people find they aren't encompassing enough, we certainly can continue to work on them.

Rich



Michael Freedman <michael.freedman@oracle.com>
10/18/05 02:29 PM
To: Rich Thompson/Watson/IBM@IBMUS
cc: wsrp@lists.oasis-open.org
Subject: Re: [wsrp] draft security profile questions

I am confused, I thought we wanted to embroil ourselves in identifying a particular security profile to use for communication between a wsrp consumer and producer?  I.e. aren't we trying to find a [set of] interoperable profiles that will work well across the known upcoming domain of wsrp consumers and producers?  I find your new set of questions more general in that they don't assume specific technical solutions -- however I prefer your initial questions because they are more specific -- and I believe we are assuming our profile(s) will be based on these.  I.e. a lot of your new questions can be answered yes/no, which doesn't help us unless the details of the yes are explained. Though your original questions are also answered yes/no, because they are more specific they give us more information.

Not being familiar with the ws-profiles being discussed/already standardized, does it help/hinder us to ask if specific profiles are supported?  Or are the profiles open-ended enough to cover a variety of representations?
    -Mike-

Rich Thompson wrote:


To Subbu's specific question: yes, WS-SecureConversation would be an example of such security technology.

I also received some feedback from internal security folks that these questions were too broad to get meaningful feedback, but rather would just embroil the TC in the general question about identifying the particular security profile to use for communication between a particular pair of parties. That discussion is already happening elsewhere and I don't think any of us want to interject ourselves into that debate. Here is a second draft attempting to provide more clarity to the questions and gather the information the TC wanted without becoming embroiled in the general debate.


----------------------- draft starts below --------------------

Considering the number of customer requests for interoperable security profiles and the lack of a standardized policy framework for negotiating a security profile to use for WSRP-related messages, the WSRP TC is seeking input about whether simple interim, interoperable profiles could be defined for the use case of multiple vendors' implementations being deployed within a single security domain in the mid-2006 timeframe.

1. The WSRP use case involves an intermediary (the WSRP Consumer) acting on behalf of an End-User when interacting with the web service provider (the WSRP Producer). As a result, there is an interest in transferring the identities of both the WSRP Consumer and the End-User to the WSRP Producer. This results in several questions:

 1.a. Do you support the receipt of multiple identities on a SOAP message which can be separately queried by the provider application?

 1.b. What WS-Security tokens will be supported for transferring identities?

 1.c. Will a mixture of WS-Security tokens and transport-level identity transfer be supported?

 1.d. Any restrictions on how multiple identities can be attached to a particular SOAP message?


2. What security granularity is expected when transferring an identity (for example, portals often have a concept of user role that relates to the End-User's current use of the portal rather than their identity ... is the transfer of such attributes supported)?


3. Is support for maintaining security contexts for multiple web service requests anticipated? If so, using what security technology?


4. Is automated configuration of all endpoints supported? If so, how are any particular inputs to the process indicated, supported, standardized and maintained?



Rich Thompson
OASIS WSRP TC Chair


Subbu Allamaraju <subbu@bea.com>
10/12/05 11:58 AM
To: wsrp@lists.oasis-open.org
cc:
Subject: Re: [wsrp] draft security profile questions

On question (5) below, are you referring to something like
WS-SecureConversation?

Subbu

Rich Thompson wrote:
>
> Please provide feedback on the questions we want to use for contacting
> our various security teams about the possibility of building one or two
> simple security profiles for use while waiting for standardized policy
> frameworks to emerge. Hopefully we can agree on a short set of questions
> over the next week such that the gathering of input can begin shortly
> after that.
>
> ----------------------- draft starts below --------------------
>
> Considering the number of customer requests for interoperable security
> profiles and the lack of a standardized policy framework for negotiating
> a security profile to use for WSRP-related messages, the WSRP TC is
> seeking input about whether simple interoperable profiles could be
> defined. In particular, which of the following items is expected to be
> supported in the mid-2006 timeframe:
>
>    1. Transferring a Consumer identity via SSL/TLS, an End-User identity
>       via a WS-Security token and exposing both to applications.
>    2. Transferring a Consumer identity via a digital signature, an
>       End-User identity via a WS-Security token and exposing both to
>       applications.
>    3. Which WS-Security tokens do you expect to be supporting?
>    4. If SAML is supported, what user attributes will be supported?
>    5. Is support for maintaining security contexts for multiple web
>       service requests anticipated? If so, using what technology?
>    6. Is automated configuration supported? If so, are any particular
>       inputs to the process required?
>
> --------------------------------------------------------------------- To
> unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail. You may a link to this group and all your TCs in
> OASIS at:
>
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php


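As an added illustration of draft questions 1.a, 1.c and 1.d (example code written for this archive page, not from the thread or from any WSRP implementation): a Producer-side check that builds a constructed WSRP SOAP request, exposes the Consumer and End-User identities as separately queryable values, and rejects a message whose identity set is ambiguous or whose Consumer identity arrives both at the transport level and as a token. The namespace and ValueType URIs are the real OASIS ones; the token values, the getMarkup body and the transport_subject parameter are assumptions.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Real OASIS namespace and ValueType URIs; every token value below is constructed.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
NS = {"soap": SOAP, "wsse": WSSE}

def build_request(end_user, consumer_cert_b64=None):
    """Constructed WSRP getMarkup request: End-User as a UsernameToken, Consumer
    optionally as an X.509 BinarySecurityToken (else it authenticated via TLS)."""
    cert = (f'<wsse:BinarySecurityToken ValueType="{X509V3}">{consumer_cert_b64}'
            '</wsse:BinarySecurityToken>' if consumer_cert_b64 else "")
    return (f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}"><soap:Header>'
            f'<wsse:Security>{cert}<wsse:UsernameToken><wsse:Username>{escape(end_user)}'
            '</wsse:Username></wsse:UsernameToken></wsse:Security></soap:Header>'
            '<soap:Body><getMarkup xmlns="urn:oasis:names:tc:wsrp:v1:types"/></soap:Body>'
            '</soap:Envelope>')

def extract_identities(soap_xml, transport_subject=None):
    """Producer-side answer to 1.a/1.c/1.d: return Consumer and End-User identities as
    separately queryable values, or reject an ambiguous identity set.
    transport_subject: subject of the Consumer's TLS client cert, if any (hypothetical)."""
    sec = ET.fromstring(soap_xml).find("soap:Header/wsse:Security", NS)
    if sec is None:
        raise ValueError("no wsse:Security header: End-User identity missing")
    users = sec.findall("wsse:UsernameToken/wsse:Username", NS)
    certs = sec.findall("wsse:BinarySecurityToken", NS)
    # Restriction (1.d): exactly one End-User token and at most one Consumer token,
    # otherwise the Producer cannot tell which identity belongs to which party.
    if len(users) != 1 or len(certs) > 1:
        raise ValueError("ambiguous identity set on the SOAP message")
    if transport_subject and certs:
        raise ValueError("Consumer identity supplied both at transport level and as a token")
    if transport_subject:
        consumer = ("tls-client-cert", transport_subject)
    elif certs:
        consumer = ("x509-token", certs[0].text)  # raw cert bytes, still to be validated
    else:
        raise ValueError("no Consumer identity on the message or the transport")
    return {"consumer": consumer, "end_user": users[0].text}

def is_rejected(soap_xml, transport_subject=None):
    """True when the Producer would refuse the message."""
    try:
        extract_identities(soap_xml, transport_subject)
        return False
    except ValueError:
        return True
```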