[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [amqp] Groups - Advanced Message Queuing Protocol (AMQP) Claims-based Security Version 1.0 uploaded
Hi David,

Please find my comments on the AMQP-CBS specs below ...

Thanks & Regards
Jakub

----------

- In chapter 3 you mention that the CBS-based authentication / authorization is connection-scoped. Would it be possible to have multiple connections using the same token (i.e. where each connection establishes its own link to the CBS node, but uses exactly the same token)? Would it be possible to use the same token again after the original connection was closed (i.e. reconnect after a network outage using the same token)?

- Do we expect some specific action to be taken by the resource manager / CBS node after the token expires? Do we expect it to terminate the affected links / connections etc.? Or is that up to the specific implementations?

- From my experience, the time is almost never in sync between our servers and the customer servers. Do we want to consider having some "expiration warnings" sent by the CBS node before the token expires - maybe as an optional part of the specification? Or do you think that this is not necessary and we can leave that to the clients to take care of? The JWT specification seems to mention a possibility to provide a leeway when evaluating the expiration - "Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew." - do we want to inherit this option for AMQP Claims-Based Security?

- Both JWT and SWT already have support for expiration and JWT even has a reserved field for a "Not before" timestamp. The put-token request in 4.1.1 is using another expiration field as an application property. What is the relation between the expiration as an application property and the expiration in the token? Is it supposed to be the same value as inside the token? Or is it expected to work as "the token expires when either the application property timestamp expires or the token timestamp expires"?

- In chapter 2.1.1 you seem to expect either an expiry time or a TTL. But chapter 4.1.1 seems to work only with the expiry time. It doesn't mention TTL anymore.

- Chapter 3.1.2 is not entirely easy to understand. It might be useful to add a diagram to better explain the example, especially since it might serve as an inspiration for the implementations. Does the attached diagram capture the idea from the example? (See attached file: cbs.pdf)

- In the JWT specs, the audience is defined as "identifies the audiences that the JWT is intended for". I believe the meaning in SWT is similar. The name in SWT "Identifies the party that issues the SWT". In 4.1.1, the put-token request has a property with key "name" which should contain the "audience". Since the term "audience" seems to be mentioned for the first time in the application property description, can you please clarify what exactly we expect?

- From the specification, I expected that the client might have multiple active tokens - e.g. token1 allowing it to write to q1 or token2 allowing it to read from q2. How will the client specify in the delete-token request (chapter 4.2.1) which particular token should be deleted? Is this what the name is supposed to be used for?

- The document doesn't specify any particular claims which the CBS nodes / resource managers should support. Is it intentional to leave the specific claims which the CBS node / resource manager supports to the implementations? Or is it planned to have a list of basic claims which should be supported by everyone implementing?

----------------------------------------------------------------------------
Deutsche Börse Services s.r.o.
David Ingham <david.ingham@microsoft.com>, sent by <amqp@lists.oasis-open.org>, 03/09/2013 16:07

To: amqp@lists.oasis-open.org
Subject: [amqp] Groups - Advanced Message Queuing Protocol (AMQP) Claims-based Security Version 1.0 uploaded

Document Name: Advanced Message Queuing Protocol (AMQP) Claims-based Security Version 1.0
No description provided.
Submitter: Mr. David Ingham
Group: OASIS Advanced Message Queuing Protocol (AMQP) TC
Folder: Working Documents
Date submitted: 2013-09-03 07:07:44
Attachment:
cbs.pdf
Description: Adobe PDF document
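The token-lifetime questions above (clock skew leeway on exp/nbf, and how a put-token "expiration" application property relates to the token's own expiry) can be made concrete with a small validator. The following is an added example, not code from Jakub's message, from David Ingham's draft, or from any AMQP CBS implementation. It builds and verifies a compact HS256 JWT with the Python standard library, evaluates exp and nbf with a configurable leeway as the JWT text allows, and applies an assumed "earliest expiry wins" rule for combining the token's exp with a separate put-token expiration value. The shared key, the sample claims, the property name `put_token_expiration` and that combination rule are all assumptions made for illustration, not anything the draft specifies.

```python
"""Added example: JWT time-claim evaluation with clock-skew leeway, plus an
assumed rule for combining the token's exp with a put-token expiration value.
Not part of the AMQP CBS draft; property names and the rule are assumptions."""
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT (used only to construct sample tokens here)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256_jwt(token: str, key: bytes) -> dict:
    """Check the HS256 signature and return the claims; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must not be allowed to pick "none" or another alg.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def signature_is_valid(token: str, key: bytes) -> bool:
    try:
        verify_hs256_jwt(token, key)
        return True
    except ValueError:
        return False


def check_time_claims(claims: dict, now: int, leeway: int = 0) -> str:
    """Evaluate exp and nbf (seconds since the epoch) with a clock-skew leeway.

    JWT requires now < exp and now >= nbf; the leeway widens both bounds by the
    given number of seconds. Returns "valid", "expired" or "not-yet-valid".
    """
    exp = claims.get("exp")
    nbf = claims.get("nbf")
    if exp is not None and now >= exp + leeway:
        return "expired"
    if nbf is not None and now < nbf - leeway:
        return "not-yet-valid"
    return "valid"


def effective_expiry(claims: dict, put_token_expiration: Optional[int]) -> Optional[int]:
    """Assumed "earliest wins" rule: the token is usable only until the earlier of
    its own exp claim and the expiration value sent with the put-token request."""
    candidates = [t for t in (claims.get("exp"), put_token_expiration) if t is not None]
    return min(candidates) if candidates else None


def evaluate_put_token(token: str, key: bytes, put_token_expiration: Optional[int],
                       now: int, leeway: int = 0) -> str:
    """Full check a CBS node might perform under the assumptions above."""
    claims = verify_hs256_jwt(token, key)
    status = check_time_claims(claims, now, leeway)
    if status != "valid":
        return status
    expiry = effective_expiry(claims, put_token_expiration)
    if expiry is not None and now >= expiry + leeway:
        return "expired"
    return "valid"


if __name__ == "__main__":
    # Constructed sample data: a shared secret and a fixed "current time".
    KEY = b"example-shared-secret"
    NOW = 1_700_000_000
    token = make_hs256_jwt({"iss": "example-sts", "aud": "example-queue", "exp": NOW + 300}, KEY)
    print(evaluate_put_token(token, KEY, NOW + 60, NOW + 30))   # within both expiries
    print(evaluate_put_token(token, KEY, NOW + 60, NOW + 100))  # put-token expiration passed first
    print(check_time_claims({"exp": NOW - 30}, NOW, leeway=60))  # 30 s skew absorbed by leeway
```

The leeway is applied symmetrically to exp and nbf, which is the usual reading of the JWT text Jakub quotes; a CBS node that wants the "expiration warning" behaviour he suggests would compare `effective_expiry(...)` against its clock some interval before the boundary rather than only at it.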