Subject: Re: [amqp] Groups - Advanced Message Queuing Protocol (AMQP) Claims-based Security Version 1.0 uploaded


Hi David,

Please find my comments on the AMQP-CBS specs below ...

Thanks & Regards
Jakub

----------

- In chapter 3 you mention that the CBS based authentication /
authorization is connection-scoped. Would it be possible to have multiple
connections using the same token (i.e. where each connection establishes its
own link to the CBS node, but uses exactly the same token)? Would it be
possible to use the same token again after the original connection was
closed (i.e. reconnect after a network outage using the same token)?

- Do we expect some specific action to be taken by the resource manager /
CBS node after the token expires? Do we expect it to terminate the affected
links / connections etc.? Or is that up to the specific implementations?

- From my experience, the time is almost never in sync between our servers
and the customer servers. Do we want to consider having some "expiration
warnings" sent by the CBS node before the token expires - maybe as an
optional part of the specification? Or do you think that this is not
necessary and we can leave that to the clients to take care of it? The JWT
specification seems to mention a possibility to provide a leeway when
evaluating the expiration - "Implementers MAY provide for some small
leeway, usually no more than a few minutes, to account for clock skew." -
do we want to inherit this option for AMQP Claims-Based Security?

- Both JWT and SWT already have support for expiration and JWT even has a
reserved field for a "Not before" timestamp. The put-token request in 4.1.1
is using another expiration field as an application property. What is the
relation between the expiration as application property and expiration in
the token? Is it supposed to be the same value as inside of the token? Or
is it expected to work as "the token expires when either the application
property timestamp expires or the token timestamp expires"?

- In chapter 2.1.1 you seem to expect either expiry time or TTL. But
chapter 4.1.1 seems to work only with expiry time. It doesn't mention
TTL anymore.

- Chapter 3.1.2 is not entirely easy to understand. It might be useful
to add a diagram to better explain the example, especially since it
might serve as an inspiration for the implementations. Does the attached
diagram capture the idea from the example?

(See attached file: cbs.pdf)

- In the JWT specs, the audience is defined as "identifies the audiences
that the JWT is intended for". I believe the meaning in SWT is similar. The
name in SWT is defined as "Identifies the party that issues the SWT". In 4.1.1, the
put-token request has a property with key "name" which should contain the
"audience". Since the term "audience" seems to be mentioned for the first
time in the application property description, can you please clarify what
exactly we expect?

- From the specification, I expected that the client might have multiple
active tokens - e.g. token1 allowing him to write to q1 or token2 allowing
him to read from q2. How will the client specify in the delete-token
request (chapter 4.2.1) which particular token should be deleted? Is this
what the name is supposed to be used for?

- The document doesn't specify any particular claims which the CBS nodes /
Resource managers should support. Is it intentional to leave the specific
claims which the CBS node / resource manager supports to the
implementations? Or is it planned to have a list of basic claims which
should be supported by everyone implementing it?

----------------------------------------------------------------------------

Deutsche Börse Services s.r.o.
Managing Directors:
Michael Gassmann, Mats Andersson.
Limited liability company with registered office at
Sokolovská 662/136B, CZ-186 00 Prague 8
recorded in the Commercial Register IC: 275 77 015.
Maintained by the city court in Prague,
Sec. C, File No. 116874.


On 03/09/2013 16:07, David Ingham <david.ingham@microsoft.com>,
sent by <amqp@lists.oasis-open.org>, wrote:

To: amqp@lists.oasis-open.org
Subject: [amqp] Groups - Advanced Message Queuing Protocol (AMQP) Claims-based Security Version 1.0 uploaded

Document Name: Advanced Message Queuing Protocol (AMQP) Claims-based Security
Version 1.0
No description provided.
Download Latest Revision
Public Download Link
Submitter: Mr. David Ingham
Group: OASIS Advanced Message Queuing Protocol (AMQP) TC
Folder: Working Documents
Date submitted: 2013-09-03 07:07:44

-----------------------------------------
The information contained in this message is confidential or protected by
law. If you are not the intended recipient, please contact the sender and
delete this message. Any unauthorised copying of this message or
unauthorised distribution of the information contained herein is prohibited.

Legally required information for business correspondence:
http://deutsche-boerse.com/letterhead

Attachment: cbs.pdf
Description: Adobe PDF document
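The clock-skew and "either expiry wins" questions raised in the message above, as an added example that is not part of the original e-mail or of the AMQP CBS draft: the code below decodes a constructed, unsigned JWT-style token and evaluates its `exp`, `nbf` and `aud` claims with a leeway window in the sense of the JWT clause quoted in the message. The combination rule (the token is treated as expired when either the token's `exp` or the put-token `expiration` application property has passed) is one possible reading of the open question, assumed here for illustration only, as is the `expected_audience` parameter. Signature verification is deliberately left out; a real CBS node must verify the signature before trusting any claim.

```python
"""Token expiry evaluation with clock-skew leeway (added example, not spec text)."""
import base64
import json
import time

# Assumption for this example: the put-token 'expiration' application property
# and the token's own 'exp' claim are combined conservatively, i.e. the token is
# treated as expired when EITHER bound has passed. The draft under review leaves
# this open; this is one possible reading, not the specification.

DEFAULT_LEEWAY_SECONDS = 120  # "usually no more than a few minutes"


def _b64url_decode(segment: str) -> bytes:
    """base64url without padding, as used by JWT segments."""
    pad = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + pad)


def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def evaluate_token(token, expected_audience, now=None,
                   leeway=DEFAULT_LEEWAY_SECONDS, put_token_expiration=None):
    """Return (accepted, reason, effective_exp) for a token presented via put-token.

    `now` and `put_token_expiration` are POSIX seconds; `leeway` is applied
    symmetrically to both the 'nbf' and the effective expiry check.
    """
    now = int(time.time()) if now is None else now
    claims = decode_claims(token)

    # 'aud' may be a single string or a list of strings.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        return False, "audience mismatch", None

    exp = claims.get("exp")
    if exp is None:
        return False, "missing exp", None
    # Assumed rule: earliest of token exp and put-token expiration wins.
    effective_exp = exp if put_token_expiration is None else min(exp, put_token_expiration)

    nbf = claims.get("nbf")
    if nbf is not None and now + leeway < nbf:
        return False, "token not yet valid", effective_exp
    if now - leeway >= effective_exp:
        return False, "token expired", effective_exp
    return True, "ok", effective_exp


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed test token with an empty signature segment (example input only)."""
    header = {"alg": "none", "typ": "JWT"}

    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    return f"{enc(header)}.{enc(claims)}."


if __name__ == "__main__":
    now = int(time.time())
    tok = make_unsigned_token({"aud": "amqp://broker/q1", "exp": now + 600, "nbf": now - 10})
    print(evaluate_token(tok, "amqp://broker/q1", now=now))
    # A put-token expiration earlier than the token's exp shortens the lifetime.
    print(evaluate_token(tok, "amqp://broker/q1", now=now + 400, put_token_expiration=now + 200))
```

Note that the leeway is a tolerance for skew between the issuer's and the CBS node's clocks, not an extension of the token's lifetime; the effective expiry returned by `evaluate_token` is what a resource manager would schedule its own tear-down of affected links against, whatever action the final specification ends up prescribing.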