

Subject: RE: [ebxml-msg] Message authorization in conf profiles


John:
 
Yes, it was always the intent to require support for at least PullRequest authorization.
So we'll make that more explicit.
What was not so clear was whether support for authorization of other kinds of messages was to be mandatory too, in an implementation. (e.g. some User messages could be "authorized" for some Service/Action, and not for others).
The proposed rewording will NOT make authorization beyond PullRequest mandatory in the conf profile (although an implementation may decide to support this in addition).
 
>As we discussed, X.509 cert authentication should also be available as an option to username/password authentication.
 
So there are two ways to deal with this in AS4 (only the first one is an option for the other ebMS3 Conformance Profiles):
 
(a)  If it really has to be optional *in AS4 implementations*, then do not mention this in the AS4 profile: the conformance profile only makes a statement on what minimal capability must be supported by a conforming implementation - here username/password authentication. You can always support X.509 on top of this, and you can always decide to use it with your partner.
 
(b)  If we want AS4 implementations to always allow for this (so it's just a matter of configuration for users to decide to use it or not), then in AS4 we can add this to the new "additional features" section. Meaning as an implementation conforming to AS4 it must support it.
 
So we'll have to decide in AS4 about (a) or (b).
 
Regards,
Jacques


From: John Voss (jovoss) [mailto:jovoss@cisco.com]
Sent: Tuesday, October 28, 2008 6:14 PM
To: Durand, Jacques R.; ebxml-msg@lists.oasis-open.org
Subject: RE: [ebxml-msg] Message authorization in conf profiles

Hi Jacques,
 
I think it's better to be more specific and go with the sentence at the end that indicates Authorization for the pull signal must be supported.
 
It would be a huge security risk to allow non-authenticated pull signals, so this should be mandatory.
 
As we discussed, X.509 cert authentication should also be available as an option to username/password authentication.
 
Best Regards,
 
John


From: Durand, Jacques R. [mailto:JDurand@us.fujitsu.com]
Sent: Tuesday, October 28, 2008 5:59 PM
To: ebxml-msg@lists.oasis-open.org
Subject: [ebxml-msg] Message authorization in conf profiles

Should we be more explicit about the level of support expected for message authorization, as discussed in AS4 SC:
 
 The Gateway conf profiles say:

Should we say instead:

Support for message authorization at P-Mode level (see 7.10 in [ebMS3]) using wsse:UsernameToken profile. Authorization of the Pull signal - for a particular MPC - must be supported at minimum.

 

Jacques
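
Added example, not part of the original thread or of any OASIS text: a minimal receiver-side check that authorizes a PullRequest for a particular MPC from a wsse:UsernameToken and fails closed when the token is missing or does not match. The MPC URI, credentials, the `PULL_AUTHZ` table and both function names are constructed for illustration; the envelope is simplified (no MessageInfo, plain-text password, no transport or digest protection shown).

```python
import hmac
import xml.etree.ElementTree as ET

NS = {
    "S": "http://www.w3.org/2003/05/soap-envelope",
    "eb": "http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
}

MPC_A = "http://msh.example.com/mpc/partnerA"  # constructed MPC URI
# Constructed P-Mode-style table: MPC -> (username, password) allowed to pull it.
PULL_AUTHZ = {MPC_A: ("partnerA", "constructed-secret-A")}


def authorize_pull(envelope_xml, authz=PULL_AUTHZ):
    """Return the MPC if the PullRequest is authorized for it, else None."""
    root = ET.fromstring(envelope_xml)
    pull = root.find("S:Header/eb:Messaging/eb:SignalMessage/eb:PullRequest", NS)
    if pull is None:
        return None  # not a pull signal
    mpc = pull.get("mpc")
    expected = authz.get(mpc)
    token = root.find("S:Header/wsse:Security/wsse:UsernameToken", NS)
    if expected is None or token is None:
        return None  # unknown MPC or unauthenticated pull: reject
    user = token.findtext("wsse:Username", default="", namespaces=NS)
    pw = token.findtext("wsse:Password", default="", namespaces=NS)
    # Compare both fields in constant time; do not short-circuit on the first.
    ok_user = hmac.compare_digest(user.encode(), expected[0].encode())
    ok_pw = hmac.compare_digest(pw.encode(), expected[1].encode())
    return mpc if (ok_user and ok_pw) else None


def sample_pull(mpc, user=None, pw=None):
    """Build a constructed SOAP 1.2 envelope carrying an ebMS3 PullRequest."""
    sec = ""
    if user is not None:
        sec = (f'<wsse:Security xmlns:wsse="{NS["wsse"]}"><wsse:UsernameToken>'
               f'<wsse:Username>{user}</wsse:Username>'
               f'<wsse:Password>{pw}</wsse:Password>'
               f'</wsse:UsernameToken></wsse:Security>')
    return (f'<S:Envelope xmlns:S="{NS["S"]}" xmlns:eb="{NS["eb"]}"><S:Header>'
            f'<eb:Messaging><eb:SignalMessage><eb:PullRequest mpc="{mpc}"/>'
            f'</eb:SignalMessage></eb:Messaging>{sec}</S:Header>'
            f'<S:Body/></S:Envelope>')
```

The credentials are bound to one MPC, so a valid token for one channel does not authorize pulling from another.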


