John:

Yes, it was always the intent to require support for (at least) PullRequest authorization. So we'll make that more explicit. What was not so clear was whether support for authorization of other kinds of messages was to be mandatory too, in an implementation (e.g. some User messages could be "authorized" for some Service/Action, and not for others). The proposed rewording will NOT make authorization beyond PullRequest mandatory in the conf profile (although an implementation may decide to support this in extra).

> As we discussed, X.509 cert authentication should also be available as an option to username/password authentication.

So there are two ways to deal with this in AS4 (only the first one is an option for the other ebMS3 Conformance Profiles):

(a) If it really has to be optional *in AS4 implementations*, then do not mention this in the AS4 profile: the conformance profile only makes a statement on what minimal capability must be supported by a conforming implementation, here username/password authentication. You can always support X.509 on top of this, and you can always decide to use it with your partner.

(b) If we want AS4 implementations to always allow for this (so it's just a matter of configuration for users to decide to use it or not), then in AS4 we can add this to the new "additional features" section. Meaning, as an implementation conforming to AS4, it must support it.

So we'll have to decide in AS4 about (a) or (b).

Regards,
Jacques
Hi Jacques,

I think it's better to be more specific and go with the sentence at the end that indicates Authorization for the pull signal must be supported. It would be a huge security risk to allow non-authenticated pull signals, so this should be mandatory.

As we discussed, X.509 cert authentication should also be available as an option to username/password authentication.

Best Regards,
John
Should we be more explicit about the level of support expected for message authorization, as discussed in AS4 SC?

The Gateway conf profiles say:

- Support for message authorization at P-Mode level (see 7.10 in [ebMS3]) using wsse:UsernameToken profile, in particular authorization of the Pull signal for a particular MPC.

Should we say instead:

- Support for message authorization at P-Mode level (see 7.10 in [ebMS3]) using wsse:UsernameToken profile. Authorization of the Pull signal, for a particular MPC, must be supported at minimum.

Jacques
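The check the thread is asking conformance profiles to make mandatory, namely that a receiving MSH refuses a PullRequest signal unless it carries a wsse:UsernameToken that the P-Mode for the requested MPC authorizes, can be written as a small validator. The code below is an added illustration and is not from this thread, from OASIS, or from any AS4 implementation. It assumes: a dictionary `PMODE_PULL_AUTH` standing in for the P-Mode parameters that bind an MPC to expected credentials; that the authorization token sits in a wsse:Security header targeted at SOAP role "ebms" (my reading of ebMS3 section 7.10); and the WSS UsernameToken profile's PasswordDigest rule, Base64(SHA-1(nonce + created + password)). The sample envelopes are constructed inline by `build_pull_request`.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {
    "env": "http://www.w3.org/2003/05/soap-envelope",
    "eb": "http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
PASSWORD_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
PASSWORD_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"

# Constructed stand-in for P-Mode security parameters: which username/password a
# puller must present for each MPC, and whether a digest (not clear text) is required.
MPC_A = "http://example.org/mpc/partner-a"
MPC_B = "http://example.org/mpc/partner-b"
PMODE_PULL_AUTH = {
    MPC_A: {"username": "partnerA", "password": "s3cret-A", "digest": True},
    MPC_B: {"username": "partnerB", "password": "s3cret-B", "digest": False},
}


def expected_digest(nonce_b64, created, password):
    """WSS UsernameToken PasswordDigest: Base64(SHA-1(nonce_bytes + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def authorize_pull_request(envelope_xml):
    """Return (ok, reason). ok is True only when the PullRequest carries a UsernameToken
    in the 'ebms' security header matching the P-Mode entry for its MPC."""
    root = ET.fromstring(envelope_xml)
    pull = root.find("env:Header/eb:Messaging/eb:SignalMessage/eb:PullRequest", NS)
    if pull is None:
        return False, "not a PullRequest signal"
    mpc = pull.get("mpc")
    pmode = PMODE_PULL_AUTH.get(mpc)
    if pmode is None:
        return False, f"no P-Mode authorizes pulls on MPC {mpc!r}"
    # Look only at the wsse:Security header addressed to the "ebms" role (assumption, see lead-in).
    token = None
    for sec in root.findall("env:Header/wsse:Security", NS):
        if sec.get(f"{{{NS['env']}}}role") == "ebms":
            token = sec.find("wsse:UsernameToken", NS)
    if token is None:
        return False, "unauthenticated pull: no UsernameToken for role 'ebms'"
    username = token.findtext("wsse:Username", default="", namespaces=NS)
    pw = token.find("wsse:Password", NS)
    if pw is None or username != pmode["username"]:
        return False, "username does not match P-Mode for this MPC"
    presented = pw.text or ""
    if pmode["digest"]:
        if pw.get("Type") != PASSWORD_DIGEST:
            return False, "P-Mode requires PasswordDigest"
        nonce = token.findtext("wsse:Nonce", default="", namespaces=NS)
        created = token.findtext("wsu:Created", default="", namespaces=NS)
        if not nonce or not created:
            return False, "digest token missing Nonce/Created"
        # Constant-time comparison so a mismatch does not leak where the digest diverged.
        if not hmac.compare_digest(presented, expected_digest(nonce, created, pmode["password"])):
            return False, "password digest mismatch"
    else:
        if pw.get("Type") not in (None, PASSWORD_TEXT) or not hmac.compare_digest(presented, pmode["password"]):
            return False, "password mismatch"
    return True, f"pull on {mpc} authorized for {username}"


def build_pull_request(mpc, username=None, password=None, digest=False,
                       nonce_b64="c2FtcGxlLW5vbmNl", created="2024-01-01T00:00:00Z"):
    """Construct a SOAP 1.2 PullRequest envelope (sample data, not a captured message)."""
    sec = ""
    if username is not None:
        if digest:
            pw = (f'<wsse:Password Type="{PASSWORD_DIGEST}">{expected_digest(nonce_b64, created, password)}'
                  f'</wsse:Password><wsse:Nonce>{nonce_b64}</wsse:Nonce><wsu:Created>{created}</wsu:Created>')
        else:
            pw = f'<wsse:Password Type="{PASSWORD_TEXT}">{password}</wsse:Password>'
        sec = (f'<wsse:Security env:role="ebms"><wsse:UsernameToken><wsse:Username>{username}'
               f'</wsse:Username>{pw}</wsse:UsernameToken></wsse:Security>')
    return (f'<env:Envelope xmlns:env="{NS["env"]}" xmlns:eb="{NS["eb"]}" '
            f'xmlns:wsse="{NS["wsse"]}" xmlns:wsu="{NS["wsu"]}"><env:Header>{sec}'
            f'<eb:Messaging><eb:SignalMessage><eb:MessageInfo><eb:Timestamp>{created}</eb:Timestamp>'
            f'<eb:MessageId>constructed-id@example.org</eb:MessageId></eb:MessageInfo>'
            f'<eb:PullRequest mpc="{mpc}"/></eb:SignalMessage></eb:Messaging></env:Header>'
            f'<env:Body/></env:Envelope>')


if __name__ == "__main__":
    cases = {
        "good digest pull on A": build_pull_request(MPC_A, "partnerA", "s3cret-A", digest=True),
        "no token (must be refused)": build_pull_request(MPC_A),
        "A's credentials used on B's MPC": build_pull_request(MPC_B, "partnerA", "s3cret-A"),
        "clear-text password where digest required": build_pull_request(MPC_A, "partnerA", "s3cret-A"),
        "good text pull on B": build_pull_request(MPC_B, "partnerB", "s3cret-B"),
    }
    for label, msg in cases.items():
        print(f"{label}: {authorize_pull_request(msg)}")
```

The point of keying the lookup on the MPC first is that "authorized" here means authorized for a particular MPC, which is what the proposed wording calls out: a token that is valid for one partner's channel must not let its holder pull from another's.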