OASIS Mailing List Archives

ebxml-msg message



Subject: RE: [ebxml-msg] A question about authorisation [SEC=UNCLASSIFIED]



Hello Ian,
 
In my interpretation of how Pull should work, the approach to take would be the one described in your first bullet point. But this is something we should discuss on the call with the people who were around when this was added to the spec, as your email is a reminder that I had a related question on Pull that I will file a Jira item for.
 
Pim


From: ebxml-msg@lists.oasis-open.org [mailto:ebxml-msg@lists.oasis-open.org] On Behalf Of Otto, Ian
Sent: 01 July 2013 06:44
To: 'Pim van der Eijk'; ebxml-msg@lists.oasis-open.org
Subject: RE: [ebxml-msg] A question about authorisation [SEC=UNCLASSIFIED]

Hi Pim,

Thanks for pointing me at that. I understand that a little better now. SAML is most suited to the primary header. To use it in a secondary header, it would have to be used to sign something. Like an X.509 Certificate, the credential must be exercised to establish ownership.

To give me a little more context on how authorisation works in a hub scenario, with a Pull request, if I have a hub holding a number of messages destined for different Receiving MSHs waiting to be collected, is it normal that:

· Messages would be placed in separate MPCs for each Receiving MSH; or

· Messages would be in a single MPC with an authorisation mechanism determining which Receiving MSH could pick up which message (not that I have found this in the standard); or

· Some other way?

 

Am I on the right track or missing something?

 

Regards, Ian Otto.

 

-----Original Message-----
From: Pim van der Eijk [mailto:pvde@sonnenglanz.net]
Sent: Thursday, 27 June 2013 6:09 PM
To: Otto, Ian; ebxml-msg@lists.oasis-open.org
Subject: RE: [ebxml-msg] A question about authorisation

 

 

Hello Ian,

 

With a pull request there can be two separate WS-Security headers, one a regular one which can be X.509 based and a separate one for authorization targeted to an "ebms" actor/role (see section 7.10 in v3.0 Core). So when you propose a SAML token profile, the question is if it is used as an alternative for the regular WS-Security header and/or this separate authorization header.

 

Pim

 

-----Original Message-----
From: ebxml-msg@lists.oasis-open.org [mailto:ebxml-msg@lists.oasis-open.org] On Behalf Of Mr. Ian Otto
Sent: 27 June 2013 09:19
To: ebxml-msg@lists.oasis-open.org
Subject: [ebxml-msg] A question about authorisation

 

At yesterday's TC meeting, I received the impression that X.509 Certificates could not be used for Pull authorisation. Is that correct?

 

Do you need a username/password for Pull authorisation?

 

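An added sketch (not from the thread, its participants or the specification) of the first option discussed above: a hub keeps one MPC per Receiving MSH and authorises a PullRequest from the credential in the Security header targeted to the "ebms" role. The MPC URIs, user names, passwords, in-memory queues and the simplified envelope layout are constructed, and a UsernameToken is assumed as the token carried in the authorisation header.

```python
import hashlib, hmac
import xml.etree.ElementTree as ET  # stdlib; use a hardened parser for untrusted input
from collections import deque

NS = {
    "S12": "http://www.w3.org/2003/05/soap-envelope",
    "eb": "http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
}

def _kdf(pw, salt=b"constructed-salt"):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

# Constructed hub state: one MPC per Receiving MSH (the first bullet in the thread).
MPC_A = "http://hub.example/mpc/receiver-a"
MPC_B = "http://hub.example/mpc/receiver-b"
QUEUES = {MPC_A: deque(["msg-for-A-1"]), MPC_B: deque(["msg-for-B-1"])}
# username -> (password hash, MPCs that user is authorised to pull from)
USERS = {"receiver-a": (_kdf("pw-a"), {MPC_A}),
         "receiver-b": (_kdf("pw-b"), {MPC_B})}

def make_pull(user, pw, mpc):
    """Build a constructed SOAP 1.2 PullRequest with an "ebms"-targeted Security header."""
    return (f'<S12:Envelope xmlns:S12="{NS["S12"]}" xmlns:eb="{NS["eb"]}" xmlns:wsse="{NS["wsse"]}">'
            f'<S12:Header><eb:Messaging><eb:SignalMessage><eb:PullRequest mpc="{mpc}"/>'
            '</eb:SignalMessage></eb:Messaging>'
            '<wsse:Security S12:role="ebms"><wsse:UsernameToken>'
            f'<wsse:Username>{user}</wsse:Username><wsse:Password>{pw}</wsse:Password>'
            '</wsse:UsernameToken></wsse:Security></S12:Header><S12:Body/></S12:Envelope>')

def handle_pull(envelope_xml):
    """Return the next message on the requested MPC, or None if not authorised or empty."""
    root = ET.fromstring(envelope_xml)
    pull = root.find(".//eb:PullRequest", NS)
    mpc = pull.get("mpc") if pull is not None else None
    for sec in root.iterfind("S12:Header/wsse:Security", NS):
        if sec.get("{%s}role" % NS["S12"]) != "ebms":
            continue  # a regular (e.g. X.509) header is not used for MPC authorisation here
        user = sec.findtext("wsse:UsernameToken/wsse:Username", "", NS)
        pw = sec.findtext("wsse:UsernameToken/wsse:Password", "", NS)
        stored, allowed = USERS.get(user, (b"", frozenset()))
        if hmac.compare_digest(stored, _kdf(pw)) and mpc in allowed and QUEUES.get(mpc):
            return QUEUES[mpc].popleft()
    return None  # default deny: no ebms-targeted header, bad credential or wrong MPC
```
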


