OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

regrep-security message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: RE: [regrep-security] Updated ebRS section 9.7 Access Control


Thanks for your comments - I think they improved the presentation overall.
This is for v2.1. My apologies for not getting to it till now.
Some comments below. Comments, anybody else?

Here is the edited version

Sterling Commerce, Inc.

-----Original Message-----
From: Munter, Joel D [mailto:joel.d.munter@intel.com]
Sent: Tuesday, May 28, 2002 10:25 AM
To: 'Damodaran, Suresh'; 'regrep-security@lists.oasis-open.org'
Subject: RE: [regrep-security] Updated ebRS section 9.7 Access Control


Is this intended for v2.1 or v3?  Some of my comments may be more
appropriate as V3.  You make the call.

The following:
	"Any Registry Client can access the content without 
	requiring authentication. However, unauthenticated 
	clients can only access some read-only (getXXX) 
	methods permitted for GuestReader role. The Registry 
	must assign the default GuestReader role to such 
	Registry Clients."
Has contradictory first and second sentences.  Please consider deleting the
first sentence.


The following:
	"Anyone can publish content, but MUST  be a Registered User"
May be better said by the following:
	"To publish content, you MUST  be a Registered User"


I am a little confused by the following:
	"The Submitting Organization has access 
	to all methods for Registry Objects created by it." 
Who is "it" at the end of this sentence?  Unless I am wrong, the SO cannot
create methods.  Nor can it "create" Registry Objects.  Isn't the SO limited
to "registering" stuff?

> Yes, SO is limited to "registering" - fixed.

This bullet implies that all submitters must obtain a "certificate."
	"At the time of content submission, the Registry 
	must assign the default ContentOwner role to the 
	Submitting Organization (SO) as authenticated by 
	the credentials in the submission message. In the 
	current version of this specification, the Submitting 
	Organization will be the DN (Distinguished Name) as 
	identified by the certificate."

But this section says nothing about where to obtain certificates.  Also
where do the credentials go in the "submission message?"  Should we be more
explicit here?  Who are valid Certificate Authorities?  What else
constitutes a valid certificate?  What else needs to be there?  Should we be
more specific here?

>These are good questions - possibly good to address in V3.0. I have made
some changes.
The certificates are those used for authentication (mentioned in Signing
 but that section also will be revised for V3.0 when SO and RO can be


-----Original Message-----
From: Damodaran, Suresh [mailto:Suresh_Damodaran@stercomm.com]
Sent: Friday, May 24, 2002 1:59 PM
To: 'regrep-security@lists.oasis-open.org'
Subject: [regrep-security] Updated ebRS section 9.7 Access Control


Here is the new section 9.7 with some scrubbing done. 
There is the actor to role mapping, and default policies.
When custom policies will be used is also mentioned.
Please let me know what you think.

Sterling Commerce, Inc. 

To subscribe or unsubscribe from this elist use the subscription
manager: <http://lists.oasis-open.org/ob/adm.pl>

Attachment: ebRS- 9.7 Access Control.doc
Description: MS-Word document

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC