RE: [regrep-security] Updated ebRS section 9.7 Access Control

["Damodaran, Suresh" <Suresh_Damodaran@stercomm.com>]

Joel,

Thanks for your comments - I think they improved the presentation overall.
This is for v2.1. My apologies for not getting to it till now.
Some comments below. Comments, anybody else?

Here is the edited version


-Suresh
Sterling Commerce, Inc.


-----Original Message-----
From: Munter, Joel D [mailto:joel.d.munter@intel.com]
Sent: Tuesday, May 28, 2002 10:25 AM
To: 'Damodaran, Suresh'; 'regrep-security@lists.oasis-open.org'
Subject: RE: [regrep-security] Updated ebRS section 9.7 Access Control


Suresh,

Is this intended for v2.1 or v3?  Some of my comments may be more
appropriate as V3.  You make the call.

The following:
	"Any Registry Client can access the content without 
	requiring authentication. However, unauthenticated 
	clients can only access some read-only (getXXX) 
	methods permitted for GuestReader role. The Registry 
	must assign the default GuestReader role to such 
	Registry Clients."
Has contradictory first and second sentences.  Please consider deleting the
first sentence.

>Fixed

The following:
	"Anyone can publish content, but MUST  be a Registered User"
May be better said by the following:
	"To publish content, you MUST  be a Registered User"

>Fixed

I am a little confused by the following:
	"The Submitting Organization has access 
	to all methods for Registry Objects created by it." 
Who is "it" at the end of this sentence?  Unless I am wrong, the SO cannot
create methods.  Nor can it "create" Registry Objects.  Isn't the SO limited
to "registering" stuff?

> Yes, SO is limited to "registering" - fixed.

This bullet implies that all submitters must obtain a "certificate."
	"At the time of content submission, the Registry 
	must assign the default ContentOwner role to the 
	Submitting Organization (SO) as authenticated by 
	the credentials in the submission message. In the 
	current version of this specification, the Submitting 
	Organization will be the DN (Distinguished Name) as 
	identified by the certificate."

But this section says nothing about where to obtain certificates.  Also
where do the credentials go in the "submission message?"  Should we be more
explicit here?  Who are valid Certificate Authorities?  What else
constitutes a valid certificate?  What else needs to be there?  Should we be
more specific here?

>These are good questions - possibly good to address in V3.0. I have made
some changes.
The certificates are those used for authentication (mentioned in Signing
sections)
 but that section also will be revised for V3.0 when SO and RO can be
different 

Joel


-----Original Message-----
From: Damodaran, Suresh [mailto:Suresh_Damodaran@stercomm.com]
Sent: Friday, May 24, 2002 1:59 PM
To: 'regrep-security@lists.oasis-open.org'
Subject: [regrep-security] Updated ebRS section 9.7 Access Control



Team,

Here is the new section 9.7 with some scrubbing done. 
There is the actor to role mapping, and default policies.
When custom policies will be used is also mentioned.
Please let me know what you think.

----------------- 
Thanks, 
-Suresh 
Sterling Commerce, Inc. 

----------------------------------------------------------------
To subscribe or unsubscribe from this elist use the subscription
manager: <http://lists.oasis-open.org/ob/adm.pl>

Attachment: ebRS- 9.7 Access Control.doc
Description: MS-Word document