Subject: Re: [regrep] [RS Issue] HTTP connection taking longer than TTL
Matthew MacKenzie wrote:
> Farrukh Najmi wrote:
>> Matthew MacKenzie wrote:
>>> Farrukh,
>>>
>>> I haven't hashed out a solution as of yet, but I was thinking along the lines of adding optional mutually authenticated SSL to the Federation protocol. This way, all members of a federation would be trusted by virtue of their connections to each other being encrypted using keys that are trusted. Some kind of self-signed certificate exchange like is done in ebMS might just allow us to cut down some of the processing and comm (SSL/TLS can also do some compression) overhead.
>>
>> Good point.
>>
>> SSL-based communication between Registry Client and Registry is already specified in section 10.3.1. I assume most registry-to-registry communication *WILL* be over SSL. Does that address the issue?
>
> Technically, yes, but I think we should mention that if registry-to-registry communication is via mutually authenticated SSL, requests and responses should not be signed.

Agreed. I have replaced it with the following text:

"9.2.7 Federations and Security

Federated operations abide by the same security rules as standard operations against a single registry. However, federation operations often require registry-to-registry communication. Such communication is governed by the same security rules as Registry Client to registry communication. The only difference is that the requesting registry plays the role of Registry Client. Such registry-to-registry communication SHOULD be conducted over a secure channel such as HTTP/S. Federation members SHOULD be part of the same SAML Federation if member registries implement the Registry SAML Profile described in chapter 11."

Also added:

10.3.2.6 SOAP Message Security and HTTP/S

When using HTTP/S between a Registry Client and a registry, SOAP message security MUST NOT be used. Specifically:

* The Registry Client MUST NOT sign the request message or any repository items in the request.
* The registry MUST NOT verify request or RepositoryItem signatures.
* The registry MUST NOT sign the response message or any repository items in the response.
* The Registry Client MUST NOT verify response or RepositoryItem signatures.

Let me know if this is an adequate resolution of the issue. Thanks.

> -Matt
>
> To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/regrep/members/leave_workgroup.php.

--
Regards,
Farrukh