sca-policy message



Subject: Issue 32


http://www.osoa.org/jira/browse/POLICY-32

The title of this issue is "Security intent which allows a client to authenticate a server".
But let us look at the authentication intent which is currently in the spec. Lines 1856-1859 in WD09:

*authentication* – the authentication intent is used to indicate that a client must authenticate itself in order to use an SCA service. Typically, the client security infrastructure is responsible for the server authentication in order to guard against a "man in the middle" attack.


I read this as saying that:


1. The server must always authenticate itself to the client.
2. If this intent is used it requires mutual authentication of the 
client and server.


Thus, it seems to me, that the definition of the intent covers the issue and we need not do anything unless we want to cover the situation that the server is not authenticated by the client. In that case, the default is no authentication and we need two intents:

- One to cover the case where the client authenticates the server
- The second to cover the case where the client and server authenticate 
each other (mutual authentication).


-- 
All the best, Ashok
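The three situations the message distinguishes (no authentication, the client authenticating the server, and mutual authentication) map directly onto how TLS endpoints are configured. The following added example, which is not part of the original message or of the SCA specification, builds Python `ssl` contexts for each side and classifies a client/server pairing into one of those categories. The function names `client_context`, `server_context` and `authentication_mode` are assumptions made here for illustration; a real deployment would also load a trusted CA bundle with `load_verify_locations` where the comments indicate.

```python
import ssl


def client_context(authenticate_server: bool) -> ssl.SSLContext:
    """Client-side TLS context (assumed helper, not from the SCA spec).

    authenticate_server=True is the "client security infrastructure is
    responsible for the server authentication" case from the spec text:
    the client verifies the server certificate chain and hostname, which
    is what defends against a man-in-the-middle.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if authenticate_server:
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        # In production: ctx.load_verify_locations(cafile="/path/to/ca.pem")
    else:
        # Weak setting: no server authentication at all.
        # check_hostname must be disabled before verify_mode can be CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def server_context(authenticate_client: bool) -> ssl.SSLContext:
    """Server-side TLS context (assumed helper).

    authenticate_client=True demands a client certificate, i.e. the
    "client must authenticate itself" half of the authentication intent.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED if authenticate_client else ssl.CERT_NONE
    # In production the server would also call ctx.load_cert_chain(...)
    # for its own identity and load_verify_locations(...) for client CAs.
    return ctx


def authentication_mode(client: ssl.SSLContext, server: ssl.SSLContext) -> str:
    """Classify a pairing into the categories discussed in the message.

    Returns one of: "none", "server-only", "client-only", "mutual".
    """
    server_authenticated = (
        client.verify_mode == ssl.CERT_REQUIRED and client.check_hostname
    )
    client_authenticated = server.verify_mode == ssl.CERT_REQUIRED
    if server_authenticated and client_authenticated:
        return "mutual"
    if server_authenticated:
        return "server-only"
    if client_authenticated:
        return "client-only"
    return "none"


if __name__ == "__main__":
    for want_server_auth, want_client_auth in [
        (False, False), (True, False), (False, True), (True, True)
    ]:
        mode = authentication_mode(
            client_context(want_server_auth), server_context(want_client_auth)
        )
        print(f"server auth={want_server_auth} client auth={want_client_auth} -> {mode}")
```

The "client-only" row is the configuration the message warns about: the intent as worded requires the client to authenticate, but unless the client also verifies the server the connection is still exposed to a man in the middle, which is why a separate server-authentication intent (or an explicit mutual one) is being asked for.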

