
Subject: Re: [sca-policy] Issue 32


I think we should introduce a new intent called 'mutualAuthentication' to resolve the issue.

I don't read the existing intent the same way you do. To me, it reads such that it's all about clients authenticating to services. I'm not sure how to clarify the existing intent but it seems we need to.

Dave Booz
STSM, BPM and SCA Architecture
Co-Chair OASIS SCA-Policy TC and SCA-J TC
"Distributed objects first, then world hunger"
Poughkeepsie, NY (845)-435-6093 or 8-295-6093
e-mail: booz@us.ibm.com


From: ashok malhotra <ashok.malhotra@oracle.com>
To: OASIS Policy <sca-policy@lists.oasis-open.org>
Date: 11/17/2008 03:22 PM
Subject: [sca-policy] Issue 32


http://www.osoa.org/jira/browse/POLICY-32

The title of this issue is "Security intent which allows a client to
authenticate a server".
But let us look at the authentication intent which is currently in the
spec. Lines 1856-1859 in WD09:

authentication – the authentication intent is used to indicate that
a client must authenticate itself in order to use an SCA service.
Typically, the client security infrastructure is responsible for the
server authentication in order to guard against a "man in the middle"
attack.


I read this as saying that:

1. The server must always authenticate itself to the client.
2. If this intent is used it requires mutual authentication of the
client and server.


Thus, it seems to me that the definition of the intent covers the issue
and we need not do anything, unless we want to cover the situation where
the server is not authenticated by the client. In that case, the default
is no authentication and we need two intents:

- One to cover the case where the client authenticates the server
- The second to cover the case where the client and server authenticate
each other (mutual authentication).


--
All the best, Ashok
