OASIS Mailing List Archives

sca-policy message

Subject: Issue 32 revisited


Rich and I had a long talk about this and Rich unearthed some history.

On Oct 22, 2007 Kaanu Joshi gave a number to this issue and said:
This is a requirement that was levied from the OSOA bindings WG:
SCA Policy should define an intent which enables a client to request 
that a server authenticate itself to the client, so that the client 
knows it can trust the server.
See http://lists.oasis-open.org/archives/sca-policy/200710/msg00083.html

The "authentication" intent that is currently defined in the spec says

*authentication* – the authentication intent is used to indicate that 
a client must authenticate itself in order to use an SCA service. 
Typically, the client security infrastructure is responsible for the 
server authentication in order to guard against a "man in the middle" 
attack.

Rich and I read this to mean:  the client always authenticates itself to the 
server and the server MAY authenticate itself to the client, although, we admit,
that the MAY is our interpretation of the words and others may read them differently.

So, it seems to us that if we tighten up the wording to say that the 
server MUST authenticate itself to the client
then we have mutual authentication, which is what the issue asks for.

But let's go another step. Consider a situation where a service and 
reference are wired together and both sides require the authentication 
intent. To me, this means that the server authenticates itself to the 
client and the client authenticates to the server. These seem like 
different policies and so the policies would not match even though the 
intents match. This may be a WS-Policy problem, not an SCA problem.


-- 
All the best, Ashok
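The mismatch Ashok describes (same intent name on both sides of a wire, different concrete policies) can be made visible by running a policy intersection over the three readings of the "authentication" intent discussed in the message. The block below is an added example written for this archive page; it is not code from the OASIS SCA Policy specification, from any SCA runtime, or from the message author. The assertion names (`ex:AuthenticateClient`, `ex:AuthenticateServer`), the three intent-to-assertion mappings, and the `READINGS` table are assumptions chosen to model the message's argument. The intersection rule is the domain-independent one from WS-Policy 1.5: two alternatives are compatible when they carry the same vocabulary of assertion types.

```python
"""Toy WS-Policy intersection over SCA intents.

Added example for the sca-policy thread; not code from the SCA Policy
specification or any SCA implementation. The ex: assertion names and the
intent-to-assertion mappings in READINGS are assumptions used to model
three readings of the "authentication" intent.
"""
from typing import Dict, FrozenSet, List

# One policy alternative is a set of assertion types (QNames, as strings).
Alternative = FrozenSet[str]
# A policy in normal form is a list of alternatives; any one may be chosen.
Policy = List[Alternative]

CLIENT_AUTH = "ex:AuthenticateClient"   # hypothetical: client proves identity to server
SERVER_AUTH = "ex:AuthenticateServer"   # hypothetical: server proves identity to client


def compatible(a: Alternative, b: Alternative) -> bool:
    """WS-Policy 1.5 domain-independent intersection: two alternatives are
    compatible only if they have the same vocabulary (same assertion types).
    Parameters of individual assertions are ignored in this mode."""
    return a == b


def intersect(requester: Policy, provider: Policy) -> Policy:
    """Effective policy: every pair of compatible alternatives."""
    return [a for a in requester for b in provider if compatible(a, b)]


# Assumed mappings from the "authentication" intent to assertions, one per
# reading of the spec text quoted in the message. "service" is the policy
# attached to the SCA service; "reference" the policy attached to the
# SCA reference wired to it.
READINGS: Dict[str, Dict[str, Policy]] = {
    # Strict reading: each side only demands authentication from its peer.
    "one-way": {
        "service":   [frozenset({CLIENT_AUTH})],
        "reference": [frozenset({SERVER_AUTH})],
    },
    # The message's reading: the peer MUST authenticate, the side itself MAY,
    # so each side offers two alternatives and the mutual one is shared.
    "may": {
        "service":   [frozenset({CLIENT_AUTH}),
                      frozenset({CLIENT_AUTH, SERVER_AUTH})],
        "reference": [frozenset({SERVER_AUTH}),
                      frozenset({CLIENT_AUTH, SERVER_AUTH})],
    },
    # Tightened wording: server MUST authenticate too, i.e. mutual on both sides.
    "must": {
        "service":   [frozenset({CLIENT_AUTH, SERVER_AUTH})],
        "reference": [frozenset({CLIENT_AUTH, SERVER_AUTH})],
    },
}


def effective_policy(reading: str) -> Policy:
    """Intersect the reference-side and service-side policies for a reading.
    An empty result means the wire cannot be satisfied even though both
    sides named the same intent."""
    r = READINGS[reading]
    return intersect(r["reference"], r["service"])


def wire_is_satisfiable(reading: str) -> bool:
    return bool(effective_policy(reading))


if __name__ == "__main__":
    for name in READINGS:
        print(f"{name:8s} -> {effective_policy(name) or 'NO MATCH'}")
```

Under the strict one-way reading the intersection is empty, which is exactly the "intents match but policies do not" outcome in the message; under either the MAY reading or the tightened MUST reading the shared mutual-authentication alternative survives, so the wire is satisfiable. The assertion names are placeholders; a real binding would map the intent to WS-SecurityPolicy assertions, and WS-Policy intersection would then be run on those.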

