Subject: Re: [soa-rm-ra] Follow-up to 7-5-08 Telecom
Hi Michael,

I think I'd like to rearrange the words a bit more. The RM states

<RM>
The execution context of a service interaction is the set of infrastructure elements, process entities, policy assertions and agreements that are identified as part of an instantiated service interaction, and thus forms a path between those with needs and those with capabilities. As discussed in previous sections of this document, the service description (and a corresponding description associated with the service consumer and its needs) contains information that can include preferred protocols, semantics, policies and other conditions and assumptions that describe how a service can and may be used. The participants (providers, consumers, and any third parties as noted below) must agree and acknowledge a consistent set of agreements in order to have a successful service interaction, i.e. realizing the described real world effects. The execution context is the collection of this consistent set of agreements.
</RM>

So part of the execution context will likely be the security policies in effect for the interaction. Mechanisms must be available to monitor conditions and use the collected metrics as needed to evaluate policy compliance, and there should also be mechanisms for policy enforcement based on the evaluations. If there are alternative methods for compliance evaluation or enforcement, the execution would include agreements on the mechanisms to use, either decided real-time or documented from prior agreements. The policies will elaborate on the expected level of protection of confidentiality and integrity of message exchanges and on what may be required in the way of support for security between different communication technologies; the execution context will enumerate which policies are in effect.
The SOA infrastructure will likely provide centralized or decentralized policy-based identification, authentication, and authorization; the execution context may specify which of these should be used for the interaction. Availability and scalability are more general requirements of the security infrastructure and are probably not included in the execution context because they are properties of the implemented system and not the interaction using the system.

So after a lengthy public thought process, I'd suggest

The mechanisms through which SOA security will be evaluated and enforced should:
* [5 existing bullets]
* be consistent with the agreements specified in the execution context for the interaction.

Ken

On May 8, 2008, at 6:03 AM, michael.poulin@uk.fid-intl.com wrote:
------------------------------------------------------------------------------------------
Ken Laskey
MITRE Corporation, M/S H305        phone: 703-983-7934
7515 Colshire Drive                fax: 703-983-1379
McLean VA 22102-7508
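As an added illustration of the mechanism Ken describes (not code from the thread, the RM, or the OASIS reference architecture): the execution context is derived as the consistent set of agreements between a consumer's and a provider's policy assertions, and an actual message exchange is then evaluated against that context so that enforcement can allow or deny it. The policy fields, the three-step confidentiality scale, and the sample participants are all constructed assumptions for the example.

```python
"""Negotiate an execution context from provider/consumer policy assertions,
then evaluate and enforce a concrete interaction against it (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Confidentiality levels ordered from weakest to strongest (constructed scale).
CONF_LEVELS = {"none": 0, "transport": 1, "message": 2}


@dataclass(frozen=True)
class PolicyAssertion:
    """Security-relevant policy assertions one participant brings to the interaction."""
    protocols: Tuple[str, ...]        # acceptable protocols, in order of preference
    min_confidentiality: str          # weakest confidentiality level this party accepts
    require_integrity: bool           # must messages carry a verified integrity check?
    auth_mechanisms: Tuple[str, ...]  # acceptable authentication mechanisms, by preference


@dataclass(frozen=True)
class ExecutionContext:
    """The consistent set of agreements both participants acknowledged."""
    protocol: str
    confidentiality: str
    integrity_required: bool
    auth_mechanism: str


def negotiate(consumer: PolicyAssertion, provider: PolicyAssertion) -> ExecutionContext:
    """Derive the execution context: take the consumer's most-preferred protocol and
    authentication mechanism that the provider also accepts, and the stricter of the
    two confidentiality/integrity requirements. Fails if no consistent agreement exists."""
    protocol = next((p for p in consumer.protocols if p in provider.protocols), None)
    if protocol is None:
        raise ValueError("no protocol acceptable to both participants")
    auth = next((a for a in consumer.auth_mechanisms if a in provider.auth_mechanisms), None)
    if auth is None:
        raise ValueError("no authentication mechanism acceptable to both participants")
    confidentiality = max(consumer.min_confidentiality, provider.min_confidentiality,
                          key=CONF_LEVELS.__getitem__)
    return ExecutionContext(
        protocol=protocol,
        confidentiality=confidentiality,
        integrity_required=consumer.require_integrity or provider.require_integrity,
        auth_mechanism=auth,
    )


def evaluate(ctx: ExecutionContext, observed: Dict[str, object]) -> List[str]:
    """Compare metrics collected from an actual message exchange against the
    execution context; return the list of policy violations (empty if compliant)."""
    violations: List[str] = []
    if observed["protocol"] != ctx.protocol:
        violations.append(f"protocol {observed['protocol']!r} is not the agreed {ctx.protocol!r}")
    if CONF_LEVELS[observed["confidentiality"]] < CONF_LEVELS[ctx.confidentiality]:
        violations.append(f"confidentiality {observed['confidentiality']!r} is below agreed {ctx.confidentiality!r}")
    if ctx.integrity_required and not observed["integrity_verified"]:
        violations.append("integrity check required by the execution context but not verified")
    if observed["auth_mechanism"] != ctx.auth_mechanism:
        violations.append(f"auth mechanism {observed['auth_mechanism']!r} is not the agreed {ctx.auth_mechanism!r}")
    return violations


def enforce(ctx: ExecutionContext, observed: Dict[str, object]) -> Tuple[str, List[str]]:
    """Enforcement decision based on the evaluation: allow only when nothing is violated."""
    violations = evaluate(ctx, observed)
    return ("allow" if not violations else "deny", violations)


# Constructed sample participants (hypothetical, not from the RM or the thread).
CONSUMER = PolicyAssertion(protocols=("https", "http"), min_confidentiality="transport",
                           require_integrity=False, auth_mechanisms=("saml", "basic"))
PROVIDER = PolicyAssertion(protocols=("http", "https"), min_confidentiality="none",
                           require_integrity=True, auth_mechanisms=("basic", "saml"))

if __name__ == "__main__":
    ctx = negotiate(CONSUMER, PROVIDER)
    print(ctx)
    print(enforce(ctx, {"protocol": "https", "confidentiality": "message",
                        "integrity_verified": True, "auth_mechanism": "saml"}))
    print(enforce(ctx, {"protocol": "http", "confidentiality": "none",
                        "integrity_verified": False, "auth_mechanism": "saml"}))
```

The negotiated context records which policies are in effect for this one interaction; availability and scalability of the infrastructure are deliberately left out, matching the point above that they are properties of the system rather than of the interaction.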