

Subject: RE: [ws-dd] RE: Issue 032 - DPWS - clarify behavior when a device contains secure and insecure services at the same time


That’s a good point—Section 7 is one big security profile, and behavioral recommendations made in other sections should not be contingent upon which security profile is active.

 

The goal of this text is to prevent implementers from mixing and matching security profiles.  Whether it supports “at most one profile” or “exactly one profile” depends on whether you consider an unsecured device to be implementing the profile of no security, or to be implementing no security profile at all.

 

It’s probably clearer to say that the device may support at most one profile.

--D

 

From: Anthony Nadalin [mailto:drsecure@us.ibm.com]
Sent: Wednesday, December 31, 2008 7:30 AM
To: Dan Driscoll
Cc: Ram Jeyaraman; ws-dd@lists.oasis-open.org
Subject: Re: [ws-dd] RE: Issue 032 - DPWS - clarify behavior when a device contains secure and insecure services at the same time

 

>is defined by the transport addresses of the DEVICE: HTTP transport addresses indicate the device supports no security, and HTTPS transport addresses indicate the device supports the security profile defined in this section.
>
>A DEVICE may exclusively support only one security profile at a time, including the profile defined in this section, or no security profile whatsoever.


I think that this is confusing, as no security should mean NO security profile. There is no default profile, I assume. I also assume that we are defining a TLS and an HTTPS profile for now and will be looking at a WS-Security profile.

Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122



From: Dan Driscoll <Dan.Driscoll@microsoft.com>
To: Ram Jeyaraman <Ram.Jeyaraman@microsoft.com>, "ws-dd@lists.oasis-open.org" <ws-dd@lists.oasis-open.org>
Date: 12/22/2008 10:05 AM
Subject: [ws-dd] RE: Issue 032 - DPWS - clarify behavior when a device contains secure and insecure services at the same time





Currently issue 32 is marked pending, but I’ll mail out the text separately since we have an AI on this issue.

Proposed updated text:
7 Security

This section defines a RECOMMENDED baseline for interoperable security between a DEVICE and a CLIENT. A DEVICE (or CLIENT) is free to support other security mechanisms in addition to, or in place of, this mechanism as specified by WSDL [WSDL 1.1], policies [WS-Policy], or by other mechanisms means.

In the absence of an explicit indication stating that a different security mechanism is to be used, the default security mechanism defined here is assumed to apply is defined by the transport addresses of the DEVICE: HTTP transport addresses indicate the device supports no security, and HTTPS transport addresses indicate the device supports the security profile defined in this section.

A DEVICE may exclusively support only one security profile at a time, including the profile defined in this section, or no security profile whatsoever.


This informative text will be supported by normative statements about the concrete minimum security model.

From: Ram Jeyaraman [mailto:Ram.Jeyaraman@microsoft.com]
Sent: Wednesday, September 17, 2008 10:27 AM
To: ws-dd@lists.oasis-open.org
Subject: [ws-dd] Issue 032 - DPWS - clarify behavior when a device contains secure and insecure services at the same time


This issue is assigned the number 032. For further discussions on this issue, please refer to this issue number or use this thread.

From: Alain Regnier [mailto:alain@ricoh-tech.com]
Sent: Tuesday, September 16, 2008 11:15 PM
To: Ram Jeyaraman
Subject: NEW Issue - clarify behavior when a device contains secure and insecure services at the same time


Please defer discussions on this issue until a time this issue is accepted and is assigned a number.

Description:
Clarify behavior regarding hosting secure and insecure services on the same device.

Proposed Resolution:
Discuss and clarify, then add constraints.
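
The following is an added example, not part of the thread or of the DPWS specification: a client-side check that applies the proposed Section 7 rule, inferring the profile from a device's transport addresses and rejecting a device that mixes HTTP and HTTPS. The function names, return labels and sample addresses are assumptions made for illustration, and the check covers only the default case where no other security mechanism is explicitly indicated.

```python
from urllib.parse import urlsplit


class MixedProfileError(ValueError):
    """Device advertises both HTTP and HTTPS transport addresses."""


def classify_device(transport_addrs):
    """Infer the security profile from a device's transport addresses.

    Returns "none" (all HTTP) or "https-profile" (all HTTPS). These labels
    are illustrative, not names taken from the specification.
    """
    if isinstance(transport_addrs, str):
        transport_addrs = transport_addrs.split()  # whitespace-separated URI list
    by_scheme = {}
    for addr in transport_addrs:
        scheme = urlsplit(addr).scheme.lower()
        if scheme not in ("http", "https"):
            # Not covered by the default rule; do not guess a profile.
            raise ValueError(f"unsupported transport address: {addr!r}")
        by_scheme.setdefault(scheme, []).append(addr)
    if not by_scheme:
        raise ValueError("no transport addresses advertised")
    if len(by_scheme) > 1:
        # "At most one profile": a secure/insecure mix is a violation.
        raise MixedProfileError(f"mixed transports: {sorted(by_scheme)}")
    return "https-profile" if "https" in by_scheme else "none"


def audit(devices):
    """Map each device id to its inferred profile or a rejection reason."""
    report = {}
    for dev_id, addrs in devices.items():
        try:
            report[dev_id] = classify_device(addrs)
        except MixedProfileError:
            report[dev_id] = "REJECT: mixed http/https"
        except ValueError as exc:
            report[dev_id] = f"REJECT: {exc}"
    return report


# Constructed sample inventory (documentation address ranges).
SAMPLE = {
    "printer-a": "http://192.0.2.10:5357/dev",
    "printer-b": ["https://192.0.2.11:5358/dev", "https://[2001:db8::1]:5358/dev"],
    "scanner-c": "http://192.0.2.12:5357/dev https://192.0.2.12:5358/dev",
}

if __name__ == "__main__":
    for dev, result in audit(SAMPLE).items():
        print(dev, "->", result)
```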


