OASIS Mailing List Archives

ws-dd message



Subject: Re: [ws-dd] DPWS Security changes


Hi Dan and all,

Please find enclosed a version of the document annotated with comments. 
As the comments author is lost when saving the doc, I have prefixed all 
my comments with AM. Besides minor editorial issues, I have two major 
concerns with the current version:
1) it does not really clarify the security model for HOSTED SERVICEs: 
most requirements still refer to DEVICEs, although the spec mentions 
that control and eventing messages (that normally apply to HOSTED 
SERVICEs) should use the Secure Channel established for the DEVICE. I 
think the intent is that HOSTED SERVICEs delegate the establishment of the 
security association to the DEVICE and then use the secure channel 
established between DEVICE and CLIENT, but it should be made clearer in 
the spec.
2) The removal of requirements R4028 and R4069 adds uncertainty to the 
spec: it becomes more difficult to understand which feature is optional 
and which one is mandatory. I think we should explicitly say that TLS 
with both server and client certificates is the preferred approach, but 
that HTTP Basic Authentication can be used as a mandatory minimal 
fallback mechanism when client certificates are not practically feasible.

Cheers

Antoine

Dan Driscoll wrote:
>
> Hi all-
>
> Please see my proposed changes for the DPWS Security issues.  The 
> following issues are addressed in this proposal:
>
>     * 032: Describe security composability
>     * 112: Remove WS-Security reference
>     * 113: Cleanup Network Model
>     * 114: Remove security negotiation
>     * 115: Replace R4070 with switches on HTTPS ID/xAddrs
>     * 138: Create introduction and concrete description of security
>       profile
>     * 139: Remove protocol negotiation
>     * 140: Clean up HTTP Authentication
>
>  
>
> Note that although change tracking is enabled, the document is much 
> easier to read with tracking disabled.
>
>  
>
> Thanks
>
> --D

wsdd-dpws-1.1-spec-wd-03-security-am.docx


