OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

ws-dd message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: RE: [ws-dd] DPWS Security changes


Hi Elmar-

 

- Line 943: A DEVICE may support at most one security profile.
I think Antoine already raised this: Doesn't this prevent devices with both secure and unsecure services ?

 

Antoine raised a good point about the HOSTED SERVICE issue on our call earlier, and I’m open to relaxing that requirement, and to allow a secure DEVICE to have non-secure HOSTED SERVICEs.

 

- Line 1006: 7.6 DEVICE Behavior
Why is this section called device behavior

 

It’s the section that carries any DEVICE requirements that cannot be captured elsewhere.  I agree this is poorly organized, but I think that reorganizing Section 7 while trying to rewrite the requirements is too much churn for one Committee Draft.  If there is interest in doing an editorial-only reorganization of Section 7 after CD2, we can fix it then.

 

- Usage of IRI and URI in spec. This is not directly related to the security part. In some parts of the spec URIs are used and in other IRI. Should we change it to IRI for consistency ?

 

Some specs reference RFC 3986 (URI), and others reference RFC 3987 (IRI).  I am not familiar enough with the differences between these two specs to comment on whether they compose well together.  I have been following whatever convention is referenced in the underlying spec: in this case, WS-Addressing controls many of these values, and WS-Address v1.0 uses IRIs.

--D

 

 

From: Elmar Zeeb [mailto:elmar.zeeb@uni-rostock.de]
Sent: Monday, January 12, 2009 5:45 PM
To: Dan Driscoll
Cc: antoine.mensch@odonata.fr; ws-dd@lists.oasis-open.org
Subject: Re: [ws-dd] DPWS Security changes

 

Dan Driscoll schrieb:

Thanks for the feedback, Antoine!
 
I incorporated all changes except a few minor notes:
* One comment you had said that we should distinguish "DEVICE" by saying "DEVICEs that conform to this security profile."  If we did, I think we would have to change most (all?) instances in this section--I think it is far more effective to allow the composition text at the beginning make it clear: all of Section 7 is optional and must be applied in entirety.
* The case of an unsecure DEVICE and a secure HOSTED SERVICE is an unusual one, and in cases where it's used, I think we should classify that as a separate security profile entirely, instead of trying to accommodate it in this profile.
 
Everyone, please see the updated text.  You may reply with the original text, or this one--if you haven't yet started reviewing, please use the latest version.
  

I still didn't implement security, so this are the comments i found by simply reading the spec:

- Line 943: A DEVICE may support at most one security profile.
I think Antoine already raised this: Doesn't this prevent devices with both secure and unsecure services ?

- Line 1006: 7.6 DEVICE Behavior
Why is this section called device behavior

- Usage of IRI and URI in spec. This is not directly related to the security part. In some parts of the spec URIs are used and in other IRI. Should we change it to IRI for consistency ?

Elmar

 
Issues addressed in this draft:
032: Describe security composability
051: Generalize security
112: Remove WS-Security reference
113: Cleanup Network Model
114: Remove security negotiation
115: Replace R4070 with switches on HTTPS ID/xAddrs
138: Create introduction and concrete description of security profile
139: Remove protocol negotiation
140: Clean up HTTP Authentication
 
Thanks
--D
 
-----Original Message-----
From: Antoine Mensch [mailto:antoine.mensch@odonata.fr]
Sent: Monday, January 05, 2009 4:27 AM
To: ws-dd@lists.oasis-open.org
Subject: Re: [ws-dd] DPWS Security changes
 
Hi Dan and all,
 
Please find enclosed a version of the document annotated with comments.
As the comments author is lost when saving the doc, I have prefixed all my comments with AM. Besides minor editorial issues, I have two major concerns with the current version:
1) it does not really clarify the security model for HOSTED SERVICEs:
most requirements still refer to DEVICEs, although the spec mentions that control and eventing messages (that normally apply to HOSTED
SERVICEs) should use the Secure Channel established for the DEVICE. I think the intent is that HOSTED SERVICEs delegate the establishment the security association to the DEVICE and then use the secure channel established between DEVICE and CLIENT, but it should be made clearer in the spec.
2) The removal of requirements R4028 and R4069 adds uncertainty to the
spec: it becomes more difficult to understand with feature is optional and which one is mandatory. I think we should explicitly say that TLS with both server and client certificates is the preferred approach, but that HTTP Basic Authentication can be used as a mandatory minimal fallback mechanism when client certificates are not practically feasible.
 
Cheers
 
Antoine
 
Dan Driscoll a écrit :
  
Hi all-
 
Please see my proposed changes for the DPWS Security issues.  The
following issues are addressed in this proposal:
 
    * 032: Describe security composability
    * 112: Remove WS-Security reference
    * 113: Cleanup Network Model
    * 114: Remove security negotiation
    * 115: Replace R4070 with switches on HTTPS ID/xAddrs
    * 138: Create introduction and concrete description of security
      profile
    * 139: Remove protocol negotiation
    * 140: Clean up HTTP Authentication
 
 
 
Note that although change tracking is enabled, the document is much
easier to read with tracking disabled.
 
 
 
Thanks
 
--D
 
----------------------------------------------------------------------
--
 
---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
----------------------------------------------------------------------
--
 
 
No virus found in this incoming message.
Checked by AVG - http://www.avg.com
Version: 8.0.176 / Virus Database: 270.10.2/1872 - Release Date:
02/01/2009 13:10
 
    
> 
 


 
---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php 




-- 
*******************************************************************************
  Dipl.-Inf. Elmar Zeeb
  Universität Rostock, Fakultät f. Informatik und Elektrotechnik
  Institut f. Angewandte Mikroelektronik und Datentechnik
  University of Rostock, Faculty of CS and EE
  Institute of Applied Microelectronics and Computer Engineering,
  18051 Rostock
  Deutschland/Germany
  Tel. : ++49 (0)381 498 - 7262
  Fax  : ++49 (0)381 498 - 7252
  Email: elmar.zeeb@uni-rostock.de
  www  : http://www.imd.uni-rostock.de/, http://www.ws4d.org/
*******************************************************************************


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]