Subject: RE: Proposal for i029 "Remove dependency on WS-Security"
Sorry, but the working group decided that this is an issue. Let's not spend time debating something we've already decided on.

Moving on to your excerpt from the charter: "Efficient preservation of the integrity of reliable contexts by composition with WS-Security or other SOAP security mechanisms."

The "preservation of the integrity of reliable contexts" part hints at certain threat(s) against the WS-RM sequence. To date I have not seen anyone other than myself (http://www.oasis-open.org/apps/org/workgroup/ws-rx/email/archives/200508/msg00206.html) present any descriptions of these threats. I'm somewhat baffled as to why the proponents of linking the WS-RM and WS-Security specifications together via an STR in the CreateSequence message haven't explained why this is necessary (to be clear, when I say "explain" I mean show us the threat model and describe to us how this counters the threat). Given the current lack of information on this subject, it appears that we are being asked to support a burdensome feature for no real benefit.

The "composition with WS-Security or other SOAP security mechanisms" phrase is interesting. Given that there is no clear definition of what it means to "compose" one WS-* specification with another, this phrase could mean almost anything. I take it to mean that we should provide exemplars of how WS-Security should be used to bind the Sequence header to the SOAP message body such that one cannot be separated from another. This measure counters a specific threat that I would be glad to discuss with you. I certainly don't read this phrase to mean that WS-RM must support a per-message authorization check against an STR that is provided during sequence creation.

- g

________________________________

From: Marc Goodner [mailto:email@example.com]
Sent: Wednesday, August 31, 2005 5:51 PM
To: Gilbert Pilz; firstname.lastname@example.org
Subject: Proposal for i029 "Remove dependency on WS-Security"

This is not an issue. There is no reason we should remove the STR and the charter of this TC is clear that this is in our scope.

Proposal: The WS-RX TC charter is clear, "Efficient preservation of the integrity of reliable contexts by composition with WS-Security or other SOAP security mechanisms." The specification currently provides such composition with WSS via the inclusion of the SecurityTokenReference in the CreateSequenceRequest as well as providing an extensibility point for other mechanisms. Removing this would be in direct conflict with the related scope statement in the charter, therefore this issue should be closed with no action.