OASIS Mailing List Archives

ws-rx message



Subject: RE: [ws-rx] Amendment to Microsoft/IBM proposal for i122-i124


Attached is a revised version of our amendment that addresses your
concerns about forcing the selection of a security mechanism. Basically
the meaning of the assertion has been changed from "you must bind the RM
Sequence to an SSL/TLS session" to "you must bind the RM Sequence to the
session of the underlying transport-level security protocol" thus
leaving the selection of that protocol up to WS-SP.

The really big change is from this:

"This assertion MUST only occur in conjunction with the
<wsrmp:RMAssertion/> and a <sp:TransportBinding> assertion that
specifies the use of SSL/TLS."

to this:

"This assertion is effectively meaningless unless it occurs in
conjunction with the wsrmp:RMAssertion and a sp:TransportBinding
assertion that requires the use of some transport-level security
mechanism (e.g. sp:HttpsToken)."

- gp

> -----Original Message-----
> From: Marc Goodner [mailto:mgoodner@microsoft.com] 
> Sent: Wednesday, July 12, 2006 11:39 AM
> To: Gilbert Pilz; ws-rx@lists.oasis-open.org
> Subject: RE: [ws-rx] Amendment to Microsoft/IBM proposal for i122-i124
> 
> The new header you propose seems fine. I am concerned that 
> specifying an assertion like SequenceSSL steps into the SP 
> domain by making the selection of the security mechanism. 
> Tagging that an STR will be present does not, as all of the 
> specific security mechanisms are left to SP itself. 
> 
> -----Original Message-----
> From: Gilbert Pilz [mailto:Gilbert.Pilz@bea.com]
> Sent: Monday, July 10, 2006 10:28 PM
> To: ws-rx@lists.oasis-open.org
> Subject: [ws-rx] Amendment to Microsoft/IBM proposal for i122-i124
> 
> I would like to propose the attached amendment to the 
> Microsoft/IBM proposal. This material is presented as a set 
> of additions and changes to the version of the Microsoft/IBM 
> proposal posted here:
> http://lists.oasis-open.org/archives/ws-rx/200607/msg00036.html
> 
> This amendment seeks to accomplish the following:
> 
> 1.) Support the use of SSL/TLS to protect Sequences against 
> spoofing attacks.
> 
> 2.) Render (1) in a way that does not require implementations 
> to understand STRs and their various referencing mechanisms, 
> processing rules, etc.
> 
> 3.) Define a WS-Policy assertion that specifies a requirement 
> to bind Sequences to SSL/TLS sessions.
> 
> - gp
> 
> p.s. The general notion of this amendment could also apply to 
> the Oracle/SAP proposal posted here
> (http://lists.oasis-open.org/archives/ws-rx/200607/msg00054.html)
> though, obviously, the specific wording would have to change.
> 
> 

Securing RM Sequences - BEA ammend - 120706.doc


