Subject: RE: [ws-rx] Amendment to Microsoft/IBM proposal for i122-i124
Yes, I agree.

- gp

> -----Original Message-----
> From: Raepple, Martin [mailto:martin.raepple@sap.com]
> Sent: Wednesday, July 12, 2006 3:28 PM
> To: Gilbert Pilz; ws-rx@lists.oasis-open.org
> Subject: RE: [ws-rx] Amendment to Microsoft/IBM proposal for i122-i124
>
> Even with these updates, we believe that BEA's proposal for
> addressing SSL/TLS composes with the Oracle-SAP proposal.
> Gil, do you agree?
>
> - Martin
>
> >-----Original Message-----
> >From: Gilbert Pilz [mailto:Gilbert.Pilz@bea.com]
> >Sent: Wednesday, July 12, 2006 22:48
> >To: Marc Goodner; ws-rx@lists.oasis-open.org
> >Subject: RE: [ws-rx] Amendment to Microsoft/IBM proposal for i122-i124
> >
> >Attached is a revised version of our amendment that addresses your
> >concerns about forcing the selection of a security mechanism. Basically
> >the meaning of the assertion has been changed from "you must bind the
> >RM Sequence to an SSL/TLS session" to "you must bind the RM Sequence to
> >the session of the underlying transport-level security protocol" thus
> >leaving the selection of that protocol up to WS-SP.
> >
> >The really big change is from this:
> >
> >"This assertion MUST only occur in conjunction with the
> ><wsrmp:RMAssertion/> and a <sp:TransportBinding> assertion that
> >specifies the use of SSL/TLS."
> >
> >to this:
> >
> >"This assertion is effectively meaningless unless it occurs in
> >conjunction with the wsrmp:RMAssertion and a sp:TransportBinding
> >assertion that requires the use of some transport-level security
> >mechanism (e.g. sp:HttpsToken)."
> >
> >- gp
> >
> >> -----Original Message-----
> >> From: Marc Goodner [mailto:mgoodner@microsoft.com]
> >> Sent: Wednesday, July 12, 2006 11:39 AM
> >> To: Gilbert Pilz; ws-rx@lists.oasis-open.org
> >> Subject: RE: [ws-rx] Amendment to Microsoft/IBM proposal for i122-i124
> >>
> >> The new header you propose seems fine. I am concerned that specifying
> >> an assertion like SequenceSSL steps into the SP domain by making the
> >> selection of the security mechanism.
> >> Tagging that an STR will be present does not, as all of the specific
> >> security mechanisms are left to SP itself.
> >>
> >> -----Original Message-----
> >> From: Gilbert Pilz [mailto:Gilbert.Pilz@bea.com]
> >> Sent: Monday, July 10, 2006 10:28 PM
> >> To: ws-rx@lists.oasis-open.org
> >> Subject: [ws-rx] Amendment to Microsoft/IBM proposal for i122-i124
> >>
> >> I would like to propose the attached amendment to the Microsoft/IBM
> >> proposal. This material is presented as a set of additions and
> >> changes to the version of the Microsoft/IBM proposal posted here:
> >> http://lists.oasis-open.org/archives/ws-rx/200607/msg00036.html
> >>
> >> This amendment seeks to accomplish the following:
> >>
> >> 1.) Support the use of SSL/TLS to protect Sequences against spoofing
> >> attacks.
> >>
> >> 2.) Render (1) in a way that does not require implementations to
> >> understand STRs and their various referencing mechanisms, processing
> >> rules, etc.
> >>
> >> 2.) Define a WS-Policy assertion that specifies a requirement to bind
> >> Sequences to SSL/TLS sessions.
> >>
> >> - gp
> >>
> >> p.s. The general notion of this amendment could also apply to the
> >> Oracle/SAP proposal posted here
> >> (http://lists.oasis-open.org/archives/ws-rx/200607/msg00054.html)
> >> though, obviously, the specific wording would have to change.