[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [ws-rx] FW: Preference for STR-based solution to identifying Tokenused to protect a RM Sequence
Gilbert Pilz wrote: >Forwarded from Hal . > I have a few questions on this email below Tom Rutt > . > > > >>-----Original Message----- >>From: Hal Lockhart >>Sent: Wednesday, July 12, 2006 5:14 PM >>To: Gilbert Pilz >>Subject: Preference for STR-based solution to identifying >>Token used to protect a RM Sequence >> >>Having looked at the latest proposal from Oracle, using the >>usage label, as well as their slide deck relating to >>implementation issues, I still believe the STR-based approach >>proposed by IBM & MSFT, is superior. >> >>1. The STR approach will not require that existing WSS logic >>be altered. >> >>2. The STR approach allows a variant of the same solution to >>be used when a Security header is not present, i.e. when >>SSL/TLS is used. >> >> Gil's proposal for this works with either Oracle or Msoft approach, I am confused about this statment. >>3. The usage label approach in my view entangles the >>processing of the security and RM layers, whereas the STR >>approach permits cleaner layering. In particular, the >>Security layer will have to know what portions of the message >>constitute an RM sequence and thus require protection. >> >> After the sequence is set up, I see both proposals as being identical. How can the security layer not get involved in both approaches for determining which sequence a message is part of? >>4. I don't believe the usage label approach can easily handle >>multiple services, sequences and tokens without introducing >>additional ad hoc rules. >> >>The slides provided Oracle presume a particular and in my >>view peculiar implementation. In particular the logic to >>handle signatures protecting RM sequences will be different >>from that of applications and other services using >>signatures. The analysis only shows one step (create >>sequence) in the entire process, omitting steps such as >>secure conversation setup and sequence transmission. As >>mentioned above, it appears that the security layer will be >>required to identify what elements must be protected when >>transmitting a sequence. >> >>I acknowledge that the STR-based approach requires making use >>of the schema defining the STR, but I expect this to be >>stable and widely known and thus able to be used in a >>"canned" way. Thus I am not concerned about this issue. >> >>Hal >> >> > > > -- ---------------------------------------------------- Tom Rutt email: tom@coastin.com; trutt@us.fujitsu.com Tel: +1 732 801 5744 Fax: +1 732 774 5133
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]