Re: [ws-sx] Issue 48: Revised proposal

[Anthony Nadalin <drsecure@us.ibm.com>]

I think that we should just make a general statement which would be along the lines of:

Assertions MAY only apply to one [Policy Subject].

and then have the change in the specific assertion changed to:

This assertion SHOULD apply to [Endpoint Policy Subject].


Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122
"Tony Gullotta" <tony.gullotta@soa.com>

"Tony Gullotta" <tony.gullotta@soa.com>

04/12/2006 01:24 PM

To	<ws-sx@lists.oasis-open.org>
cc
Subject	[ws-sx] Issue 48: Revised proposal

I have refined my initial proposal based on discussions at the F2F. To avoid the complexities of defining special rules for merging multiple binding assertions I propose that binding assertions should apply to either the endpoint or the operation, but not both. I've included some proposed text based on the ws-securitypolicy spec version http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/16289/ws-securitypolicy-1.2-spec-ed-01-r04.pdf.

Section 7.4 lines 1529 - 1530 should be changed from:

This assertion MUST apply to [Endpoint Policy Subject].

to:

This assertion SHOULD apply to [Endpoint Policy Subject]. This assertion MAY apply to [Operation Policy Subject]. If this assertion is applied to [Operation Policy Subject] it MUST NOT also be applied to [Endpoint Policy Subject].

Section 7.5 lines 1606 - 1607 should be changed from:

This assertion MUST apply to [Endpoint Policy Subject].

to:

This assertion SHOULD apply to [Endpoint Policy Subject]. This assertion MAY apply to [Operation Policy Subject]. If this assertion is applied to [Operation Policy Subject] it MUST NOT also be applied to [Endpoint Policy Subject].

The following should be added after line 2201 in Appendix A:

A.2.2 Security Binding Assertions

SymmetricBindingAssertion (8.4)
AsymmetricBindingAssertion (8.5)