ws-sx message



Subject: NEW Issue: Guidance on Policy Application



PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL
THE ISSUE IS ASSIGNED A NUMBER.
The issues coordinators will notify the list when that has occurred.

Protocol:  ws-sp 

http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/17889/ws-securitypolicy-1.2-spec-ed-01-r06.pdf

Artifact:  spec

Type: philosophical 

Title:

Some people are unclear on the precise role to be played by
WS-SecurityPolicy. 

Description:

The only place in WS-SecurityPolicy which seems to address exactly what
WS-SP is supposed to be used for is section 1. Currently it says:

"WS-Policy defines a framework for allowing web services to express
their constraints and requirements. [...] This document takes the
approach of defining a base set of assertions that describe how messages
are to be secured. [...] The intent is to provide enough information for
compatibility and interoperability to be determined by web service
participants along with all information necessary to actually enable a
participant to engage in a secure exchange of messages."

This seems to leave a lot of questions unanswered. Is a consumer
required to use SP? Is SP suitable for expressing a Consumer's policy?
Does an SP represent an enforceable access control policy? Can a Web
Service reject messages which conform to its policy?

It seems to me desirable that the spec provide more specific guidance on
what is expected.


Proposed Resolution:

I suggest that we add to section 1 some additional text along these
lines.

----

The exact usage of security policies will depend on a variety of factors
and may differ from one deployment to another. Further, Consumers and
Services are likely to use information from a variety of sources other
than security policies to determine the details of security mechanisms
applied to particular messages.

However, in the absence of specific considerations to the contrary, it
is recommended that the following principles be followed.

1. The Consumer should construct messages which are consistent with the
policy advertised by the Service.

2. The Service should not reject messages based on the use of mechanisms
which conform to its advertised policies.

3. However, the Service may reject messages based on factors which are
not specified in its advertised policies.

4. The Service may also choose to accept messages which are inconsistent
with its advertised policies.

----

Hal
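A toy model of the four proposed principles, added here as an illustration; it is not part of Hal's message or of the WS-SecurityPolicy specification. The assertion names are real WS-SecurityPolicy 1.2 element names, while the Policy and Message types, service_decision, and the sample policy and authorization set are constructed for this example, and the "authorized" check stands in for any factor the advertised policy never expressed.

```python
from dataclasses import dataclass

# Constructed sample: a Service advertising two WS-SP 1.2 assertions.
SAMPLE_POLICY_ASSERTIONS = frozenset({"sp:TransportBinding", "sp:X509Token"})
# Constructed: an access-control list, which WS-SP itself cannot express.
AUTHORIZED = frozenset({"alice"})


@dataclass(frozen=True)
class Policy:
    required: frozenset  # assertions the Service advertises


@dataclass(frozen=True)
class Message:
    mechanisms: frozenset  # security mechanisms the Consumer actually applied
    subject: str           # authenticated identity, outside the policy's scope


SAMPLE_POLICY = Policy(SAMPLE_POLICY_ASSERTIONS)


def conforms(msg: Message, policy: Policy) -> bool:
    """Principle 1: the Consumer built the message consistently with the policy."""
    return policy.required <= msg.mechanisms


def service_decision(msg: Message, policy: Policy, authorized: frozenset,
                     lenient: bool = False) -> tuple:
    """Return (accepted, reason); the reason names the principle that applied."""
    if conforms(msg, policy):
        # Principle 2: a conforming message is never rejected for its mechanisms.
        # Principle 3: rejection remains possible on out-of-policy factors, here
        # an authorization decision the advertised policy never described.
        if msg.subject in authorized:
            return True, "conforming and authorized"
        return False, "rejected on out-of-policy factor: authorization"
    # Principle 4: accepting a non-conforming message is a deployment choice,
    # not something the advertised policy decides.
    if lenient and msg.subject in authorized:
        return True, "non-conforming but accepted by deployment choice"
    return False, "non-conforming"
```

The model makes the distinction the issue raises explicit: conformance to the advertised policy is necessary but not sufficient for acceptance, so an SP is not by itself an enforceable access-control policy.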

