RE: [ws-sx] Issue 76: How to reference a specific SC when initiating a session?

["Raepple, Martin" <martin.raepple@sap.com>]

Prateek,

actually your proposal is not specific to SC since you want an
STR to contain the URI value which can reference any token type.

But even if there is this mechanism used to point to 
a specific token in a message, it is still the responsibility of the
(higher level) protocols to define the semantics of the URI value(s),
right?

- Martin

>-----Original Message-----
>From: Prateek Mishra [mailto:prateek.mishra@oracle.com] 
>Sent: Mittwoch, 21. Juni 2006 16:59
>To: Raepple, Martin
>Cc: ws-sx@lists.oasis-open.org
>Subject: Re: [ws-sx] Issue 76: How to reference a specific SC 
>when initiating a session?
>
>Martin,
>
>I agree that applications will define their own specialized protocols, 
>including some that will involve security. 
>However, it is reasonable to ask the question whether there are (1) 
>extension points in the generic security infrastructure,
>(2) advice on how such extension is to be achieved.
>
>Notice that the question I have raised is a very limited one. It makes 
>NO reference to any specifics of the RM work.
>It only asks: do we have a mechanism that allows us to "point" to a 
>specific security token  in a specific message.
>
>- prateek
>
>>
>>I think SC is not about defining the semantics for a session, sequence
>>etc. From my understanding, SC's scope is to define the (token) format
>>for a shared security context and the protocol messages to 
>manage such a
>>context. Anything beyond this will be/is defined by other specs.
>>
>>Even though SC defines a lifecycle for a context, this is still
>>independent of any higher level session/sequence semantics. In other
>>words, protocols like Reliable Messaging (RM) that define these
>>semantics can definitly take adventage of the generic context 
>mechanisms
>>defined by SC, but there is always a non-generic part wrt 
>security that
>>is specific to these higher-level protocols which should be 
>specified by
>>the corresponding TCs. A session/(coordination)context/sequence has
>>special security requirements due to different semantics and I doubt
>>that we can find a common denominator in the SX TC.
>>
>>Best regards
>>Martin
>>
>>Martin Raepple
>>Platform Ecosystem Industry Standards 
>>SAP AG 
>>Dietmar-Hopp-Allee 16 
>>69190 Walldorf, Germany 
>>T  +49/6227/7-60365 
>>F  +49/6227/78-44724 
>>mailto: martin.raepple@sap.com 
>>http://www.sap.com
>> 
>>
>>  
>>
>>>-----Original Message-----
>>>From: Marc Goodner [mailto:mgoodner@microsoft.com] 
>>>Sent: Dienstag, 20. Juni 2006 17:23
>>>To: Prateek Mishra; ws-sx@lists.oasis-open.org
>>>Subject: [ws-sx] Issue 76: How to reference a specific SC when 
>>>initiating a session?
>>>
>>>Tracked as Issue 76.
>>>
>>>-----Original Message-----
>>>From: Prateek Mishra [mailto:prateek.mishra@oracle.com] 
>>>Sent: Tuesday, June 20, 2006 11:12 AM
>>>To: ws-sx@lists.oasis-open.org
>>>Cc: Marc Goodner
>>>Subject: NEW ISSUE: How to reference a specific SC when initiating a
>>>session?
>>>
>>>*PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSISON 
>THREAD UNTIL
>>>THE ISSUE IS ASSIGNED A NUMBER.  *
>>>
>>>*The issues coordinators will notify the list when that has 
>occurred.*
>>>
>>>* *
>>>
>>>Protocol:   ws-sc
>>>
>>>http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php
>>>/18838/ws
>>>-secureconversation-1.3-spec-ed-01-r06-diff.doc 
>>>
>>>
>>>
>>>
>>>Artifact:  spec
>>>
>>>
>>>
>>>Type:
>>>
>>>design
>>>
>>>
>>>
>>>Title:
>>>
>>>NEW ISSUE: How to reference a specific SC when initiating a session?
>>>
>>>
>>>
>>>Description:
>>>
>>>This issue concerns the following use-case: a requestor wishes to
>>>participate in a multi-message session with a recipient. 
>>>The requestor  acquires a SC token by some means from its 
>>>local security
>>>system and adds it to the security header of a SOAP message. 
>>>The SOAP message is meant to initiate a sequence of 
>exchanges with the
>>>recipient, all of which are to be protected by the SC token. 
>>>Notice that
>>>in general, the SOAP message may carry several security headers
>>>including other security tokens.
>>>
>>>How can the requestor indicate to the recipient that a 
>>>specific SC token
>>>is to be used for the session?
>>>
>>>
>>>
>>>Related issues:
>>>
>>>http://lists.oasis-open.org/archives/ws-rx/200606/msg00036.html
>>>
>>>
>>>
>>>Proposed Resolution:
>>>
>>>My best guess here is that the requestor add a new STR to 
>the header. 
>>>The STR would include a reference to the SC and include in its usage
>>>attribute a URI referencing the message body. If this is 
>acceptable to
>>>the TC, we need to include some text explaining this "security 
>>>pattern".
>>>
>>>    
>>>
>>>
>>  
>>
>
>
>