wsbpel message
Subject: issue 291 - proposal to vote
- From: Diane Jordan <drj@us.ibm.com>
- To: wsbpel@lists.oasis-open.org
- Date: Thu, 20 Jul 2006 17:57:25 -0400
This is the motion that was seconded and then changed with friendly amendments on the call on July 19 before we ran out of time.

Change the wording in the security section to read:

Although WS-BPEL is inherently binding neutral it is strongly recommended that business process implementations use WS-Security when using a binding where messages may be modified or forged. WS-Security provides mechanisms to ensure messages have not been modified or forged while in transit or while residing at destinations. Similarly, invalid or expired messages could be re-used or message headers not specifically associated with the specific message could be referenced. Consequently, when using WS-Security, signatures should include the semantically significant headers and the message body (as well as any other relevant data) so that they cannot be independently separated and re-used.

Messaging protocols used to communicate among business processes are subject to various forms of replay attacks. In addition to the mechanisms listed above, messages should include a message timestamp (as described in WS-Security) within the signature. Recipients can use the timestamp information to cache the most recent messages for a business process and detect duplicate transmissions and prevent potential replay attacks.

It should also be noted that business process implementations are subject to various forms of denial-of-service attacks. Implementers of business process execution systems compliant with this specification should take this into account.

And change text in the notation section to read:

The upper case keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC 2119].

We will resume discussion of this on the July 26 call.
Regards, Diane
IBM Emerging Internet Software Standards
drj@us.ibm.com
(919)254-7221 or 8-444-7221, Mobile: 919-624-5123, Fax 845-491-5709
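
The recipient-side check described in the proposed security wording, as an added example that is not part of the original message or of the WS-BPEL specification: one signature covers the headers, the timestamp and the body, and the recipient caches recent messages to detect duplicates. HMAC-SHA256 stands in here for a WS-Security XML Signature; the names `sign`, `ReplayGuard` and `demo`, the 300-second window and the sample message are all assumptions constructed for illustration.

```python
import hashlib
import hmac

MAX_AGE = 300  # assumed freshness window, in seconds


def sign(key, headers, timestamp, body):
    """One MAC over headers, timestamp and body so none can be split off and reused."""
    parts = [s for kv in sorted(headers.items()) for s in kv] + [str(timestamp), body]
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        data = part.encode()
        mac.update(len(data).to_bytes(4, "big") + data)  # length prefix keeps fields distinct
    return mac.hexdigest()


class ReplayGuard:
    """Recipient cache of recently accepted messages (hypothetical helper)."""

    def __init__(self, key, max_age=MAX_AGE):
        self.key, self.max_age, self.seen = key, max_age, {}

    def check(self, msg, now):
        expected = sign(self.key, msg["headers"], msg["timestamp"], msg["body"])
        if not hmac.compare_digest(expected, msg["signature"]):
            return "reject: bad signature"
        if abs(now - msg["timestamp"]) > self.max_age:
            return "reject: expired"
        # Entries older than the window can be dropped: such messages fail the check above.
        self.seen = {s: t for s, t in self.seen.items() if now - t <= self.max_age}
        if msg["signature"] in self.seen:
            return "reject: replay"
        self.seen[msg["signature"]] = msg["timestamp"]
        return "accept"


def demo():
    key = b"constructed-demo-key"  # constructed sample key
    t0 = 1153432645                # constructed sample timestamp
    headers = {"To": "urn:example:po-process", "Action": "submitOrder"}
    body = "<order id='42'/>"
    msg = {"headers": headers, "timestamp": t0, "body": body,
           "signature": sign(key, headers, t0, body)}
    # Same signature attached to a different header set.
    moved = dict(msg, headers=dict(headers, Action="cancelOrder"))
    guard = ReplayGuard(key)
    return [guard.check(msg, t0 + 1), guard.check(msg, t0 + 2),
            guard.check(moved, t0 + 3), guard.check(msg, t0 + MAX_AGE + 1)]


if __name__ == "__main__":
    print(demo())
```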