OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

wsbpel message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: issue 291 - final resolution

This is the wording that was approved on the call today for issue 291 including a couple amendments:  

Change the wording in the security section to read:
Although WS-BPEL is inherently binding neutral it is strongly recommended that business process implementations use WS-Security when using a binding where messages may be modified or forged.  WS-Security provides mechanisms to ensure messages have not been modified or forged while in transit or while residing at destinations.   Similarly, there are mechanisms to prevent invalid or expired messages from being re-used or message headers not specifically associated with the specific message being referenced.  Consequently, when using WS-Security, signatures should include the semantically significant headers and the message body (as well as any other relevant data) so that they cannot be independently separated and re-used.

Messaging protocols used to communicate among business processes are subject to various forms of replay attacks. In addition to the mechanisms listed above, messages should include a message timestamp (as described in WS-Security) within the signature. Recipients can use the timestamp information to cache the most recent messages for a business process and detect duplicate transmissions and prevent potential replay attacks.

It should also be noted that business process implementations are subject to various forms of denial-of-service attacks. Implementers of business process execution systems compliant with this specification should take this into account.

And change text in the notation section to read:  The upper case keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC 2119].

Regards, Diane
IBM  Emerging Internet Software Standards
(919)254-7221 or 8-444-7221, Mobile: 919-624-5123, Fax 845-491-5709

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]