Subject: NEW ISSUE on use of Non normative references
I just reviewed the specs again, and I want to raise a new issue on the use of non-normative references. This applies to three specs: serviceGroups, ResourceProperties, and ResourceLifetime. The new issue is attached as HTML.

Tom Rutt
Fujitsu

--
----------------------------------------------------
Tom Rutt email: tom@coastin.com; trutt@us.fujitsu.com
Tel: +1 732 801 5744
Fax: +1 732 774 5133

Title: Wsrf ws-service Group
NEW ISSUE:

Title: Use of Non-normative references

1 Use of Non-normative references in WS-serviceGroups

Section 10 has the following Non-normative references:

  [WS-AtomicTransaction] http://www.ibm.com/developerworks/webservices/library/ws-atomtran/
  [WS-Policy] http://www.ibm.com/developerworks/library/ws-policy
  [WS-ReliableMessaging] http://www.ibm.com/developerworks/webservices/library/ws-rm/
  [WS-SecureConversation] http://www.ibm.com/developerworks/library/ws-secon/
  [WS-SecurityPolicy] http://www.ibm.com/developerworks/library/ws-secpol/
  [WS-Trust] http://www.ibm.com/developerworks/library/specification/ws-trust/

The reference to WS-AtomicTransaction is not used anywhere in the spec.

Section 9.1 Proposed Changes:

a) First

  In the event that a requestor communicates frequently with a Web service to access resource properties, either directly through a query or accomplished through notification of state change, it is RECOMMENDED that a security context be established using mechanisms like those described in WS-Trust [WS-Trust] and WS-SecureConversation [WS-SecureConversation] allowing for potentially more efficient means of authentication.

Summary: Unnecessary as Non-Normative reference
Proposed change: Delete sentence.

b) Fourth

  The security context MAY be re-established using the mechanisms described in WS-Trust and WS-SecureConversation. Similarly, secrets can be exchanged using the mechanisms described in WS-Trust. Note, however, that the current shared secret SHOULD NOT be used to encrypt the new shared secret. Derived keys, the preferred solution from this list, can be specified using the mechanisms described in WS-SecureConversation.

Summary: Unnecessary as Non-Normative reference
Proposed change: Delete Fourth Para.

c) Third bullet:

  · Key integrity
  Key integrity is maintained by using the strongest algorithms possible (by comparing secured policies see WS-Policy [WS-Policy] and WS-SecurityPolicy [WS-SecurityPolicy]).

Summary: Unnecessary as Non-normative reference
Proposed change: Delete see WS-Policy [WS-Policy] and WS-SecurityPolicy [WS-SecurityPolicy])

d) Fourth bullet:

  · Authentication
  Authentication is established using the mechanisms described in WS-Security and WS-Trust. Each message is authenticated using the mechanisms described in WS-Security.

Summary: Unnecessary as Non-normative reference
Proposed change: Delete and WS-Trust

e) Last bullet:

  · Replay
  Messages may be replayed for a variety of reasons. To detect and eliminate this attack, mechanisms should be used to identify replayed messages such as the timestamp/nonce outlined in WS-Security and the sequences outlined in WS-ReliableMessaging [WS-ReliableMessaging].

Summary: WS-ReliableMessaging is not on a standards track. OASIS Standard WS-Reliability has a MessageID (which includes a group ID and an optional sequence number) for this same purpose. Since this is an OASIS standard, the non-normative reference should be changed to WS-Reliability.
Proposed change: replace:
  the sequences outlined in WS-ReliableMessaging [WS-ReliableMessaging]
with:
  the GroupId and Sequence number outlined in WS-Reliability [WS-Reliability]

Ws-ServiceGroups Section 10 proposed changes:

f) Delete the following references:

  [WS-AtomicTransaction] http://www.ibm.com/developerworks/webservices/library/ws-atomtran/
  [WS-Policy] http://www.ibm.com/developerworks/library/ws-policy
  [WS-SecureConversation] http://www.ibm.com/developerworks/library/ws-secon/
  [WS-SecurityPolicy] http://www.ibm.com/developerworks/library/ws-secpol/
  [WS-Trust] http://www.ibm.com/developerworks/library/specification/ws-trust/

g) Replace:

  [WS-ReliableMessaging] http://www.ibm.com/developerworks/webservices/library/ws-rm/

With:

  [WS-Reliability] http://docs.oasis-open.org/wsrm/2004/06/WS-Reliability-CD1.086.pdf

2 - Use of non-normative references in WS-ResourceProperties:

Section 9.2 contains the following Non normative References:

  [WS-AtomicTransaction] http://www.ibm.com/developerworks/webservices/library/ws-atomtran/
  [WS-Policy] http://www-106.ibm.com/developerworks/library/specification/ws-polfram/
  [WS-ReliableMessaging] http://www.ibm.com/developerworks/webservices/library/ws-rm/
  [WS-SecureConversation] http://www-106.ibm.com/developerworks/library/specification/ws-secon/
  [WS-Security] http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf
  [WS-SecurityPolicy] http://www-106.ibm.com/developerworks/webservices/library/ws-secpol/
  [WS-Trust] http://www-106.ibm.com/developerworks/webservices/library/specification/ws-trust/

a) ResourceProperties Section 7 First two Sentences:

  The ability to associate a transactional recovery policy to the execution of a Web service message exchange is a quality of service the designer would compose into the definition of a WS-Resource. Example specifications of such behavior include the Web Services Atomic Transaction specification [WS-AtomicTransaction] or the work of the OASIS WS-Composite Application Framework TC [WS-CAF].

Summary: Unnecessary non normative reference
Proposed change: delete the Web Services Atomic Transaction specification [WS-AtomicTransaction] or

b) ResourceProperties Section 8.1: Identical text to that in section 9.1 of ws-Service Group.

Summary: Unnecessary as non normative references
Proposed Changes: same as proposals a) thru e) for ws-ServiceGroup

ResourceProperties Section 9.2 proposed changes:

c) Delete the following references:

  [WS-AtomicTransaction] http://www.ibm.com/developerworks/webservices/library/ws-atomtran/
  [WS-Policy] http://www.ibm.com/developerworks/library/ws-policy
  [WS-SecureConversation] http://www.ibm.com/developerworks/library/ws-secon/
  [WS-SecurityPolicy] http://www.ibm.com/developerworks/library/ws-secpol/
  [WS-Trust] http://www.ibm.com/developerworks/library/specification/ws-trust/

d) Replace:

  [WS-ReliableMessaging] http://www.ibm.com/developerworks/webservices/library/ws-rm/

With:

  [WS-Reliability] http://docs.oasis-open.org/wsrm/2004/06/WS-Reliability-CD1.086.pdf

3 - Use of non-normative references in WS-ResourceLifetime:

Resource Lifetime section 8 contains the following references:

  [WS-SecureConversation] http://www-106.ibm.com/developerworks/library/ws-secon/
  [WS-Trust] http://www-106.ibm.com/developerworks/library/ws-trust/

ResourceLifetime Section 7.1: Identical text to that in section 9.1 of ws-Service Group.

Summary: Unnecessary as non normative references
Proposed Changes: same as proposals a) thru e) for ws-ServiceGroup

Resource Lifetime Section 8 proposed changes:

Delete:

  [WS-SecureConversation] http://www-106.ibm.com/developerworks/library/ws-secon/
  [WS-Trust] http://www-106.ibm.com/developerworks/library/ws-trust/