OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

wsrp-interfaces message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Sun's answers to security questions

Please see inline. thanks


Rich Thompson wrote:
Considering the number of customer requests for interoperable security profiles and the lack of a standardized policy framework for negotiating a security profile to use for WSRP-related messages, the WSRP TC is seeking input about whether simple interim, interoperable profiles could be defined for the use case of multiple vendor's implementations being deployed within a single security domain in the mid-2006 timeframe.

1. The WSRP use case involves an intermediary (the WSRP Consumer) acting on behalf of an End-User when interacting with the web service provider (the WSRP Producer). As a result, there is an interest in transferring the identities of both the WSRP Consumer and the End-User to the WSRP Producer. This results in several questions:

1.a. Do you support the receipt of multiple identities (Consumer and End-User) on a SOAP message which can be separately queried by the provider application?
Do you support sending multiple identities?
No explicit support for multiple identities at this time.
End-user identity on the SOAP message/headers.
Consumer identity can be tackled via SSL client certificates.

1.b. What WS-Security tokens will be supported for transferring identities (e.g. UserName, SAML, Kerberos, Digital Signature, etc)?
UserName, SAML, Digital Signature, Liberty, others..  (some current, some future)

1.c. Would transferring the End-User identity via a WS-Security token and the Consumer identity via transport-level security be supported?

1.d. Any restrictions on how multiple identities can be attached to a particular SOAP message?
Not supported currently.

2. What security granularity is expected when transferring an identity (for example; portals often have a concept of user role that relates to the End-User's current use of the portal rather than their identity ... is the transfer of such attributes supported (e.g. via SAML attributes))?

Not currently, but exploring SAML attributes for future (not considered user role yet).

3. Is support for maintaining security contexts for multiple web service requests anticipated? If so, using what security technology (e.g. WS-SecureConversation)?

Not at this time.

4. Is automated configuration of all endpoints supported? If so, how are any particular inputs to the process indicated, supported, standardized and maintained?
Not at this time.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]