RE: [wsrp] EventDescription.requiresSecureDistribution

[Andre Kramer <andre.kramer@eu.citrix.com>]

A producer that wishes to return an event securely can not publish a http binding (i.e. only an https binding so that SOAP responses are secured) if transport level security is to be used, or use message level security for responses. Given we start from this position, is it not more a question of the producer possibly granting the consumer the right to forward an event on a less secure channel? How useful is such a feature as opposed to just mandating that a securely returned event be always forwarded securely? I think the end goal should be for end to end security to be used to secure the event payload so do we really need these flags?

 

Regards,

Andre

 

---

From: Rich Thompson [mailto:richt2@us.ibm.com]
Sent: 15 December 2004 15:07
To: wsrp@lists.oasis-open.org
Subject: Re: [wsrp] EventDescription.requiresSecureDistribution

 

Rereading this on the OASIS distribution reminded why the event field did not have a default specified in the schema ... its default is whatever was specified in the EventDescription.

Rich

Rich Thompson/Watson/IBM@IBMUS

12/15/2004 09:20 AM

To	wsrp@lists.oasis-open.org
cc
Subject	Re: [wsrp] EventDescription.requiresSecureDistribution

 

Good point on the possibility of tampering ... I'll add a sentence in section 9 of draft 04 to point this out.

The reason the field exists in both places is that some events will always require secure distribution and some will only require it when sensitive information is being carried in the payload (i.e. dynamic payload contents).

We deliberately named the equivalent fields in v1 as simply requiring security. This allows evolving security standards to be used as they become supported.

Thanks for catching the .xsd overlook of the default value. Has been updated relative to the next version.

Rich

Andre Kramer <andre.kramer@eu.citrix.com>

12/10/2004 05:15 AM

 

To	wsrp@lists.oasis-open.org
cc
Subject	[wsrp] EventDescription.requiresSecureDistribution

 

We should note that basing security decisions on EventDescription.requiresSecureDistribution only makes sense if the EventDescription was itself was retrieved securely. The threat here being Tampering.

I do not see why we would want to duplicate the flag in the Event type itself, even if we include it in the event metadata. IMHO A consumer should either use (securely determined) metadata to determine the security level for event transmission or use the same security level at which an event was received to re-distribute the event (Event.RequiresSecureRedistribution?).

Would it be simpler to use the same rule as for getMarkup to distribute all events? i.e. If a producer publishes a secure binding (i.e. SSL) then the consumer should make use of it? Or, better, provide and encourage means for the event data to be signed/encrypted by sending portlets?

Regards,

Andre

PS. In any case, the Event.requiresSecure(Re)Distribution declaration XML schema could do with a default="false" to match the EventDescription convention.