Subject: RE: [wsrp] EventDescription.requiresSecureDistribution
A producer that wishes to return an event securely can not publish a http binding (i.e. only an https binding so that SOAP responses are secured) if transport level security is to be used, or use message level security for responses. Given we start from this position, is it not more a question of the producer possibly granting the consumer the right to forward an event on a less secure channel? How useful is such a feature as opposed to just mandating that a securely returned event be always forwarded securely? I think the end goal should be for end-to-end security to be used to secure the event payload, so do we really need these flags?
From: Rich Thompson
I do not see why we would want to duplicate the flag in the Event type itself, even if we include it in the event metadata. IMHO a consumer should either use (securely determined) metadata to determine the security level for event transmission or use the same security level at which an event was received to re-distribute the event (Event.RequiresSecureRedistribution?).
Would it be simpler to use the same rule as for getMarkup to distribute all events? I.e., if a producer publishes a secure binding (i.e. SSL) then the consumer should make use of it? Or, better, provide and encourage means for the event data to be signed/encrypted by sending portlets?
PS. In any case, the Event.requiresSecure(Re)Distribution declaration XML schema could do with a default="false" to match the EventDescription convention.