
Subject: Oracle's answers to Security Questions




Considering the number of customer requests for interoperable security 
profiles and the lack of a standardized policy framework for negotiating 
a security profile to use for WSRP-related messages, the WSRP TC is 
seeking input about whether simple interim, interoperable profiles could 
be defined for the use case of multiple vendors' implementations being 
deployed within a single security domain in the mid-2006 timeframe.

1. The WSRP use case involves an intermediary (the WSRP Consumer) acting 
on behalf of an End-User when interacting with the web service provider 
(the WSRP Producer). As a result, there is an interest in transferring 
the identities of both the WSRP Consumer and the End-User to the WSRP 
Producer. This results in several questions:
1.a. Do you support the receipt of multiple identities (Consumer and 
End-User) on a SOAP message which can be separately queried by the 
provider application? Do you support sending multiple identities?

<MikeF>
Depends on what you mean by consumer identity.  We allow the consumer 
to sign the messages they send.
</MikeF>

1.b. What WS-Security tokens will be supported for transferring 
identities (e.g. UserName, SAML, Kerberos, Digital Signature, etc)?

<MikeF>
Consumer: UserName token without password and SAML tokens using 
"sender-vouches".
Producer: SAML tokens using "sender-vouches".
</MikeF>

1.c. Would transferring the End-User identity via a WS-Security token 
and the Consumer identity via transport-level security be supported?

<MikeF>
No, we don't support SSL client authentication.
</MikeF>

1.d. Any restrictions on how multiple identities can be attached to a 
particular SOAP message?

<MikeF>
We only support the above.  Consumer can digitally sign either a 
Username token without password or SAML token.  Producer can receive a 
[digitally signed] SAML token.
</MikeF>

2. What security granularity is expected when transferring an identity 
(for example, portals often have a concept of user role that relates to 
the End-User's current use of the portal rather than their identity ... 
is the transfer of such attributes supported (e.g. via SAML attributes))?

<MikeF>
No.
</MikeF>

3. Is support for maintaining security contexts for multiple web service 
requests anticipated? If so, using what security technology (e.g. 
WS-SecureConversation)?

<MikeF>
Not at this time.
</MikeF>

4. Is automated configuration of all endpoints supported? If so, how are 
any particular inputs to the process indicated, supported, standardized 
and maintained?

<MikeF>
Not at this time.
</MikeF>
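A Producer-side check of the profile sketched in 1.a to 1.d (two separately queryable identities: a password-less UsernameToken for the Consumer and a signed sender-vouches SAML 1.1 assertion for the End-User), as an added example that is not part of the original message or of Oracle's implementation. The SOAP sample, the token Ids and the names "portal.example" and "alice" are constructed; only structure and the stated policy are checked, not the signature's cryptography.

```python
import xml.etree.ElementTree as ET

# Namespaces for SOAP 1.1, WSS 1.0 and SAML 1.1 (the stack of the 2006 timeframe).
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"

# Constructed sample request (not from the list): Consumer as a password-less UsernameToken,
# End-User as a sender-vouches assertion, Consumer signature covering both tokens. Simplified:
# the WSS SAML Token Profile references assertions through a SecurityTokenReference, not a bare URI.
SAMPLE = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}"
  xmlns:wsu="{NS['wsu']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
 <soap:Header><wsse:Security>
  <wsse:UsernameToken wsu:Id="ConsumerTok"><wsse:Username>portal.example</wsse:Username></wsse:UsernameToken>
  <saml:Assertion AssertionID="_eu1" MajorVersion="1" MinorVersion="1">
   <saml:AuthenticationStatement><saml:Subject>
    <saml:NameIdentifier>alice</saml:NameIdentifier>
    <saml:SubjectConfirmation><saml:ConfirmationMethod>{SENDER_VOUCHES}</saml:ConfirmationMethod></saml:SubjectConfirmation>
   </saml:Subject></saml:AuthenticationStatement>
  </saml:Assertion>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#ConsumerTok"/><ds:Reference URI="#_eu1"/></ds:SignedInfo>
   <ds:SignatureValue>c2lnbmF0dXJlLWVsaWRlZA==</ds:SignatureValue></ds:Signature>
 </wsse:Security></soap:Header><soap:Body/></soap:Envelope>"""


def extract_identities(envelope_xml):
    # Structural checks only: a real Producer must also verify ds:Signature
    # cryptographically before trusting a sender-vouches assertion.
    sec = ET.fromstring(envelope_xml).find("soap:Header/wsse:Security", NS)
    token = sec.find("wsse:UsernameToken", NS) if sec is not None else None
    assertion = sec.find("saml:Assertion", NS) if sec is not None else None
    if token is None or assertion is None:
        raise ValueError("both a Consumer UsernameToken and an End-User SAML assertion are required")
    if token.find("wsse:Password", NS) is not None:
        raise ValueError("Consumer UsernameToken must not carry a password")
    signed = {r.get("URI") for r in sec.iterfind("ds:Signature/ds:SignedInfo/ds:Reference", NS)}
    for ref_id in (token.get(f"{{{NS['wsu']}}}Id", ""), assertion.get("AssertionID", "")):
        if "#" + ref_id not in signed:
            raise ValueError(f"token {ref_id!r} is not covered by the Consumer's signature")
    method = assertion.findtext(".//saml:SubjectConfirmation/saml:ConfirmationMethod", namespaces=NS)
    if method != SENDER_VOUCHES:
        raise ValueError("End-User assertion must use sender-vouches")
    return {"consumer": token.findtext("wsse:Username", namespaces=NS),
            "end_user": assertion.findtext(".//saml:Subject/saml:NameIdentifier", namespaces=NS)}
```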

