Subject: Oracle's answers to Security Questions
Considering the number of customer requests for interoperable security profiles and the lack of a standardized policy framework for negotiating a security profile to use for WSRP-related messages, the WSRP TC is seeking input about whether simple interim, interoperable profiles could be defined for the use case of multiple vendors' implementations being deployed within a single security domain in the mid-2006 timeframe.

1. The WSRP use case involves an intermediary (the WSRP Consumer) acting on behalf of an End-User when interacting with the web service provider (the WSRP Producer). As a result, there is an interest in transferring the identities of both the WSRP Consumer and the End-User to the WSRP Producer. This results in several questions:

1.a. Do you support the receipt of multiple identities (Consumer and End-User) on a SOAP message which can be separately queried by the provider application? Do you support sending multiple identities?

<MikeF> Depends on what you mean by consumer identity. We allow the consumer to sign the messages they send. </MikeF>

1.b. What WS-Security tokens will be supported for transferring identities (e.g. UserName, SAML, Kerberos, Digital Signature, etc)?

<MikeF> Consumer: UserName token without password and SAML tokens using "sender-vouches". Producer: SAML tokens using "sender-vouches". </MikeF>

1.c. Would transferring the End-User identity via a WS-Security token and the Consumer identity via transport-level security be supported?

<MikeF> No, we don't support SSL client authentication. </MikeF>

1.d. Any restrictions on how multiple identities can be attached to a particular SOAP message?

<MikeF> We only support the above. Consumer can digitally sign either a Username token without password or SAML token. Producer can receive a [digitally signed] SAML token. </MikeF>

2. What security granularity is expected when transferring an identity (for example, portals often have a concept of user role that relates to the End-User's current use of the portal rather than their identity ... is the transfer of such attributes supported (e.g. via SAML attributes))?

<MikeF> No. </MikeF>

3. Is support for maintaining security contexts for multiple web service requests anticipated? If so, using what security technology (e.g. WS-SecureConversation)?

<MikeF> Not at this time. </MikeF>

4. Is automated configuration of all endpoints supported? If so, how are any particular inputs to the process indicated, supported, standardized and maintained?

<MikeF> Not at this time. </MikeF>