RE: [wss] ISSUE 190: text for SOAP MustUnderstand issue

["Reid, Irving" <irving.reid@hp.com>]

> From: David Orchard [mailto:dorchard@bea.com] 
> 
> If I understand B) correctly, a targeted security receiver 
> of a mandator security header could have a security policy 
> which says "do not generate a fault under any situation, 
> including not understanding wss specification elements"?
> 

Yes, that is my understanding of the will of the TC. The rough idea is that if the receiver has a (presumably low-value) resource that can be accessed no matter what the security properties of the request, the sender can't force the receiver to care what's in the wsse:Security.

 - irving -

> > -----Original Message-----
> > From: Reid, Irving [mailto:irving.reid@hp.com]
> > Sent: Wednesday, December 03, 2003 11:10 AM
> > To: David Orchard; wss@lists.oasis-open.org
> > Subject: RE: [wss] ISSUE 190: text for SOAP MustUnderstand issue
> > 
> > 
> > This was an earlier attempt. The new text (which I intend to 
> > get out by the end of the week) will say something like:
> > 
> > A) The receiver must implement the WS-Security specification
> > B) If any element within the wsse:Security header is not 
> > understood or implemented by the receiver, whether that 
> > element is part of the WSS specification or is an extension, 
> > the decision about whether to generate a fault is based on 
> > the receiver's security policy
> > 
> > So, the short answer to your questions are "no" and "no". By 
> > my understanding of the discussion around this issue, the TC 
> > has decided not to give the sender control over how its 
> > message is interpreted through any sort of internal 
> criticality flags.
> > 
> >  - irving -