
xacml message


Subject: Scope for web service policy language #2

This is an update to the list posted on

It includes Tony's suggestion that "attestations" belong in
a web services policy language, as well as a suggestion from some
WSBPEL participants that a web services policy statement should
specify which profiles it applies to (I think this is a way of
specifying what the scope or aspect of a particular policy is).

Potential Scope Items
-"attestations": "policy can attest to authentication method and
 form the authentication context"
-policies regarding unexpected messages may apply when the
  message is properly authenticated and validated.
-policies that have to do with SLAs and
-signatures/non-repudiation, etc.
-messaging QoS features
-Privacy "over the wire" due to the sensitive nature of the contents of the message.
-Tamper-proofness for certain messages due to trust issues.
-Non-repudiation of receipt.
-Authorization of the requestor (i.e., purchasing agent or similar authority).
-QoS supplied by the messaging and security infrastructure
-business properties
-security annotations for messaging interactions (e.g. "message
  must be signed")
-statements for specifying the dependencies/coupling of the
  different Web services
-Service Level Agreements
-Quality of Protection
-cryptographic security parameters (key length, algorithm)
-privacy policies and privacy preferences
-security tokens service is capable of processing
-access control attributes required by a service
-access control attributes a client is willing/able to reveal
-authentication requirements (mechanism, algorithm, key length,
-reliable messaging (guaranteed delivery once or notice of
  failure, guaranteed delivery with no promise of once only,
  attempted delivery only)
-implementation-specific options supported or available from a
-transport protocol selection

Other Requirements
-Web-services policy language use-cases and requirements
-Each policy statement (instance of policy) should specify the
 standards profile to which it applies.

Are these all things we would want to be within the scope of the
web service policy TC?  Are there others?  Is there a definition
for "policy" that distinguishes all these things from the
underlying service processes?

WS-Policy, Version 1.1, 28 May 2003, uses this definition:

  the capabilities, requirements, and general characteristics of
  entities in an XML Web Services-based system...  some
  assertions specify requirements and capabilities that will
  ultimately manifest on the wire (e.g. authentication scheme,
  transport protocol selection).  Some assertions specify
  requirements and capabilities that have no wire manifestation
  yet are critical to proper service selection and usage
  (e.g. privacy policy, QoS characteristics).

XACML profile for Web-services, Working draft 04, 29 Sep 2003,
uses this definition:

  Access to a standard-conformant Web-service end-point involves
  a number of aspects, such as: reliable messaging, privacy,
  authorization, trust, authentication and cryptographic
  security.  Each aspect addresses a number of optional features
  and parameters, which must be coordinated between communication
  end-points if the service invocation is to be successful.  The
  provider and consumer of the service likely have different
  preferences amongst the available choices of features and
  parameters.  Therefore, a mechanism is required by which
  end-points may describe the mandatory features of service
  invocation, optional features that they support and the order
  of their preference amongst such features.

"Secure, Reliable, Transacted Web Services: Architecture and
Composition", by Donald F. Ferguson, Tony Storey (IBM) and Brad
Lovering, John Shewchuk (Microsoft), September 2003, uses this

  WSDL and XSD definitions often do not provide enough
  information to call a Web service.  WSDL and XSD define the
  service's interface syntax but they do not express information
  about how the service delivers its interface or what the
  service expects of the caller.  For example, does the service
  require security or implement transactions?

  WS-Policy enables a service to specify what it expects of
  callers and how it implements its interface...  Security,
  transactions, reliable messaging and other specifications
  require concrete WS-Policy schema.

"Understanding WS-Policy", by Aaron Skonnard, August 2003
(msdn.microsoft.com), uses this definition:

  additional [beyond the service's XML contract] requirements,
  capabilities, and preferences

Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
------- end of forwarded message -------

