Subject: Scope for web service policy language #2
This is an update to the list posted on http://www.oasis-open.org/archives/xacml/200310/msg00030.html. It includes Tony's suggestion that "attestations" belong in a web services policy language, as well as a suggestion from some WSBPEL participants that a web services policy statement should specify which profiles it applies to (I think this is a way of specifying what the scope or aspect of a particular policy is).

Potential Scope Items

- "attestations": "policy can attest to authentication method and form the authentication context"
- policies regarding unexpected messages may apply when the message is properly authenticated and validated.
- policies that have to do with SLAs and
- signatures/non-repudiation, etc.
- messaging QoS features
- Privacy "over the wire" due to the sensitive nature of the contents of the message.
- Tamper-proofness for certain messages due to trust issues.
- Non-repudiation of receipt.
- Authorization of the requestor (i.e., purchasing agent or similar authority).
- QoS supplied by the messaging and security infrastructure
- business properties
- transactions
- security
- payment
- security annotations for messaging interactions (e.g. "message must be signed")
- statements for specifying the dependencies/coupling of the different Web services
- Service Level Agreements
- Quality of Protection
- cryptographic security parameters (key length, algorithm)
- privacy policies and privacy preferences
- security tokens service is capable of processing
- access control attributes required by a service
- access control attributes a client is willing/able to reveal
- trust
- authentication requirements (mechanism, algorithm, key length, etc.)
- reliable messaging (guaranteed delivery once or notice of failure, guaranteed delivery with no promise of once only, attempted delivery only)
- implementation-specific options supported or available from a service
- transport protocol selection

Other Requirements

- Web-services policy language use-cases and requirements http://www.oasis-open.org/committees/download.php/1608/wd-xacml-wspl-use-cases-04.pdf
- Each policy statement (instance of policy) should specify the standards profile to which it applies.

Are these all things we would want to be within the scope of the web service policy TC? Are there others?

Is there a definition for "policy" that distinguishes all these things from the underlying service processes?

WS-Policy, Version 1.1, 28 May 2003, uses this definition:

the capabilities, requirements, and general characteristics of entities in an XML Web Services-based system... some assertions specify requirements and capabilities that will ultimately manifest on the wire (e.g. authentication scheme, transport protocol selection). Some assertions specify requirements and capabilities that have no wire manifestation yet are critical to proper service selection and usage (e.g. privacy policy, QoS characteristics).

XACML profile for Web-services, Working draft 04, 29 Sep 2003, uses this definition:

Access to a standard-conformant Web-service end-point involves a number of aspects, such as: reliable messaging, privacy, authorization, trust, authentication and cryptographic security. Each aspect addresses a number of optional features and parameters, which must be coordinated between communication end-points if the service invocation is to be successful. The provider and consumer of the service likely have different preferences amongst the available choices of features and parameters.
Therefore, a mechanism is required by which end-points may describe the mandatory features of service invocation, optional features that they support and the order of their preference amongst such features.

"Secure, Reliable, Transacted Web Services: Architecture and Composition", by Donald F. Ferguson, Tony Storey (IBM) and Brad Lovering, John Shewchuk (Microsoft), September 2003, uses this definition:

WSDL and XSD definitions often do not provide enough information to call a Web service. WSDL and XSD define the service's interface syntax but they do not express information about how the service delivers its interface or what the service expects of the caller. For example, does the service require security or implement transactions? WS-Policy enables a service to specify what it expects of callers and how it implements its interface... Security, transactions, reliable messaging and other specifications require concrete WS-Policy schema.

"Understanding WS-Policy", by Aaron Skonnard, August 2003 (msdn.microsoft.com), uses this definition:

additional [beyond the service's XML contract] requirements, capabilities, and preferences

Anne
--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692

------- end of forwarded message -------