W3C home > Mailing lists > Public > public-ws-addressing@w3.org > November 2004

RE: i0001: EPRs as identifiers

From: David Orchard <dorchard@bea.com>
Date: Sat, 13 Nov 2004 14:49:09 -0800
Message-ID: <32D5845A745BFB429CBDBADA57CD41AF0A3CA57E@ussjex01.amer.bea.com>
To: "Francisco Curbera" <curbera@us.ibm.com>
Cc: <public-ws-addressing@w3.org>

Let me see if I understand you correctly.  

You are asserting that Reference properties are not being used as a
service identifier because:
- Reference properties may be different across multiple
protocols/bindings for the same endpoint
- Reference properties are about the address of the endpoint, not an
identifier for the endpoint.

Any similarity between reference properties, such as the use of words
like identity and the equivalence function, and identifiers is
misleading and should be corrected.

Is that roughly right?

Cheers,
Dave

> -----Original Message-----
> From: Francisco Curbera [mailto:curbera@us.ibm.com]
> Sent: Saturday, November 13, 2004 9:35 AM
> To: David Orchard
> Cc: public-ws-addressing@w3.org; public-ws-addressing-request@w3.org
> Subject: Re: i0001: EPRs as identifiers
> 
> 
> 
> 
> 
> I appreciate very much Dave's proposal and the advantage of having his
Web
> architecture expertise to help us navigate these murky waters.
However,
> before we approach the TAG or do anything drastic like that, I think I
> need
> to explain my qualms about the way we seem to be approaching this
issue; I
> have the feeling I am in a minority in this, but I fear an important
> perspective may be lost in this discussion.
> 
> First, we need to admit that the specification contains specific
language
> to prompt this concern and the current resolution approach. In
particular,
> Section 2.1 in the core document draft talks about using reference
> properties to "identify" the entity being conveyed. However, I claim
that
> this language is misleading and not consistent with the spirit of the
> spec;
> moreover, if we take it to its final conclusion important use cases
will
> not be appropriately supported.
> 
> My central point is that the idea that EPRs identify service endpoints
is
> wrong and potentially dangerous. There is a key different between
> identifiers and addresses. The Web architecture document correctly
states
> that different identifiers (URIs) should not be associated with the
same
> resource; while aliases are not prohibited, they do undermine the
> usefulness of URIs as identifiers and impose unnecessary cost on URI
> consumer applications. The notion of identifiers is essentially at
odds
> with having multiple for the same entity.
> 
> However, in the case of EPRs the ability to issue multiple different
ones
> for the same endpoint is a fundamental requirement. There are
situations
> where multiple access channels to the endpoint are provided but they
need
> to be selectively exposed to different clients; the hosting
infrastructure
> may issue different EPRs to different clients such that a client
> application would be able unable to tell whether they correspond to
the
> same resource or not. To abuse the snail mail metaphor a bit more, the
> address that is encoded in a letter sent to me cannot be used to
identify
> me in the way my social security number can, but is useful if you want
to
> get your letters to me. I have several mail addresses but a single
social
> security number. The notion of address assumes that the same entity
may
> have many, in contrast with the notion of identity (as the Web Arch.
> document recognizes).
> 
> A "wire-centric" interpretation of EPRs, I think, is much more
consistent
> with the spirit of Web services than this identity based approach. An
EPR
> encapsulates the information that must be conveyed in a message
envelope
> to
> ensure that it can be properly delivered to the endpoint. This is
clearly
> not the same as providing an identifier for the resource, but is
essential
> to ensure interoperable access to endpoints.  Regardless of how
> inconsistent the language in the current spec is today, we need to
make it
> clear that WS-Addressing is not about identifying resources but only
about
> providing the means to interoperably direct (address) messages to
them.
> Moreover, I think we should state that the identification of endpoints
is
> not within the scope of this WG. We just need to make these points
clear
> in
> the spec and let the TAG rest at ease knowing we are not trying to
break
> their carefully constructed Web architecture.
> 
> Paco
> 
> 
> 
> 
> 
> 
> 
> 
>                       "David Orchard"
>                       <dorchard@bea.com>              To:
<public-
> ws-addressing@w3.org>
>                       Sent by:                        cc:
>                       public-ws-addressing-req        Subject:  i0001:
> EPRs as identifiers
>                       uest@w3.org
> 
> 
>                       11/13/2004 01:13 AM
> 
> 
> 
> 
> 
> I offer a proposal for what the issue is, and a solution
> 
> Issue:
> 
> WS-Addressing EPRs specify a resource identification mechanism, called
> reference properties and reference parameters, in addition to URIs for
> identification purposes.  There is not a clear justification of the
> benefits of such an additional resource identification mechanism.
> 
> The W3C Web architecture [1] states "To benefit from and increase the
> value
> of the World Wide Web, agents should provide URIs as identifiers for
> resources.  Other resource identification systems (see the section on
> future directions for identifiers) may expand the Web as we know it
today.
> However, there are substantial costs to creating a new identification
> system that has the same properties as URIs."
> 
> The W3C TAG was asked the question about when to use GET for
retrieving
> resource representations and indirectly about when URIs should be
provided
> for resources in Issue #7 [2] and produced a finding [3].  Some of the
> finding material is included in the Web arch document.  The Web
> architecture is clear that there are substantial costs associated with
> resource identification systems other than URIs and the implication is
> that
> the benefits to such additional systems should be substantial.
> 
> The URI specification [4] provides a definition of a resource "A
resource
> can be anything that has identity."  Thus we do not need to determine
> whether an EPR identifies a resource or not, but whether an EPR is
used as
> an identifier.
> 
> The WS-Addressing member submission [5] is fairly clear that EPRs are
used
> for identification purposes.  Some sample quotes used in the document:
> "Dynamic generation and customization of service endpoint
descriptions. "
> "Identification and description of specific service instances"
> "we define a lightweight and extensible mechanism to dynamically
identify
> and describe service endpoints and instances"
> "Specific instances of a stateful service need to be identified"
> "A reference may contain a number of individual properties that are
> required to identify the entity or resource being conveyed"
> 
> A tell-tale sign of identifiers is comparisons of identifiers.  The
URI
> specification provides rules for URI comparison.  The WS-Addressing
> submission provides rules for EPR comparison.
> 
> Note that the Web architecture does not discuss stateful versus
stateless
> services or interactions, nor does it discuss the use of HTTP Cookies
to
> contain state or state identifier information.  To a certain degree,
the
> comparison of URIs vs EPRs may be thought of as a comparison of URIs +
> HTTP
> cookies vs EPRs.  However, this comparison will describe EPRs with
> reference properties without discussion of HTTP cookies, but the
> similarity
> of the benefits of HTTP cookies and EPR reference properties is
captured
> in
> the EPR benefits.
> 
> [1] http://www.w3.org/TR/webarch/#uri-benefits
> [2] http://www.w3.org/2001/tag/issues.html#whenToUseGet-7
> [3] http://www.w3.org/2001/tag/doc/whenToUseGet.html
> [4] http://www.ietf.org/rfc/rfc2396
> [5] http://www.w3.org/Submission/2004/SUBM-ws-addressing-20040810/
> 
> 
> Resolution:
> The WS-Addressing WG will provide material, TBD format such as
standalone
> or primer or ..., that shows the benefits to be gained from
WS-Addressing
> reference properties and parameters.  It includes a comparison with
URI
> only solutions.
> 
> Sample applications and benefits
> A sample application is introduced with a skeletal display of use of
URIs
> and EPRs.
> 
> Sample application #1: Stateful Web service client.
> 
> A stateful service acting as a client makes a request to another
service.
> The client makes a request containing a ReplyTo containing an EPR.
The
> invoked service responds with the requested information including an
> WS-Addressing EPR processing model
> 
> Variation #1: Reference properties
> Client->Service:request
> <s:Header>
> <wsa:ReplyTo>
>    <wsa:EndpointReference>
>   <wsa:Address>http://www.fabrikam123.example/acct</wsa:Address>
>    <wsa:ReferenceProperties>
>        <fabrikam:CustomerKey>123456789</fabrikam:CustomerKey>
>    </wsa:ReferenceProperties>
>   </wsa:EndpointReference>
> </wsa:ReplyTo>
> </s:Header>
> 
> Service->Client Callback
> 
> <S:Header>
>     <wsa:To>http://www.fabrikam123.example/acct</wsa:To>
>     <fabrikam:CustomerKey>123456789</fabrikam:CustomerKey>
> </S:Header>
> 
> Variation #2a: Address only with full featured Qname to URI mapping
> 
> This takes the fabrikam:CustomerKey Qname and content and incorporates
it
> into the Address using an extension of QName/URI binding style #10 in
[1]
> Client->Service:request
> <s:Header>
> <wsa:ReplyTo>
>    <wsa:EndpointReference>
> 
>
<wsa:Address>http://www.fabrikam123.example/acct?(fabrikamns)CustomerKey
=1
> 23456789</wsa:Address>
>   </wsa:EndpointReference>
> </wsa:ReplyTo>
> </s:Header>
> 
> Service->Client Callback
> 
> <S:Header>
> 
>
<wsa:To>http://www.fabrikam123.example/acct?(fabrikamns)CustomerKey=1234
56
> 789</wsa:To>
> </S:Header>
> 
> Variation 2b: Simple Address
> The Address may be significantly simpler, such as
>
<wsa:Address>http://www.fabrikam123.example/acct/123456789</wsa:Address>
> 
> 
> Comparison of Variations.
> 
> This comparison uses the Architecture properties of Key interest
section
> from Dr. Fielding's thesis [2] as the criteria for evaluating these 2
> styles.  This is based upon the network characteristics of the
> architectures.  Note that the thesis specifically excludes those
> properties
> that are of interest to software architectures.
> 
> Performance
> Advantage of URIs
> Comparing URIs is simpler than comparing EPRs because the cost of
> canonicalizing EPRs can be significant given the XML C14N algorithm.
> 
> 
> Scalability
> No difference.  Both styles support stateful and stateless
interactions.
> 
> 
> Simplicity
> 
> Advantages of EPRs
> Web services are based upon XML.  Many applications use XML as the
> mechanisms for identifying their components.  The binding of XML into
URIs
> is not standardized and potentially problematic, some of the issues
being:
> - XML contains QNames as element names, attribute names, and content.
> QNames are based upon absolute URIs.  URIs in URIs is not simple.
> - XML elements can have multiple children at all levels, whereas URIs
have
> path hierarchy that ends in a multiple children query parameters.
> - The XML information model is complex with attributes, elements, PIs,
> comments, entity references and whitespace.  These do not match well
to
> URIs.
> - Character encodings are different between XML and URIs.
> - URIs have potential length restrictions
> - URIs have different security properties than SOAP header blocks,
such as
> level of encryption and signing.
> 
> XML applications that use XML for identification will probably be
simpler
> to write with EPRs than with URI only identifiers.  This includes SOAP
> tools and XML tools.
> 
> Advantages of URIs
> In many cases, the complexity of XML is not needed for the identifier,
as
> shown in example 2b.  This enables the web service to be "on the Web"
as
> an
> HTTP GET can be used to retrieve a representation of the state of the
> resource.  This also enables much of the web infrastructure to
operate,
> such as caching intermediaries, security firewalls, etc..  This can
lead
> to
> easier to debug systems (a web browser can retrieve the state for a
> human)..
> 
> 
> Evolvability
> Advantage of EPRs
> Separating the reference property from the URI may make it easier for
> service components to evolve.  A service component may know nothing
about
> the deployment address of the service from the reference properties.
This
> effectively separates the concerns of identifiers into externally
visible
> and evolvable from the internally visible and evolvable.  For example,
a
> dispatcher could evolve the format it uses for reference properties
> without
> concern of the URI related software.  The use of SOAP tools - for
parsing
> the soap header for the reference properties - or xml tools - such as
an
> xpath expression on the message - allow separate evolvability of
> components.
> 
> Advantage of URIs
> No advantage to URIs for evolvability.
> 
> Visibility
> Advantage of EPRs
> URIs provide for visibility into the interaction between two
components.
> There are scenarios that indicate visibility into the reference
property
> is
> not necessary.  Inserting the reference property may hinder
visibility.
> The security desired may be at the address level, and inserting the
URI
> serialization of the ref property may harm the ability to
appropriately
> apply security.  For example, the Address may already have query
> parameters
> that are part of the service identifier, and the reference property as
a
> query parameter may result in difficult parsing as the query
parameters
> are
> not necessarily order preserved.  Potentially multiple reference
> properties
> compounds the problem.
> 
> Additionally, a service provider may not want for the reference
property
> to
> be visible as part of the URI.  Presumably they could encrypt the
> reference
> property and then insert into the Address field, but this leaves us
back
> to
> the simplicity argument and inserting XML into URIs.
> 
> Advantage of URIs
> URI only EPRs offer clearly higher visibility into the message for any
> intermediary.
> 
> Security
> Advantage of EPRs
> Dr. Fielding's thesis does not directly address security.  One
potential
> aspect of security is "guessing" at endpoints.  Encrypting the
reference
> property does not cover signing a reference property.  A reference
> property
> might be encrypted and signed by a service provider using the OASIS
> WS-Security standard
> 
> 
> Real-World
> Advantage of EPRs
> It is useful to examine not only theoretical architectures properties
but
> real-world deployed architectures.  A significant portion of the Web
is
> deployed with stateful web components that use HTTP Cookies to contain
> session or state identifying information.  For a variety of reasons,
> typically those detailed previously, application developers have
chosen to
> use HTTP Cookies to contain identifying information in addition to
URIs.
> 
> Additionally, a variety of efforts have been undertaken to facilitate
> mapping of XML and QNames to URIs, such as WSDL 2.0 HTTP Binding.
There
> does not appear to be substantial product group interest in these
> technologies.
> 
> Advantage of URIs
> The subset of the Web that is "on the Web", that is has a URI that is
> dereferenceable, is clearly widely scalable, deployed, etc.
> 
> Conclusion
> This has shown that the choice of EPRs with Reference Properties
versus
> EPRs without reference properties is a complex choice best left to the
> application developer.  As they have the choice with a Web of HTTP
URIs
> and
> HTTP Cookies today, WS-Addressing gives Web service application
developers
> the choice of their identifier architecture.  They can use URI only
EPRs
> and they can use URIs + XML based reference properties and parameters.
> 
> [1]
http://www.pacificspirit.com/blog/2004/04/29/binding_qnames_to_uris
> [2]
>
http://www.ics.uci.edu/~fielding/pubs/dissertation/net_app_arch.htm#sec_
2_
> 3
> 
> 
> 
Received on Saturday, 13 November 2004 22:49:24 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:34:59 GMT