W3C home > Mailing lists > Public > public-ws-addressing@w3.org > July 2005

Re: Proposal for lc87 and lc55

From: Rich Salz <rsalz@datapower.com>
Date: Thu, 07 Jul 2005 13:11:21 -0400
Message-ID: <42CD6239.9050000@datapower.com>
To: Hugo Haas <hugo@w3.org>
CC: public-ws-addressing@w3.org, Thomas Roessler <roessler@w3.org>

>>(ii) Users of EPRs should only use EPRs from sources they trust. The  
>>required trust has two aspects:
>>
>>(a) that the EPR was obtained from a trusted source
>>(b) that it was obtained from a source with authority to represent  
>>the [destination] of that EPR.

Like you, I don't believe (ii)(b) is always necessary, for exactly the 
reason you state -- the EPR might contain information signed by the 
addressee.

It's also important to realize that "trust" can be completely determined 
out of band.  For example, within an enterprise, the corporate policy 
might be "everyone uses the corporate registry for WS-A services," and 
the MIS/IT department will help enforce this by some desktop 
configuration tools.

"Do I trust this data?" can often be re-phrased as "am I liable if this 
information is wrong?"  Given the difficulties of getting the crypto 
right (e.g., see 
http://lists.w3.org/Archives/Public/public-ws-addressing/2005Mar/0115), 
I bet that the dominant security model for WS-A will be pre-installed 
configurations (regedit anyone?) and SSL.

	/r$

-- 
Rich Salz, Chief Security Architect
DataPower Technology                           http://www.datapower.com
XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html
Received on Thursday, 7 July 2005 17:04:37 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:35:06 GMT