W3C home > Mailing lists > Public > public-ws-addressing@w3.org > July 2005

Re: Proposal for lc87 and lc55

From: Marc Hadley <Marc.Hadley@Sun.COM>
Date: Thu, 07 Jul 2005 23:38:52 -0400
To: Rich Salz <rsalz@datapower.com>
Cc: Hugo Haas <hugo@w3.org>, public-ws-addressing@w3.org, Thomas Roessler <roessler@w3.org>
Message-id: <4717D594-01D8-4EDA-8599-14CDB37B7A53@Sun.COM>
On Jul 7, 2005, at 1:11 PM, Rich Salz wrote:
>>> (ii) Users of EPRs should only use EPRs from sources they trust.  
>>> The  required trust has two aspects:
>>> (a) that the EPR was obtained from a trusted source
>>> (b) that it was obtained from a source with authority to  
>>> represent  the [destination] of that EPR.
> Like you, I don't believe (ii)(b) is always necessary, for exactly  
> the reason you state -- the EPR might contain information signed by  
> the addressee.
I don't think it will always be necessary, if the user implicitly  
trusts everything the minter tells them then there's no need.  
However, for more casual relationships I think it will be necessary  
for the minter to prove it has some authority to speak for the target  
of the EPR.

> It's also important to realize that "trust" can be completely  
> determined out of band.  For example, within an enterprise, the  
> corporate policy might be "everyone uses the corporate registry for  
> WS-A services," and the MIS/IT department will help enforce this by  
> some desktop configuration tools.
Absolutely. My proposal recognized this by not making the trust  
mechanism REQUIRED, the MUSTs only apply "When using this mechanism".


> "Do I trust this data?" can often be re-phrased as "am I liable if  
> this information is wrong?"  Given the difficulties of getting the  
> crypto right (e.g., see http://lists.w3.org/Archives/Public/public- 
> ws-addressing/2005Mar/0115), I bet that the dominant security model  
> for WS-A will be pre-installed configurations (regedit anyone?) and  
> SSL.
>     /r$
> -- 
> Rich Salz, Chief Security Architect
> DataPower Technology                           http:// 
> www.datapower.com
> XS40 XML Security Gateway   http://www.datapower.com/products/ 
> xs40.html

Marc Hadley <marc.hadley at sun.com>
Business Alliances, CTO Office, Sun Microsystems.

Received on Friday, 8 July 2005 03:39:02 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:04:10 UTC