Re: Need for new Rec or TR on attaching policy to EPR

Bob,

I was thinking along the lines of a 'Security Consideration' section 
that most specs have, where readers are warned about various pitfalls 
without necessarily going into the details of the pitfalls or the 
solutions (except for appropriate references).

Do you think that is something outside the scope?

BTW I would like to point out that WS-Addr core spec already says this 
about the [metadata] property:

"The metadata embedded in an EPR is not necessarily a complete statement 
of the metadata pertaining to the endpoint. Moreover, while embedded 
metadata is necessarily valid at the time the EPR is initially created 
it may become stale at a later point in time.

To deal with conflicts between the embedded metadata of two EPRs that 
have the same [address], or between embedded metadata and metadata 
obtained from a different source, or to ascertain the current validity 
of embedded metadata, mechanisms that are outside of the scope of this 
specification, such as EPR life cycle information (see 2.4 Endpoint 
Reference Lifecycle) or retrieval of metadata from an authoritative 
source, SHOULD be used."

There is also a 'Security Consideration' section in ws-addr core that 
does talk about various pitfalls. At the very least the Policy/EPR 
attachment spec can point to that.

-Anish
--

Bob Freund wrote:
> Maybe they are, but the WS-Addressing WG is not the place IMO for that
> to be developed since, beyond other things, I think it exceeds our scope
> and our level of understanding or influence to describe potentially
> conflicting policies.
> I note also that this issue was raised in the WS-Policy WG and closed
> with no action.
> Thanks
> -bob
> 
>> -----Original Message-----
>> From: public-ws-addressing-request@w3.org
>> [mailto:public-ws-addressing-request@w3.org] On Behalf Of Anish Karmarkar
>> Sent: Wednesday, April 04, 2007 3:18 PM
>> To: Richard Salz
>> Cc: WS-Addressing
>> Subject: Re: Need for new Rec or TR on attaching policy to EPR
>>
>>
>> I certainly agree with that: dangers and concerns exist and should be
>> documented.
>>
>> -Anish
>> --
>>
>> Richard Salz wrote:
>>> Anish,
>>>
>>> I'm not saying that they're all not useful and valid things to do
>>> (although I admit I can't see why putting a WSDL in an EPR is useful), I
>>> am just pointing out that there are dangerous, and non-obvious, security
>>> concerns. Any document that gets written should at least explain them.
>>>         /r$
>>> --
>>> STSM
>>> Senior Security Architect
>>> DataPower SOA Appliances
>>>

Received on Wednesday, 4 April 2007 23:18:36 UTC