
RE: Need for new Rec or TR on attaching policy to EPR

From: Bob Freund <bob@freunds.com>
Date: Wed, 04 Apr 2007 20:28:04 -0400
To: "Anish Karmarkar" <Anish.Karmarkar@oracle.com>
Cc: "Richard Salz" <rsalz@us.ibm.com>, "WS-Addressing" <public-ws-addressing@w3.org>
Message-id: <7D5D3FDA429F4D469ADF210408D6245A066D18@jeeves.freunds.com>

Security considerations are not a bad thing and I would support that,
however I think that a discussion of the use of the metadata property
with respect to WS-policy and how it fits with respect to any other
policy expression would worry me very much.
-bob

> -----Original Message-----
> From: Anish Karmarkar [mailto:Anish.Karmarkar@oracle.com]
> Sent: Wednesday, April 04, 2007 7:14 PM
> To: Bob Freund
> Cc: Richard Salz; WS-Addressing
> Subject: Re: Need for new Rec or TR on attaching policy to EPR
> 
> Bob,
> 
> I was thinking along the lines of a 'Security Consideration' section
> that most specs have, where readers are warned about various pitfalls
> without necessarily going into the details of the pitfalls or the
> solutions (except for appropriate references).
> 
> Do you think that is something outside the scope?
> 
> BTW I would like to point out that WS-Addr core spec already says this
> about the [metadata] property:
>
> "The metadata embedded in an EPR is not necessarily a complete statement
> of the metadata pertaining to the endpoint. Moreover, while embedded
> metadata is necessarily valid at the time the EPR is initially created
> it may become stale at a later point in time.
> 
> To deal with conflicts between the embedded metadata of two EPRs that
> have the same [address], or between embedded metadata and metadata
> obtained from a different source, or to ascertain the current validity
> of embedded metadata, mechanisms that are outside of the scope of this
> specification, such as EPR life cycle information (see 2.4 Endpoint
> Reference Lifecycle) or retrieval of metadata from an authoritative
> source, SHOULD be used."
> 
> There is also a 'Security Consideration' section in ws-addr core that
> does talk about various pitfalls. At the very least the Policy/EPR
> attachment spec can point to that.
> 
> -Anish
> --
> 
> Bob Freund wrote:
> > Maybe they are, but the WS-Addressing WG is not the place IMO for that
> > to be developed since, beyond other things, I think it exceeds our scope
> > and our level of understanding or influence to describe potentially
> > conflicting policies.
> > I note also that this issue was raised in the WS-Policy WG and closed
> > with no action.
> > Thanks
> > -bob
> >
> >> -----Original Message-----
> >> From: public-ws-addressing-request@w3.org
> >> [mailto:public-ws-addressing-request@w3.org] On Behalf Of Anish Karmarkar
> >> Sent: Wednesday, April 04, 2007 3:18 PM
> >> To: Richard Salz
> >> Cc: WS-Addressing
> >> Subject: Re: Need for new Rec or TR on attaching policy to EPR
> >>
> >>
> >> I certainly agree with that: dangers and concerns exist and should be
> >> documented.
> >>
> >> -Anish
> >> --
> >>
> >> Richard Salz wrote:
> >>> Anish,
> >>>
> >>> I'm not saying that they're all not useful and valid things to do
> >>> (although I admit I can't see why putting a WSDL in an EPR is useful), I
> >>> am just pointing out that there are dangerous, and non-obvious, security
> >>> concerns. Any document that gets written should at least explain them.
> >>>         /r$
> >>> --
> >>> STSM
> >>> Senior Security Architect
> >>> DataPower SOA Appliances
> >>>
Received on Thursday, 5 April 2007 00:27:06 GMT
