- From: Asir Vedamuthu <asirveda@microsoft.com>
- Date: Wed, 19 Jul 2006 22:37:16 -0700
- To: "Ashok Malhotra" <ashok.malhotra@oracle.com>, <public-ws-policy@w3.org>
Hi Ashok,

> anything can appear within a policy element
> including assertions that have nothing to
> do with the parent assertion.

Nested policy expression is used by assertion authors to further qualify one or more specific aspects of the parent assertion [1]. Assertion authors can enumerate the allowed nested assertions, but the set may need to be unbounded to allow for extensibility (ex new security token types, new encryption algorithms, etc).

> But this does not work as the contents
> of the <wsp:Policy> element cannot change

In the WS-SecurityPolicy specification, the normative XML outline for an assertion enumerates the anticipated nested assertions.

> simply specify these assertions as
> possible children of the parent assertion

A child element of a policy assertion element that is not from the WS-Policy XML Namespace is a policy assertion parameter. By using nested policy expression, security policy can take advantage of the generic policy intersection algorithm.

[1] http://dev.w3.org/cvsweb/~checkout~/2006/ws/policy/ws-policy-framework.html?content-type=text/html;%20charset=utf-8#rPolicy_Assertion

I hope this helps.

Regards,

Asir S Vedamuthu
Microsoft Corporation

-----Original Message-----
From: public-ws-policy-request@w3.org [mailto:public-ws-policy-request@w3.org] On Behalf Of Ashok Malhotra
Sent: Tuesday, July 18, 2006 5:20 AM
To: public-ws-policy@w3.org
Subject: http://www.w3.org/2006/07/12-ws-policy-minutes.html#action04

I've written this action as a new issue.

Title: Nested policy as a qualifying mechanism on an assertion is too general.

Description: WS-Policy allows a nested/embedded policy to be used to qualify an assertion. This is too general, as anything can appear within a policy element including assertions that have nothing to do with the parent assertion. Note that WS-SecurityPolicy seems to recognize this and includes a note: "Assertions from one domain SHOULD NOT be nested inside assertions from another domain. For example, assertions from a transaction domain should not be nested inside an assertion from a security domain."

There is, however, no definition of "domain" that I could find.

Further, the "Schemas" included in WS-SecurityPolicy specify which assertions can appear within the embedded policy. But this does not work as the contents of the <wsp:Policy> element cannot change depending on the context in which it appears.

If the authors of WS-SecurityPolicy go to the trouble of specifying which assertions can appear within the embedded policy, why don't they simply specify these assertions as possible children of the parent assertion.

Target: WS-Policy Framework

Proposal: Instead of nested policies, allow assertions to be qualified by defining possible child elements for them.

All the best,
Ashok
Received on Thursday, 20 July 2006 05:37:52 UTC
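
The difference between a nested policy expression and an assertion parameter, as the generic intersection rule sees it, shown as an added example that is not part of the thread or of any specification text. It assumes the WS-Policy 1.5 namespace URI, a constructed `urn:example:sec` assertion namespace with constructed assertion names, and policies that each hold a single alternative (no `wsp:ExactlyOne`/`wsp:All`, no ignorable or optional assertions).

```python
import xml.etree.ElementTree as ET

WSP = "http://www.w3.org/ns/ws-policy"  # WS-Policy 1.5 namespace (assumed for this example)
POLICY = "{%s}Policy" % WSP

def parse(body):
    """Wrap constructed assertion markup in a one-alternative top-level wsp:Policy."""
    return ET.fromstring('<wsp:Policy xmlns:wsp="%s" xmlns:ex="urn:example:sec">%s'
                         '</wsp:Policy>' % (WSP, body))

def assertions_compatible(a, b):
    """Generic rule: same QName, and nested policies (if any) must be compatible."""
    if a.tag != b.tag:
        return False
    na, nb = a.find(POLICY), b.find(POLICY)
    if na is None and nb is None:
        return True   # parameter children are never compared by the generic rule
    if na is None or nb is None:
        return False  # only one side carries a nested policy expression
    return alternatives_compatible(na, nb)

def alternatives_compatible(p, q):
    """Every assertion in each alternative needs a compatible one in the other."""
    pa, qa = list(p), list(q)
    return (all(any(assertions_compatible(x, y) for y in qa) for x in pa)
            and all(any(assertions_compatible(x, y) for y in pa) for x in qa))

def suite_nested(name):
    """Constructed policy: algorithm suite qualified through nested policy expressions."""
    return parse("<ex:TransportBinding><wsp:Policy><ex:AlgorithmSuite><wsp:Policy>"
                 "<ex:%s/></wsp:Policy></ex:AlgorithmSuite></wsp:Policy>"
                 "</ex:TransportBinding>" % name)

def suite_param(name):
    """Constructed policy: the same choice expressed as an assertion parameter."""
    return parse("<ex:TransportBinding><ex:AlgorithmSuite>%s</ex:AlgorithmSuite>"
                 "</ex:TransportBinding>" % name)

if __name__ == "__main__":
    for label, left, right in [
        ("nested, same suite", suite_nested("Basic256"), suite_nested("Basic256")),
        ("nested, different suite", suite_nested("Basic256"), suite_nested("Basic128")),
        ("parameter, different suite", suite_param("Basic256"), suite_param("Basic128")),
    ]:
        print(label, "->", alternatives_compatible(left, right))
```

With the parameter form, the algorithm mismatch passes the generic check and would have to be caught by domain-specific processing.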