W3C home > Mailing lists > Public > public-ws-policy@w3.org > September 2006

NEW ISSUE 3753: Example 1-1 is not a complete security policy

From: Fabian Ritzmann <Fabian.Ritzmann@Sun.COM>
Date: Tue, 19 Sep 2006 18:08:04 +0300
To: public-ws-policy@w3.org
Message-id: <451007D4.8080003@Sun.COM>

http://www.w3.org/Bugs/Public/show_bug.cgi?id=3753

Title

Example 1-1 is not a complete security policy


Description

Example 1-1 shows a simple policy with two security policy assertions in 
lines 03 and 04. According to WS-SecurityPolicy 1.2, section 7.1, these 
security policy assertions must be encapsulated by a policy that is 
nested inside an AlgorithmSuite assertion. The enclosing AlgorithmSuite 
assertions as well as suitable top-level assertions containing the 
AlgorithmSuite assertions are missing from example 1-1.

The examples in the following chapters build on this first example. 
Despite extensive research we did not find a policy that is sufficiently 
simple, can serve as a basis for the other examples, and still is a 
valid policy. We should still point out that the example given is an 
incomplete policy that only serves to illustrate how a policy could look 
like.


Justification

An example of a policy that claims to display a security policy but in 
fact violates the constraints of WS-SecurityPolicy causes unnecessary 
confusion among readers of both specifications.


Target

Web Services Policy Framework, section 1.2, example 1-1


Proposal

Replace "The following example illustrates a security policy expression 
using assertions defined in WS-SecurityPolicy [WS-SecurityPolicy]:"

by "The following example illustrates a security policy expression using
assertions defined in WS-SecurityPolicy [WS-SecurityPolicy] rather than 
a complete security policy:"
Received on Tuesday, 19 September 2006 15:08:07 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:20:41 GMT