- From: Natale, Bob <RNATALE@mitre.org>
- Date: Mon, 15 Oct 2007 08:56:48 -0400
- To: "Sergey Beryozkin" <sergey.beryozkin@iona.com>, "David Orchard" <dorchard@bea.com>, "Ashok Malhotra" <ashok.malhotra@oracle.com>, "Asir Vedamuthu" <asirveda@microsoft.com>
- Cc: <public-ws-policy@w3.org>
- Message-ID: <4915F014FDD99049A9C3A8C1B832004F02333B7A@IMCSRV2.MITRE.ORG>
Hi Sergey,
Thanks for your thoughtful follow-ups on this topic.
- I would concede that if as a last call issue ordering would cause
serious disruption to the approval process, then it is out of scope for
the policy framework, given the rules of engagement in place to date.
(For the record, I have been on the other end of managing the
"Johnny-come-lately" radical suggestions near the end of long and
laborious SDO consensus-building efforts -- it's rarely pleasant. :)
- Using an extension attribute approach is fine with me.
Now, given those two actionable statements, what follows is just for
background consideration (i.e., IMHO and FWIW):
- As noted in your example (sp:EncryptBeforeSigning /) to Asir today,
any arbitrary desired or required ordering can be crafted as an
assertion. However, this has two defects:
-- For verification and reuse purposes, assertions should be as
atomic as possible
-- Some policies in large environments supporting diverse missions
of multiple priorities will be, of necessity, extremely complex, and
ordering (both recommended and mandatory) will be essential to policy
authors in those environments:
--- crafting individual assertions to control ordering will
quickly become impractical in those cases
--- having to use a multiplicity of domain-specific ordering
syntaxes will also become impractical in those cases
- The Policy Framework rules of engagement should have included the
notion of supporting policy composition for the kinds of environments
and missions referred to above.
- In general, we'd like to identify errors/exceptions as early as
possible in a system...the first line of defense for ordering errors
would be the policy editing tools, the next should be as close
(downstream) to the policy engine, if not the policy engine itself.
Cheers,
BobN
________________________________
From: Sergey Beryozkin [mailto:sergey.beryozkin@iona.com]
Sent: Monday, October 15, 2007 6:12 AM
To: Natale, Bob; David Orchard; Ashok Malhotra
Cc: public-ws-policy@w3.org
Subject: Re: Ordering of Assertions: Comment on WS-Policy
Primer LCWD
Hi Bob
I'm thinking that may be a single value for an attribute like
this one would do. I'm fime with "mandated" for ex.
Furthermore I believe any enforcement is out of scope for the
policy framework, as it's not the engine's responsibilty
to enforce any behaviors associated with given policy
assertions. Given this, I feel an attribute like this is kind of
extension to the core policy schema because whatever in the core schema
defines has some meaning to the policy engine.
For example :
<Policy wspe:ordering="mandated"
xmlns:wspe="www.w3.org/ms/ws-policy/extensions">
<A/>
<B/>
</Policy>
Basically, we're just using an extension attribute (thanks to
the extensibilty available through the core schema) to convey the
policy author's hint to the consumer entity which interacts with the
policy engine. As far the policy engine is concerned, it does not know
what wspe:ordering="mandated" means. On the other hand, the entity
which understands this extension is given a hint that the ordering of
behaviors is the same as the order of corresponding assertions.
I don't think though that a consumer which understands this
extension needs to throw exceptions. It's too strict. For ex, policy
unaware consumer can stil ltalk to the policy-aware provider, it's up
to the provider to verify and enforce that the consumer has done things
as expected...
So I'm kind of positive about an extension like this one. What
bothers :-) me a bit though : is it really a last call issue given that
it's out of scope for the framework ? Do you agree it's out of scope
for the framework ?
Thanks, Sergey
----- Original Message -----
From: Natale, Bob <mailto:RNATALE@mitre.org>
To: Sergey Beryozkin <mailto:sergey.beryozkin@iona.com>
; David Orchard <mailto:dorchard@bea.com> ; Ashok Malhotra
<mailto:ashok.malhotra@oracle.com>
Cc: public-ws-policy@w3.org
Sent: Friday, October 12, 2007 5:44 PM
Subject: RE: Ordering of Assertions: Comment on
WS-Policy Primer LCWD
Hi Sergey,
As far as I can tell now, your suggested approach would
satisfy my needs -- with one possible addition: Add "mandatory" (along
with "recommended") as a possible value for "ordering"...the meaning
being that the client must either observe the ordering or, if unable or
unwilling to do so, reject the policy.
For the domain in which I work, being able to
explicitly declare policymaker intent at the highest level in a clear
and simple way is a prerequisite to broader and deeper implementation
of policy-based management. Lower-level restrictions on how that
policy might get implemented, as long as they are known up-front, can
be accommodated.
Cheers,
BobN
________________________________
From: Sergey Beryozkin
[mailto:sergey.beryozkin@iona.com]
Sent: Friday, October 12, 2007 12:27 PM
To: Natale, Bob; David Orchard; Ashok Malhotra
Cc: public-ws-policy@w3.org
Subject: Re: Ordering of Assertions: Comment on
WS-Policy Primer LCWD
Hi
As far as I understand, you believe that in
those cases when it matters a solution at a framework level would be
more efficient than a solution involving domain-specific policy
assertions.
It might be more efficient indeed, as far as a
generic hint is concerned. I'd say that it won't make more efficient
with respect to what happens afterwards, with what runtime/engine
actually does with this hint.
Nonetheless, if there were a push for a
solution at the framework level in v.next then I'd suggest something
like :
<wsp:Policy>
<wsp:All acme:ordering="recommended">
<B/>
<A/>
</wsp:All>
</wsp:Policy>
acme:ordering="recommended" can be placed on
any WS-Policy language operator in which case the rule would be for it
to propogate down to all <All> descendants at the normalization time.
This does not affect the intersection.
acme:ordering="recommended" is just a hint, the consumer still has to
verify it makes sense and is free to ignore this hint. For ex, a
consumer dealing with RM and WS-Security may notice this hint or may
not.
Say, when it encounters
<wsp:Policy acme:ordering="recommended">
<WS-Security/>
<WS-RM/>
</wsp:Policy>
then it can either reject this policy or ignore
the hint and do WS-RM first and only then do WS-Security. What the
consumer does is out of scope for the framework.
Using an attribute like acme:ordering
(wsp:ordering) would be much less intrusive, much less complex and more
neutral than introducing a general purpose ordering operator.
Cheers, Sergey
----- Original Message -----
From: "Natale, Bob" <RNATALE@mitre.org
<mailto:RNATALE@mitre.org> >
To: "David Orchard" <dorchard@bea.com
<mailto:dorchard@bea.com> >; <ashok.malhotra@oracle.com
<mailto:ashok.malhotra@oracle.com> >
Cc: <public-ws-policy@w3.org
<mailto:public-ws-policy@w3.org> >
Sent: Thursday, October 11, 2007 10:19 PM
Subject: RE: Ordering of Assertions: Comment on
WS-Policy Primer LCWD
Ok, Dave, I'll bite...although I have to say
that Ashok's original
existence proofs (recognition in the Policy
Framework and realization
in SecurityPolicy) strike me as sufficient
basis for having to prove
the counter-argument rather than the
pro-argument. And, yes, I can
think of multiple ways to achieve the objective
of policy ordering
without adding an operator-like feature to
WS-Policy (e.g., multiple
domain-specific ordering constructs, presumed
run-time engine
omniscience, etc.)...they just all seem less
efficient and intuitive to
me.
So, for a very generic data processing context,
I might want instances
of the following set of policies (sometimes in
recursive
relationships):
- someCollectionPolicy
- someFilteringPolicy
- someAggregationPolicy
- someCorrelationPolicy
- someTaggingPolicy
- someSortingPolicy
- someClassificationPolicy
- someStoragePolicy
- someRetentionPolicy (which is also
inherently someDeletionPolicy)
The order in which some of these policies are
applied in some data
processing contexts could be significant, it
would seem to me...?
Examples from the SCA Policy realm also come to
mind. Actually, many
do, especially when considering dynamically
constructed digital
run-time policies in response to changing
real-world circumstances
(e.g., in the network management realm).
Cheers,
BobN
-----Original Message-----
From: public-ws-policy-request@w3.org
<mailto:public-ws-policy-request@w3.org>
[mailto:public-ws-policy-request@w3.org] On
Behalf Of David Orchard
Sent: Thursday, October 11, 2007 4:59 PM
To: ashok.malhotra@oracle.com
<mailto:ashok.malhotra@oracle.com>
Cc: public-ws-policy@w3.org
<mailto:public-ws-policy@w3.org>
Subject: RE: Ordering of Assertions: Comment on
WS-Policy Primer LCWD
I asked my question first, and it's up to you
to prove that work needs
to be done, not the other way around. That
said, you don't seem to
have
any intention of answering my question as
you've decided to respond to
my question with a question. I learned from
"Rosencrantz and
Guildenstern are dead" not to play the question
game.
Cheers,
Dave
> -----Original Message-----
> From: ashok malhotra
[mailto:ashok.malhotra@oracle.com]
> Sent: Thursday, October 11, 2007 1:33 PM
> To: David Orchard
> Cc: public-ws-policy@w3.org
<mailto:public-ws-policy@w3.org>
> Subject: Re: Ordering of Assertions: Comment
on WS-Policy Primer LCWD
>
> David:
> Please answer the question. Is it your
position that there
> are no Policies where the order in which the
assertions
> within a Policy Alternative are applied is
important?
>
> Ashok
>
> David Orchard wrote:
>
> >I think the onus is on you to prove
something, rather than
> me to prove
> >nothing, especially if you want the WG to do
something.
> >
> >I know you are arguing that some policies
need ordering.
> I'm arguing
> >you need to show some policies that need
ordering.
> >
> >Cheers,
> >Dave
> >
> >
> >
> >>-----Original Message-----
> >>From: ashok malhotra
[mailto:ashok.malhotra@oracle.com]
> >>Sent: Thursday, October 11, 2007 3:28 AM
> >>To: David Orchard
> >>Cc: public-ws-policy@w3.org
<mailto:public-ws-policy@w3.org>
> >>Subject: Re: Ordering of Assertions:
Comment on WS-Policy
> Primer LCWD
> >>
> >>I'll make it still shorter:
> >>
> >>I'm arguing that SOME policies need
ordering. The Policy Framework
> >>says so and the fact the there are ordering
assertions in WS
> >>SecurityPolicy confirms this.
> >>
> >>Are you arguing that NO policies need
ordering?
> >>
> >>Ashok
> >>
> >>David Orchard wrote:
> >>
> >>
> >>
> >>>I'll make my note even shorter.
> >>>
> >>>What situations are those?
> >>>
> >>>For the 2nd time, you have failed to
specify a single
> situation that
> >>>requires a change to WS-Policy. You've
described a problem that
> >>>already has a solution and quotes from
other people but
> >>>
> >>>
> >>those are not
> >>
> >>
> >>>answers to my question.
> >>>
> >>>In the absence of any real-world problem,
the obvious thing for
> >>>WS-Policy WG to do is to close with no
action.
> >>>
> >>>Cheers,
> >>>Dave
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>>-----Original Message-----
> >>>>From: ashok malhotra
[mailto:ashok.malhotra@oracle.com]
> >>>>Sent: Wednesday, October 10, 2007 1:59 PM
> >>>>To: David Orchard
> >>>>Cc: public-ws-policy@w3.org
<mailto:public-ws-policy@w3.org>
> >>>>Subject: Re: Ordering of Assertions:
Comment on WS-Policy
> >>>>
> >>>>
> >>Primer LCWD
> >>
> >>
> >>>>Hi Dave:
> >>>>I used the fact that WS-SecurityPolicy
discusses order to
> >>>>
> >>>>
> >>motivate the
> >>
> >>
> >>>>need for order in at least some policies.
> >>>>I also quoted from the note from Tony
Rogers.
> >>>>
> >>>>
> >>Subsequently, there was
> >>
> >>
> >>>>a note from Bob Natale who agrees that
order is important
> >>>>
> >>>>
> >>but does not
> >>
> >>
> >>>>like the solution I suggested.
> >>>>
> >>>>What needs to be made clear is that order
is not important in all
> >>>>policies, but there are situations where
it is important
> >>>>
> >>>>
> >>and for these
> >>
> >>
> >>>>situations we need a solution.
> >>>>
> >>>>Ashok
> >>>>
> >>>>David Orchard wrote:
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>>>-----Original Message-----
> >>>>>>From: public-ws-policy-request@w3.org
<mailto:public-ws-policy-request@w3.org>
>
>>>>>>[mailto:public-ws-policy-request@w3.org] On Behalf Of
> >>>>>>
> >>>>>>
> >>ashok malhotra
> >>
> >>
> >>>>>>Sent: Wednesday, October 10, 2007 9:56
AM
> >>>>>>To: public-ws-policy@w3.org
<mailto:public-ws-policy@w3.org>
> >>>>>>Subject: Ordering of Assertions:
Comment on WS-Policy
> Primer LCWD
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>><snip/>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>>In many cases the
> >>>>>>order in which assertions are processed
may not matter, but
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>where it
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>>>does matter do we need to specify a
special assertion for
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>every pair
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>>>of assertions that need to be ordered?
Clearly, this is not
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>feasible
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>>>as the Policy processing engine will
need to be undated
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>whenever a new
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>>>ordering assertion is added. So, what
we need is a
> >>>>>>
> >>>>>>
> >>general-purpose
> >>
> >>
> >>>>>>ordering assertion.
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>Your note jumps from assumption to
conclusion to design
> with great
> >>>>>speed, indeed from assumption to
conclusion within 3
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>sentences. Those
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>>3 fleety sentences do not answer my
previous emails central
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>question of
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>>"when does order matter?". In case my
question was
> >>>>>
> >>>>>
> >>missed, perhaps
> >>
> >>
> >>>>>because of burdensom length of my
previous message, I'll ask
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>again more
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>>succinctly:
> >>>>>
> >>>>>When does order matter?
> >>>>>
> >>>>>Until the use case is agreed by the WG,
design discussions
> >>>>>
> >>>>>
> >>are very
> >>
> >>
> >>>>>premature IMHO.
> >>>>>
> >>>>>Cheers,
> >>>>>Dave
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>--
> >>>>All the best, Ashok
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>
> >>>
> >>>
> >>>
> >>--
> >>All the best, Ashok
> >>
> >>
> >>
>
>
> --
> All the best, Ashok
>
----------------------------
IONA Technologies PLC (registered in Ireland)
Registered Number: 171387
Registered Address: The IONA Building,
Shelbourne Road, Dublin 4, Ireland
----------------------------
IONA Technologies PLC (registered in Ireland)
Registered Number: 171387
Registered Address: The IONA Building, Shelbourne Road, Dublin
4, Ireland
Received on Monday, 15 October 2007 12:57:10 UTC