
Re: Ordering of Assertions: Comment on WS-Policy Primer LCWD

From: Sergey Beryozkin <sergey.beryozkin@iona.com>
Date: Mon, 15 Oct 2007 16:11:33 +0100
Message-ID: <014601c80f3d$abeb5ed0$e002050a@pcgroupiona.com>
To: <ashok.malhotra@oracle.com>, "Asir Vedamuthu" <asirveda@microsoft.com>
Cc: "David Orchard" <dorchard@bea.com>, <public-ws-policy@w3.org>

Hi Ashok

Do you agree with this statement:

>>(a) Order of assertions in a policy alternative and order in which behaviors are applied are TWO distinct concepts 

I believe the SOAP example was given to demonstrate this idea...

Cheers, Sergey


> 
> Asir:
> It is reductive to think of WS-Policy only in terms of its applicability 
> to SOAP messages and headers.  It applies equally well to other message 
> formats and, more importantly, can be used to control and configure many 
> other aspects of web services.
> 
> Ashok
> 
> Asir Vedamuthu wrote:
> 
>>Thank you Dave for asking the right question and keeping the discussion focused!
>>
>>
>>Replaying Dave's key question - when does the order of assertions in a policy alternative matter? Reading through the mail archive (~19 mails), it appears that no one has answered your question with "real" assertions.
>>
>>I want to be super clear on facts ...
>>
>>(a) Order of assertions in a policy alternative and order in which behaviors are applied are TWO distinct concepts (let's not conflate them).
>>
>>The former is governed by the WS-Policy Framework [1] - says unordered.
>>
>>The latter (order in which behaviors such as addressing, security, reliability and transaction is applied) is governed by SOAP and SOAP-based protocols [2]. The order of headers and body processing is at the DISCRETION of the SOAP node and SOAP headers may be used to control the order of processing.
>>
>>(b) Order of assertions in a policy alternative has NO bearing on the order in which behaviors are applied [1].
>>
>>(c) The WS-SecurityPolicy spec does NOT rely on the order of assertions in a policy alternative [3].
>>
>>(d) The WS-Security spec provides producers with an option to use [encrypt, sign] or [sign, encrypt] [4]. The WS-SecurityPolicy spec provides assertions [5] to indicate the order of these cryptographic operations (runtime behavior) on a message.
>>
>>Let's look at examples with "real" assertions. The order of assertions in the following policies P1-P4 (and their nested policies) are different but the policies are effectively the SAME.
>>
>>P1)
>><Policy>
>>  <sp:AsymmetricBinding>
>>    <Policy>
>>     ...
>>     <sp:IncludeTimestamp />
>>     <sp:EncryptBeforeSigning />
>>     <sp:EncryptSignature />
>>     <sp:ProtectTokens />
>>   </Policy>
>>  </sp:AsymmetricBinding>
>>  <wsam:Addressing>...</wsam:Addressing>
>>  ...
>></Policy>
>>
>>P2)
>><Policy>
>>  <wsam:Addressing>...</wsam:Addressing>
>>  <sp:AsymmetricBinding>
>>    <Policy>
>>     ...
>>     <sp:IncludeTimestamp />
>>     <sp:EncryptBeforeSigning />
>>     <sp:EncryptSignature />
>>     <sp:ProtectTokens />
>>   </Policy>
>>  </sp:AsymmetricBinding>
>>  ...
>></Policy>
>>
>>P3)
>><Policy>
>>  <wsam:Addressing>...</wsam:Addressing>
>>  <sp:AsymmetricBinding>
>>    <Policy>
>>     ...
>>     <sp:IncludeTimestamp />
>>     <sp:EncryptSignature />
>>     <sp:ProtectTokens />
>>     <sp:EncryptBeforeSigning />
>>   </Policy>
>>  </sp:AsymmetricBinding>
>>  ...
>></Policy>
>>
>>P4)
>><Policy>
>>  <wsam:Addressing>...</wsam:Addressing>
>>  <sp:AsymmetricBinding>
>>    <Policy>
>>     ...
>>     <sp:EncryptBeforeSigning />
>>     <sp:IncludeTimestamp />
>>     <sp:EncryptSignature />
>>     <sp:ProtectTokens />
>>   </Policy>
>>  </sp:AsymmetricBinding>
>>  ...
>></Policy>
>>
>>[1] http://www.w3.org/TR/2007/REC-ws-policy-20070904/#rPolicy_Alternative
>>[2] http://www.w3.org/TR/2003/REC-soap12-part1-20030624/#procsoapmsgs
>>[3] http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826510
>>[4] WS-Security 1.1 - see section 8, lines 1173-1183 - "Finally, if a producer wishes to sign a message before encryption, then following the ordering rules laid out in section 5, "Security Header", they SHOULD first prepend the signature element to the <wsse:Security> header, and then prepend the encryption element, ... Likewise, if a producer wishes to sign a message after encryption, they SHOULD first prepend the encryption element to the <wsse:Security> header, and then prepend the signature element."
>>- http://www.oasis-open.org/committees/download.php/16790/wss-v1.1-spec-os-SOAPMessageSecurity.pdf
>>[5] http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826549
>>
>>Regards,
>>
>>Asir S Vedamuthu
>>Microsoft Corporation
>>
>>
>>-----Original Message-----
>>From: public-ws-policy-request@w3.org [mailto:public-ws-policy-request@w3.org] On Behalf Of David Orchard
>>Sent: Thursday, October 11, 2007 1:59 PM
>>To: ashok.malhotra@oracle.com
>>Cc: public-ws-policy@w3.org
>>Subject: RE: Ordering of Assertions: Comment on WS-Policy Primer LCWD
>>
>>
>>I asked my question first, and it's up to you to prove that work needs
>>to be done, not the other way around.  That said, you don't seem to have
>>any intention of answering my question as you've decided to respond to
>>my question with a question.  I learned from "Rosencrantz and
>>Guildenstern are dead" not to play the question game.
>>
>>Cheers,
>>Dave
>>
>>  
>>
>>>-----Original Message-----
>>>From: ashok malhotra [mailto:ashok.malhotra@oracle.com]
>>>Sent: Thursday, October 11, 2007 1:33 PM
>>>To: David Orchard
>>>Cc: public-ws-policy@w3.org
>>>Subject: Re: Ordering of Assertions: Comment on WS-Policy Primer LCWD
>>>
>>>David:
>>>Please answer the question.  Is it your position that there
>>>are no Policies where the order in which the assertions
>>>within a Policy Alternative are applied is important?
>>>
>>>Ashok
>>>
>>>David Orchard wrote:
>>>
>>>>I think the onus is on you to prove something, rather than me to prove
>>>>nothing, especially if you want the WG to do something.
>>>>
>>>>I know you are arguing that some policies need ordering.  I'm arguing
>>>>you need to show some policies that need ordering.
>>>>
>>>>Cheers,
>>>>Dave
>>>>
>>>>>-----Original Message-----
>>>>>From: ashok malhotra [mailto:ashok.malhotra@oracle.com]
>>>>>Sent: Thursday, October 11, 2007 3:28 AM
>>>>>To: David Orchard
>>>>>Cc: public-ws-policy@w3.org
>>>>>Subject: Re: Ordering of Assertions: Comment on WS-Policy Primer LCWD
>>>>>
>>>>>I'll make it still shorter:
>>>>>
>>>>>I'm arguing that SOME policies need ordering.  The Policy Framework
>>>>>says so and the fact that there are ordering assertions in WS
>>>>>SecurityPolicy confirms this.
>>>>>
>>>>>Are you arguing that NO policies need ordering?
>>>>>
>>>>>Ashok
>>>>>
>>>>>David Orchard wrote:
>>>>>
>>>>>>I'll make my note even shorter.
>>>>>>
>>>>>>What situations are those?
>>>>>>
>>>>>>For the 2nd time, you have failed to specify a single situation that
>>>>>>requires a change to WS-Policy.  You've described a problem that
>>>>>>already has a solution and quotes from other people but those are not
>>>>>>answers to my question.
>>>>>>
>>>>>>In the absence of any real-world problem, the obvious thing for
>>>>>>WS-Policy WG to do is to close with no action.
>>>>>>
>>>>>>Cheers,
>>>>>>Dave
>>>>>>
>>>>>>>-----Original Message-----
>>>>>>>From: ashok malhotra [mailto:ashok.malhotra@oracle.com]
>>>>>>>Sent: Wednesday, October 10, 2007 1:59 PM
>>>>>>>To: David Orchard
>>>>>>>Cc: public-ws-policy@w3.org
>>>>>>>Subject: Re: Ordering of Assertions: Comment on WS-Policy Primer LCWD
>>>>>>>
>>>>>>>Hi Dave:
>>>>>>>I used the fact that WS-SecurityPolicy discusses order to motivate the
>>>>>>>need for order in at least some policies.
>>>>>>>I also quoted from the note from Tony Rogers.  Subsequently, there was
>>>>>>>a note from Bob Natale who agrees that order is important but does not
>>>>>>>like the solution I suggested.
>>>>>>>
>>>>>>>What needs to be made clear is that order is not important in all
>>>>>>>policies, but there are situations where it is important and for these
>>>>>>>situations we need a solution.
>>>>>>>
>>>>>>>Ashok
>>>>>>>
>>>>>>>David Orchard wrote:
>>>>>>>
>>>>>>>>>-----Original Message-----
>>>>>>>>>From: public-ws-policy-request@w3.org
>>>>>>>>>[mailto:public-ws-policy-request@w3.org] On Behalf Of ashok malhotra
>>>>>>>>>Sent: Wednesday, October 10, 2007 9:56 AM
>>>>>>>>>To: public-ws-policy@w3.org
>>>>>>>>>Subject: Ordering of Assertions: Comment on WS-Policy Primer LCWD
>>>>>>>>>
>>>>>>>><snip/>
>>>>>>>>
>>>>>>>>>In many cases the
>>>>>>>>>order in which assertions are processed may not matter, but where it
>>>>>>>>>does matter do we need to specify a special assertion for every pair
>>>>>>>>>of assertions that need to be ordered? Clearly, this is not feasible
>>>>>>>>>as the Policy processing engine will need to be updated whenever a new
>>>>>>>>>ordering assertion is added. So, what we need is a general-purpose
>>>>>>>>>ordering assertion.
>>>>>>>>>
>>>>>>>>Your note jumps from assumption to conclusion to design with great
>>>>>>>>speed, indeed from assumption to conclusion within 3 sentences.  Those
>>>>>>>>3 fleety sentences do not answer my previous email's central question of
>>>>>>>>"when does order matter?".  In case my question was missed, perhaps
>>>>>>>>because of burdensome length of my previous message, I'll ask again more
>>>>>>>>succinctly:
>>>>>>>>
>>>>>>>>When does order matter?
>>>>>>>>
>>>>>>>>Until the use case is agreed by the WG, design discussions are very
>>>>>>>>premature IMHO.
>>>>>>>>
>>>>>>>>Cheers,
>>>>>>>>Dave
>>>>>>>>
>>>>>>>--
>>>>>>>All the best, Ashok
>>>>>>>
>>>>>--
>>>>>All the best, Ashok
>>>>>
>>>--
>>>All the best, Ashok
>>>
> 
> 
> -- 
> All the best, Ashok

----------------------------
IONA Technologies PLC (registered in Ireland)
Registered Number: 171387
Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland
Received on Monday, 15 October 2007 15:13:08 GMT
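
Added example, not part of the thread and not written by any of its participants: a Python check that P1-P4 from Asir's message compare equal once assertion order inside each policy is ignored, while removing `sp:EncryptBeforeSigning` yields a different policy. The policies are constructed samples holding only the assertions shown in the mail (the elided "..." parts are left out and an empty nested Policy stands in for the Addressing content); the function names are this example's own.

```python
import xml.etree.ElementTree as ET
from collections import Counter

WSP = "http://www.w3.org/ns/ws-policy"
NS = (f'xmlns="{WSP}" '
      'xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" '
      'xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"')
# Operators whose children are an unordered collection of assertions.
UNORDERED = {f"{{{WSP}}}Policy", f"{{{WSP}}}All"}

def canonical(elem):
    """Hashable form of a policy tree with assertion order dropped."""
    kids = [canonical(child) for child in elem]
    if elem.tag in UNORDERED:
        # Multiset: order ignored, repeated assertions still counted.
        kids = frozenset(Counter(kids).items())
    else:
        kids = tuple(kids)  # assertion parameters keep document order
    attrs = tuple(sorted(elem.attrib.items()))
    return (elem.tag, attrs, (elem.text or "").strip(), kids)

def equivalent(a, b):
    return canonical(a) == canonical(b)

def build(binding_order, addressing_first):
    """Constructed sample policy in the shape of P1-P4 from the mail."""
    inner = "".join(f"<sp:{name}/>" for name in binding_order)
    binding = ("<sp:AsymmetricBinding><Policy>" + inner +
               "</Policy></sp:AsymmetricBinding>")
    addressing = "<wsam:Addressing><Policy/></wsam:Addressing>"
    parts = [addressing, binding] if addressing_first else [binding, addressing]
    return ET.fromstring(f"<Policy {NS}>{''.join(parts)}</Policy>")

P1 = build(["IncludeTimestamp", "EncryptBeforeSigning",
            "EncryptSignature", "ProtectTokens"], addressing_first=False)
P2 = build(["IncludeTimestamp", "EncryptBeforeSigning",
            "EncryptSignature", "ProtectTokens"], addressing_first=True)
P3 = build(["IncludeTimestamp", "EncryptSignature",
            "ProtectTokens", "EncryptBeforeSigning"], addressing_first=True)
P4 = build(["EncryptBeforeSigning", "IncludeTimestamp",
            "EncryptSignature", "ProtectTokens"], addressing_first=True)
# Same shape, but without the assertion that selects the protection order.
CHANGED = build(["IncludeTimestamp", "EncryptSignature", "ProtectTokens"],
                addressing_first=True)

if __name__ == "__main__":
    for name, pol in [("P2", P2), ("P3", P3), ("P4", P4), ("CHANGED", CHANGED)]:
        print(f"P1 equivalent to {name}: {equivalent(P1, pol)}")
```

A byte-wise or document-order diff of these policies would report P1-P4 as different, so policy comparison in review or audit tooling needs this kind of order-insensitive form.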
