
RE: [wss] Issue on WS-Security and WSDL definitions

From: David Orchard <dorchard@bea.com>
Date: Sun, 17 Nov 2002 19:43:58 -0800
To: "'Rich Salz'" <rsalz@datapower.com>
Cc: <wss@lists.oasis-open.org>, <www-ws-arch@w3.org>
Message-ID: <027601c28eb4$bb1f66d0$2b0ba8c0@beasys.com>

Hi Rich,

Apologies for my delay, it's been a crazy few weeks of meetings.

I think the issue around WSDL is that it is possible to have many different
ways of expressing the requirements on the header.  And it would be good to
have a clean and interoperable way of expressing these.  WSDL 1.1 and 1.2
provide frameworks for extension to specify required headers.  Clearly wsdl
WG won't define specific extensions for various header blocks, so this
discussion is orthogonal to wsdl wg's work.

Currently, the ws-security header element is fairly generic.  It's really
the contents of the header that a service will be interested in specifying.
For example, a service could say that message integrity is required.  I'll
avoid, for the purposes of this discussion, the extent of the potential
properties that might also be required, such as CA, particular type of c14n,
etc.  So how does an application specify that message integrity is required?
Simply saying the header is required probably does very little for interop.

And now for my $.02 worth of some similar context.

SAML went through a similar issue, which was how does one query for a
particular type of assertion data.  There was movement away from generic
assertion to strongly typed assertions specifically because of the
difficulty in writing interoperable constructs (queries) that specify the
response data, including types.  WS-Security without WSDL is akin to SAML
Assertions without SAML queries.  There would be no way of having SAML
interop without SAML Queries - simply saying that SAML should define
assertions wasn't nearly sufficient.  I know the analogy isn't perfect, but
it shows a similar relationship.  I personally foresee similar kinds of
difficulties in defining requirements on ws-security content for a service.
The ability to clearly specify the data requirements for ws-security header
element in a WSDL document is crucial for real interop, and particularly
interop without some kind of private agreement.  And it seems that defining
the WSDL extensions for ws-security is better done in the oasis ws-security
tc, rather than somewhere else like ws-i.

Cheers,
Dave

> -----Original Message-----
> From: Rich Salz [mailto:rsalz@datapower.com]
> Sent: Monday, November 11, 2002 7:01 PM
> To: David Orchard
> Cc: wss@lists.oasis-open.org; www-ws-arch@w3.org
> Subject: Re: [wss] Issue on WS-Security and WSDL definitions
>
>
> Dave,
>
> I'm not current on WSDL 1.2, but can you explain a bit how WSDL fits
> in here?  It seems to me that a stand-alone specification should just
> define the semantics of its elements.  If an application wants those
> semantics, then the application WSDL should specify the header as
> being required.
>
> What am I missing?
> 	/r$
>
>
Received on Sunday, 17 November 2002 22:44:45 GMT
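
The gap discussed in this thread, shown as an added example that is not part of either message: three constructed SOAP messages all satisfy a "Security header is required" rule, but only one carries a signature reference over the Body. The requirement names (`header_required`, `integrity_required`) are hypothetical, and the wsse/wsu namespaces are assumed from the later OASIS WS-Security 1.0 standard, which postdates this thread.

```python
import xml.etree.ElementTree as ET

# Namespace URIs: SOAP 1.1, XML-DSig, and (assumption) OASIS WS-Security 1.0.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
REF_PATH = "soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference"

def envelope(security_children):
    """Build a constructed sample message (a skeleton, not a capture)."""
    decl = " ".join('xmlns:%s="%s"' % kv for kv in NS.items())
    return ('<soap:Envelope %s><soap:Header><wsse:Security>%s</wsse:Security>'
            '</soap:Header><soap:Body wsu:Id="body"><op/></soap:Body>'
            '</soap:Envelope>' % (decl, security_children))

# Constructed inputs: token only, signature over the Body, signature over something else.
TOKEN_ONLY = envelope('<wsse:UsernameToken><wsse:Username>alice'
                      '</wsse:Username></wsse:UsernameToken>')
SIGNED_BODY = envelope('<ds:Signature><ds:SignedInfo><ds:Reference URI="#body"/>'
                       '</ds:SignedInfo></ds:Signature>')
SIGNED_OTHER = envelope('<ds:Signature><ds:SignedInfo><ds:Reference URI="#ts"/>'
                        '</ds:SignedInfo></ds:Signature>')

def header_present(xml_text):
    """The weak rule: a wsse:Security header block exists at all."""
    # For untrusted input, parse with a hardened parser such as defusedxml.
    root = ET.fromstring(xml_text)
    return root.find("soap:Header/wsse:Security", NS) is not None

def body_integrity_declared(xml_text):
    """The stronger rule: some ds:Reference points at the Body's wsu:Id.

    Structural check only; it does not verify the signature value.
    """
    root = ET.fromstring(xml_text)
    body = root.find("soap:Body", NS)
    body_id = body.get(WSU_ID) if body is not None else None
    if not body_id:
        return False
    return any(r.get("URI") == "#" + body_id for r in root.findall(REF_PATH, NS))

def evaluate(xml_text):
    """Report both (hypothetically named) requirements for one message."""
    return {"header_required": header_present(xml_text),
            "integrity_required": body_integrity_declared(xml_text)}

if __name__ == "__main__":
    for name in ("TOKEN_ONLY", "SIGNED_BODY", "SIGNED_OTHER"):
        print(name, evaluate(globals()[name]))
```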
