- From: Anish Karmarkar <Anish.Karmarkar@oracle.com>
- Date: Wed, 04 Apr 2007 16:13:44 -0700
- To: Bob Freund <bob@freunds.com>
- CC: Richard Salz <rsalz@us.ibm.com>, WS-Addressing <public-ws-addressing@w3.org>

Bob,

I was thinking along the lines of a 'Security Consideration' section that most specs have, where readers are warned about various pitfalls without necessarily going into the details of the pitfalls or the solutions (except for appropriate references). Do you think that is something outside the scope?

BTW I would like to point out that WS-Addr core spec already says this about the [metadata] property:

"The metadata embedded in an EPR is not necessarily a complete statement of the metadata pertaining to the endpoint. Moreover, while embedded metadata is necessarily valid at the time the EPR is initially created it may become stale at a later point in time. To deal with conflicts between the embedded metadata of two EPRs that have the same [address], or between embedded metadata and metadata obtained from a different source, or to ascertain the current validity of embedded metadata, mechanisms that are outside of the scope of this specification, such as EPR life cycle information (see 2.4 Endpoint Reference Lifecycle) or retrieval of metadata from an authoritative source, SHOULD be used."

There is also a 'Security Consideration' section in ws-addr core that does talk about various pitfalls. At the very least the Policy/EPR attachment spec can point to that.

-Anish
--

Bob Freund wrote:
> Maybe they are, but the WS-Addressing WG is not the place IMO for that
> to be developed since, beyond other things, I think it exceeds our scope
> and our level of understanding or influence to describe potentially
> conflicting policies.
> I note also that this issue was raised in the WS-Policy WG and closed
> with no action.
> Thanks
> -bob
>
>> -----Original Message-----
>> From: public-ws-addressing-request@w3.org
>> [mailto:public-ws-addressing-request@w3.org] On Behalf Of Anish Karmarkar
>> Sent: Wednesday, April 04, 2007 3:18 PM
>> To: Richard Salz
>> Cc: WS-Addressing
>> Subject: Re: Need for new Rec or TR on attaching policy to EPR
>>
>>
>> I certainly agree with that: dangers and concerns exist and should be
>> documented.
>>
>> -Anish
>> --
>>
>> Richard Salz wrote:
>>> Anish,
>>>
>>> I'm not saying that they're all not useful and valid things to do
>>> (although I admit I can't see why putting a WSDL in an EPR is useful), I
>>> am just pointing out that there are dangerous, and non-obvious, security
>>> concerns. Any document that gets written should at least explain them.
>>> /r$
>>> --
>>> STSM
>>> Senior Security Architect
>>> DataPower SOA Appliances
>>>

Received on Wednesday, 4 April 2007 23:18:36 UTC