- From: Bob Freund <bob@freunds.com>
- Date: Wed, 04 Apr 2007 20:28:04 -0400
- To: "Anish Karmarkar" <Anish.Karmarkar@oracle.com>
- Cc: "Richard Salz" <rsalz@us.ibm.com>, "WS-Addressing" <public-ws-addressing@w3.org>
Security considerations are not a bad thing and I would support that, however I think that a discussion of the use of the metadata property with respect to WS-policy and how it fits with respect to any other policy expression would worry me very much.
-bob

> -----Original Message-----
> From: Anish Karmarkar [mailto:Anish.Karmarkar@oracle.com]
> Sent: Wednesday, April 04, 2007 7:14 PM
> To: Bob Freund
> Cc: Richard Salz; WS-Addressing
> Subject: Re: Need for new Rec or TR on attaching policy to EPR
>
> Bob,
>
> I was thinking along the lines of a 'Security Consideration' section
> that most specs have, where readers are warned about various pitfalls
> without necessarily going into the details of the pitfalls or the
> solutions (except for appropriate references).
>
> Do you think that is something outside the scope?
>
> BTW I would like to point out that WS-Addr core spec already says this
> about the [metadata] property:
>
> "The metadata embedded in an EPR is not necessarily a complete statement
> of the metadata pertaining to the endpoint. Moreover, while embedded
> metadata is necessarily valid at the time the EPR is initially created
> it may become stale at a later point in time.
>
> To deal with conflicts between the embedded metadata of two EPRs that
> have the same [address], or between embedded metadata and metadata
> obtained from a different source, or to ascertain the current validity
> of embedded metadata, mechanisms that are outside of the scope of this
> specification, such as EPR life cycle information (see 2.4 Endpoint
> Reference Lifecycle) or retrieval of metadata from an authoritative
> source, SHOULD be used."
>
> There is also a 'Security Consideration' section in ws-addr core that
> does talk about various pitfalls. At the very least the Policy/EPR
> attachment spec can point to that.
>
> -Anish
> --
>
> Bob Freund wrote:
> > Maybe they are, but the WS-Addressing WG is not the place IMO for that
> > to be developed since, beyond other things, I think it exceeds our scope
> > and our level of understanding or influence to describe potentially
> > conflicting policies.
> > I note also that this issue was raised in the WS-Policy WG and closed
> > with no action.
> > Thanks
> > -bob
> >
> >> -----Original Message-----
> >> From: public-ws-addressing-request@w3.org [mailto:public-ws-addressing-request@w3.org] On Behalf Of Anish Karmarkar
> >> Sent: Wednesday, April 04, 2007 3:18 PM
> >> To: Richard Salz
> >> Cc: WS-Addressing
> >> Subject: Re: Need for new Rec or TR on attaching policy to EPR
> >>
> >>
> >> I certainly agree with that: dangers and concerns exist and should be
> >> documented.
> >>
> >> -Anish
> >> --
> >>
> >> Richard Salz wrote:
> >>> Anish,
> >>>
> >>> I'm not saying that they're all not useful and valid things to do
> >>> (although I admit I can't see why putting a WSDL in an EPR is useful), I
> >>> am just pointing out that there are dangerous, and non-obvious, security
> >>> concerns. Any document that gets written should at least explain them.
> >>> /r$
> >>> --
> >>> STSM
> >>> Senior Security Architect
> >>> DataPower SOA Appliances
> >>>
Received on Thursday, 5 April 2007 00:27:06 UTC