- From: Prasad Yendluri via cvs-syncmail <cvsmail@w3.org>
- Date: Mon, 22 Jan 2007 18:21:17 +0000
- To: public-ws-policy-eds@w3.org
Update of /sources/public/2006/ws/policy In directory hutz:/tmp/cvs-serv17081 Modified Files: ws-policy-primer.html ws-policy-framework.html Log Message: Versions reflecting implementation for resolution for issue 4141 Index: ws-policy-primer.html =================================================================== RCS file: /sources/public/2006/ws/policy/ws-policy-primer.html,v retrieving revision 1.33 retrieving revision 1.34 diff -u -d -r1.33 -r1.34 --- ws-policy-primer.html 19 Jan 2007 00:09:05 -0000 1.33 +++ ws-policy-primer.html 22 Jan 2007 18:21:14 -0000 1.34 @@ -615,7 +615,8 @@ policy.</p><p>The assertion parameters are the opaque payload of an assertion. Parameters carry additional useful pieces of information necessary for engaging the behavior described by an assertion. In the XML representation, the child elements and attributes of an assertion - are the assertion parameters.</p><p>We considered nested policy expressions in the context of a security usage scenario. Let + excluding the child elements and attributes from the WS-Policy language XML namespace name, + are the assertion parameters. For example @wsp:Optional and @wsp:Ignorable are not assertion parameters.</p><p>We considered nested policy expressions in the context of a security usage scenario. Let us look at its shape in the policy data model. In the normal form, a nested policy is a policy that has at most one policy alternative and is owned by its parent policy assertion. The policy alternative in a nested policy represents a collection of dependent 
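Review bot: the second `+` line of this hunk reads awkwardly because the exclusion clause is wedged between subject and verb ("the child elements and attributes of an assertion excluding the child elements and attributes from the WS-Policy language XML namespace name, are the assertion parameters"); suggest "the child elements and attributes of an assertion, excluding those from the WS-Policy language XML namespace, are the assertion parameters". The example "@wsp:Optional and @wsp:Ignorable are not assertion parameters" is useful; since the same paragraph goes on to nested policy, consider adding that a nested wsp:Policy child is excluded for the same reason, so a reader does not treat nested policy as opaque parameter payload.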
@@ -1263,4 +1264,6 @@ <a href="http://www.w3.org/Bugs/Public/show_bug.cgi?id=4041">issue 4041</a> <a href="http://www.w3.org/2007/01/18-ws-policy-irc#T22-09-36">resolution</a> corresponding to Editors' action <a href="http://www.w3.org/2005/06/tracker/wspolicyeds/actions/143">143</a>. - </td></tr></tbody></table><br></div></div></body></html> \ No newline at end of file + </td></tr><tr><td rowspan="1" colspan="1">20070122</td><td rowspan="1" colspan="1">PY</td><td rowspan="1" colspan="1">Completed action item: + <a href="http://www.w3.org/2005/06/tracker/wspolicyeds/actions/118">118</a> + Resolution for issue <a href="http://www.w3.org/Bugs/Public/show_bug.cgi?id=4141">4141</a></td></tr></tbody></table><br></div></div></body></html> \ No newline at end of file Index: ws-policy-framework.html =================================================================== RCS file: /sources/public/2006/ws/policy/ws-policy-framework.html,v retrieving revision 1.80 retrieving revision 1.81 diff -u -d -r1.80 -r1.81 --- ws-policy-framework.html 16 Jan 2007 22:09:00 -0000 1.80 +++ ws-policy-framework.html 22 Jan 2007 18:21:14 -0000 1.81 
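Review bot: the added change-log row lacks the resolution link that the preceding row provides for issue 4041; for consistency, add the corresponding resolution link beside the issue 4141 reference in the new `+` lines.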
@@ -67,16 +67,16 @@ <h2><a name="tocRange"></a>1. Introduction</h2><p>Web Services Policy 1.5 - Framework defines a framework and a model for expressing policies that refer to domain-specific capabilities, requirements, and general characteristics of entities in a Web services-based system. - </p><p>A <a title="policy" href="#policy">policy</a> is a collection of policy alternatives, - where a <a title="policy alternative" href="#policy_alternative">policy alternative </a> is a collection of policy assertions. + </p><p>A <a title="policy" href="#policy">policy</a> is a collection of policy alternatives. A + <a title="policy alternative" href="#policy_alternative">policy alternative </a> is a collection of policy assertions. A <a title="policy assertion" href="#policy_assertion">policy assertion</a> represents an individual requirement, capability, or other property of a behavior. - A <a title="policy expression" href="#policy_expression">policy expression</a> is an XML Infoset representation of a policy, - either in a normal form or in an equivalent compact form. Some policy assertions + A <a title="policy expression" href="#policy_expression">policy expression</a> is an XML Infoset representation of its policy, + either in a normal form or in its equivalent compact form. Some policy assertions specify traditional requirements and capabilities that - will ultimately manifest on the wire (e.g., authentication + will manifest themselves in the messages exchanged(e.g., authentication scheme, transport protocol selection). Other policy - assertions have no wire manifestation yet are critical to - proper service selection and usage (e.g., privacy policy, + assertions have no wire manifestation in the messages exchanged, yet are relevant to + service selection and usage (e.g., privacy policy, QoS characteristics). 
Web Services Policy 1.5 - Framework provides a single policy language to allow both kinds of assertions to be expressed and evaluated in a consistent manner.</p><p>Web Services Policy 1.5 - Framework does not specify policy discovery or @@ -96,7 +96,7 @@ (01) <wsp:Policy xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" - xmlns:wsp="http://www.w3.org/@@@@/@@/ws-policy" > + xmlns:wsp="http://www.w3.org/ns/ws-policy" > (02) <wsp:ExactlyOne> (03) <wsp:All> (04) <sp:SignedParts/> @@ -121,7 +121,7 @@ to indicate cardinality:</p><ul><li><p>"?" (0 or 1)</p></li><li><p>"*" (0 or more)</p></li><li><p>"+" (1 or more)</p></li></ul></li><li><p>The character "|" is used to indicate a choice between alternatives.</p></li><li><p>The characters "(" and ")" are used to indicate that contained items are to be treated as a group with - respect to cardinality or choice.</p></li><li><p>This document relies on the XML Information Set [<cite><a href="#XMLInfoset">XML Information Set</a></cite>]. Information items properties are + respect to cardinality or choice.</p></li><li><p>This document relies on the XML Information Set [<cite><a href="#XMLInfoset">XML Information Set</a></cite>]. Information item properties are indicated by the style <strong>[infoset property]</strong>.</p></li><li><p>XML namespace prefixes (see <a href="#nsprefix">Table 2-1</a>) are used to indicate the namespace of the element or attribute being defined.</p></li><li><p>The ellipses characters "…" are used to 
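Review bot: in the @@ -67 hunk, the `+` line "will manifest themselves in the messages exchanged(e.g., authentication" is missing the space before "(e.g.,". The same hunk also replaces "critical to proper service selection and usage" with "relevant to service selection and usage", which softens the point that assertions with no wire manifestation (privacy policy, QoS) still govern selection; if that weakening is part of the resolution it should be noted in the log message, otherwise keep "proper".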
@@ -147,9 +147,9 @@ <span class="rfc2119">MUST</span> be treated as an assertion.</p></div><div class="div2"> <h3><a name="XML_Namespaces"></a>2.3 XML Namespaces</h3><p> This specification uses a number of namespace prefixes throughout; they are listed in <a href="#nsprefix">Table 2-1</a>. Note that the choice of any namespace - prefix is arbitrary and not semantically significant (see [<cite><a href="#XML-NS">XML Namespaces</a></cite>]).</p><a name="nsprefix"></a><table summary="Namespace prefixes usage in this specification" border="1" cellspacing="0" cellpadding="5"><caption>Table 2-1. Prefixes and Namespaces used in this specification</caption><thead><tr><th rowspan="1" colspan="1">Prefix</th><th rowspan="1" colspan="1">Namespace</th><th rowspan="1" colspan="1">Specification</th></tr></thead><tbody><tr><td rowspan="1" colspan="1"><code>sp</code></td><td rowspan="1" colspan="1"><code>http://schemas.xmlsoap.org/ws/2005/07/securitypolicy</code></td><td rowspan="1" colspan="1">[<cite><a href="#WS-SecurityPolicy">WS-SecurityPolicy</a></cite>]</td></tr><tr><td rowspan="1" colspan="1"><code>wsp</code></td><td rowspan="1" colspan="1"><code>http://www.w3.org/@@@@/@@/ws-policy</code></td><td rowspan="1" colspan="1">This specification</td></tr><tr><td rowspan="1" colspan="1"><code>wsu</code></td><td rowspan="1" colspa="1"><code>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd</code></td><td rowspan="1" colspan="1">[<cite><a href="#WS-Security">WS-Security 2004</a></cite>]</td></tr><tr><td rowspan="1" colspan="1"><code>xs</code></td><td rowspan="1" colspan="1"><code>http://www.w3.org/2001/XMLSchema</code></td><td rowspan="1" colspan="1">[<cite><a href="#XMLSchemaPart1">XML Schema Structures</a></cite>]</td></tr></tbody></table><br><p>All information items defined by this specification - are identified by the XML namespace URI [<cite><a href="#XML-NS">XML Namespaces</a></cite>] <code>http://www.w3.org/@@@@/@@/ws-policy</code>. 
A <a href="http://www.w3.org/@@@@/@@/ws-policy">normative XML Schema</a> [<cite><a href="#XMLSchemaPart1">XML Schema Structures</a></cite>, <cite><a href="#XMLSchemaPart2">XML Schema Datatypes</a></cite>] document can be obtained by - dereferencing the XML namespace URI.</p><p>It is the intent of the W3C Web Services Policy Working Group that + prefix is arbitrary and not semantically significant (see [<cite><a href="#XML-NS">XML Namespaces</a></cite>]).</p><a name="nsprefix"></a><table summary="Namespace prefixes usage in this specification" border="1" cellspacing="0" cellpadding="5"><caption>Table 2-1. Prefixes and Namespaces used in this specification</caption><thead><tr><th rowspan="1" colspan="1">Prefix</th><th rowspan="1" colspan="1">Namespace</th><th rowspan="1" colspan="1">Specification</th></tr></thead><tbody><tr><td rowspan="1" colspan="1"><code>sp</code></td><td rowspan="1" colspan="1"><code>http://schemas.xmlsoap.org/ws/2005/07/securitypolicy</code></td><td rowspan="1" colspan="1">[<cite><a href="#WS-SecurityPolicy">WS-SecurityPolicy</a></cite>]</td></tr><tr><td rowspan="1" colspan="1"><code>wsp</code></td><td rowspan="1" colspan="1"><code>http://www.w3.org/ns/ws-policy</code></td><td rowspan="1" colspan="1">This specification</td></tr><tr><td rowspan="1" colspan="1"><code>wsu</code></td><td rowspan="1" colspan="1"<code>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd</code></td><td rowspan="1" colspan="1">[<cite><a href="#WS-Security">WS-Security 2004</a></cite>]</td></tr><tr><td rowspan="1" colspan="1"><code>xs</code></td><td rowspan="1" colspan="1"><code>http://www.w3.org/2001/XMLSchema</code></td><td rowspan="1" colspan="1">[<cite><a href="#XMLSchemaPart1">XML Schema Structures</a></cite>]</td></tr></tbody></table><br><p>All information items defined by this specification + are identified by the XML namespace URI [<cite><a href="#XML-NS">XML Namespaces</a></cite>] <code>http://www.w3.org/ns/ws-policy</code>. 
A <a href="http://www.w3.org/ns/ws-policy">normative XML Schema</a> [<cite><a href="#XMLSchemaPart1">XML Schema Structures</a></cite>, <cite><a href="#XMLSchemaPart2">XML Schema Datatypes</a></cite>] document can be obtained by + dereferencing the namespace document at the WS-Policy 1.5 namespace URI.</p><p>It is the intent of the W3C Web Services Policy Working Group that the Web Services Policy 1.5 - Framework and Web Services Policy 1.5 - Attachment XML namespace URI will not change arbitrarily with each subsequent revision of the corresponding XML Schema documents but rather change only when a subsequent revision, @@ -254,8 +254,9 @@ assertion. For example, security policy authors may define an assertion describing a set of security algorithms to qualify the specific behavior of a security - binding assertion. </p><p>The XML Infoset of a <a title="policy assertion" href="#policy_assertion">policy assertion</a> <span class="rfc2119">MAY</span> contain a non-empty <strong>[attributes]</strong> property and/or a non-empty <strong>[children]</strong> - property. Such properties are <a title="policy assertion parameter" href="#policy_assertion_parameter">policy assertion parameters</a> + binding assertion. </p><p>The XML Infoset of a <a title="policy assertion" href="#policy_assertion">policy assertion</a> <span class="rfc2119">MAY</span> contain a non-empty <strong>[attributes]</strong> property and/or a non-empty <strong>[children]</strong> property. + Such properties, excluding the Attribute and Element Information Items from the WS-Policy language + XML namespace name are <a title="policy assertion parameter" href="#policy_assertion_parameter">policy assertion parameters</a> and <span class="rfc2119">MAY</span> be used to parameterize the behavior indicated by the assertion. [<a name="policy_assertion_parameter" title="policy assertion parameter">Definition</a>: A <b>policy assertion parameter</b> 
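Review bot: the `+` line of the @@ -147 hunk that replaces the `colspa="1"` typo in the wsu row of Table 2-1 now reads `colspan="1"<code>` with the closing `>` of the `<td>` tag dropped, so the cell is still malformed HTML; it should be `colspan="1"><code>`.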
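Review bot: in the @@ -254 hunk, the `+` line "Such properties, excluding the Attribute and Element Information Items from the WS-Policy language XML namespace name are policy assertion parameters" needs a comma after "namespace name" to close the parenthetical. Also check that the "[Definition: A policy assertion parameter" that follows in the context line carries the same exclusion, so that the definition and this sentence agree on whether attributes such as wsp:Optional count as parameters.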
@@ -354,12 +355,7 @@ either in a normal form or in an equivalent compact form.] </p><p> The normal form of a policy expression is the most straightforward Infoset representation; equivalent, alternative Infosets allow compactly - expressing a policy through a number of constructs.</p><p>This specification does not define processing for arbitrary <code class="elt">wsp:Policy</code> - Element Information Items in any context other than as an Element Information Item - in the <strong>[children]</strong> property of an Element - Information Item that is in the <strong>[children]</strong> - property of an element Information Item defined in section 4.1 below. - </p><div class="div2"> + expressing a policy through a number of constructs.</p><div class="div2"> <h3><a name="Normal_Form_Policy_Expression"></a>4.1 Normal Form Policy Expression</h3><p>To facilitate interoperability, this specification defines a normal form for <a title="policy expression" href="#policy_expression">policy expressions</a> that is a straightforward XML Infoset representation of a @@ -386,7 +382,7 @@ contain at most one policy alternative (see <a href="#Policy_Assertion_Nesting"><b>4.3.2 Policy Assertion Nesting</b></a>).</p><p>To simplify processing and improve interoperability, the normal form of a policy expression <span class="rfc2119">SHOULD</span> be used where practical.</p><p>For example, the following is the normal form of a policy expression.</p><div class="exampleInner"><pre>(01) <wsp:Policy xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" - xmlns:wsp="http://www.w3.org/@@@@/@@/ws-policy" > + xmlns:wsp="http://www.w3.org/ns/ws-policy" > (02) <wsp:ExactlyOne> (03) <wsp:All> (04) <sp:SignedParts/> 
@@ -430,11 +426,11 @@ expression with the absolute IRI <code>"http://www.example.com/policies/P1"</code>:</p><div class="exampleInner"><pre>(01) <wsp:Policy Name="http://www.example.com/policies/P1" - xmlns:wsp="http://www.w3.org/@@@@/@@/ws-policy" > + xmlns:wsp="http://www.w3.org/ns/ws-policy" > (02) <!-- Details omitted for readability --> (03) </wsp:Policy></pre></div><p>The following example illustrates how to associate a policy expression with the IRI-reference <code>"#P1"</code>:</p><div class="exampleInner"><pre>(01) <wsp:Policy wsu:Id="P1" - xmlns:wsp="http://www.w3.org/@@@@/@@/ws-policy" + xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" > (02) <!-- Details omitted for readability --> (03) </wsp:Policy></pre></div></div><div class="div2"> 
@@ -448,14 +444,14 @@ expression by the following procedure:</p><ol><li><p>Start with the <strong>[document element]</strong> property D of the Document Information Item (as defined in the XML Information Set [<cite><a href="#XMLInfoset">XML Information Set</a></cite>]) of the policy expression. The <strong>[namespace -name]</strong> of D is always <code>"http://www.w3.org/@@@@/@@/ws-policy"</code>. In the base case, +name]</strong> of D is always <code>"http://www.w3.org/ns/ws-policy"</code>. In the base case, the <strong>[local name]</strong> property of D is <code>"Policy"</code>; in the recursive case, the <strong>[local name]</strong> property of D is <code>"Policy"</code>, <code>"ExactlyOne"</code>, or <code>"All"</code>.</p></li><li><p>Expand Element Information Items (as defined in the XML Information Set [<cite><a href="#XMLInfoset">XML Information Set</a></cite>]) in the <strong>[children]</strong> property of D that are policy references per Section <a href="#Policy_Inclusion"><b>4.3.5 Policy Inclusion</b></a>.</p></li><li><p>Convert each Element Information Item C in the <strong>[children]</strong> property of D into normal form.</p><ol><li><p>If the <strong>[namespace name]</strong> -property of C is <code>"http://www.w3.org/@@@@/@@/ws-policy"</code> and the <strong>[local +property of C is <code>"http://www.w3.org/ns/ws-policy"</code> and the <strong>[local name]</strong> property of C is <code>"Policy"</code>, <code>"ExactlyOne"</code>, or <code>"All"</code>, C is an expression of a policy operator; normalize C by recursively applying this 
@@ -482,11 +478,11 @@ attribute with a value of false, but policy parsers must accept this attribute with a value of false.</p></dd></dl><p>For example, the following compact policy expression:</p><div class="exampleInner"><pre>(01) <wsp:Policy xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" - xmlns:wsp="http://www.w3.org/@@@@/@@/ws-policy" > + xmlns:wsp="http://www.w3.org/ns/ws-policy" > (02) <sp:IncludeTimestamp wsp:Optional="true" /> (03) </wsp:Policy></pre></div><p>is equivalent to the following normal form policy expression:</p><div class="exampleInner"><pre>(01) <wsp:Policy xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" - xmlns:wsp="http://www.w3.org/@@@@/@@/ws-policy" > + xmlns:wsp="http://www.w3.org/ns/ws-policy" > (02) <wsp:ExactlyOne> (03) <wsp:All> (04) <sp:IncludeTimestamp /> 
@@ -522,9 +518,17 @@ compatible and an intersection would not fail (see Section <a href="#Policy_Intersection"><b>4.5 Policy Intersection</b></a>).</p><p>Note: This specification does not define processing for arbitrary <code class="elt">wsp:Policy</code> Element Information Items in the descendants -of an assertion parameter, e.g., in the <strong>[children]</strong> property of one of the <strong>[children]</strong> as in -<code><Lorem><Ipsum><wsp:Policy> … -</wsp:Policy></Ipsum></Lorem></code>.</p></dd></dl><p>Policy assertions containing a nested policy expression are +of an assertion parameter, e.g., in the <strong>[children]</strong> property of one of the <strong>[children]</strong> as in: +<div class="exampleInner"><pre> +(01)<wsp:Policy> +(02) <Lorem> +(03) <Ipsum> +(04) <wsp:Policy> +(05) … +(06) </wsp:Policy> +(07) </Ipsum> +(08) </Lorem> +(09)</wsp:Policy></pre></div>.</p></dd></dl><p>Policy assertions containing a nested policy expression are normalized recursively. The nesting of a policy expression (and a <code class="elt">wsp:Policy</code> child) is retained in the normal form, but in the normal form, each nested policy expression contains at most one @@ -539,7 +543,7 @@ with straight vines.</p><p>For example, consider the following policy expression with nested policy expressions in a compact form:</p><div class="exampleInner"><pre>(01) <wsp:Policy xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" - xmlns:wsp="http://www.w3.org/@@@@/@@/ws-policy" > + xmlns:wsp="http://www.w3.org/ns/ws-policy" > (02) <sp:TransportBinding> (03) <wsp:Policy> (04) <sp:AlgorithmSuite> 
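Review bot: in the @@ -522 hunk, the new `<div class="exampleInner">` is opened inside the `<p>` that begins "Note: This specification does not define processing", and the `.</p>` after `</pre></div>` leaves a stray period in the rendered text; close the paragraph before the div (`as in:</p><div class="exampleInner">`) and drop the period. Minor: lines (01) and (09) of the new listing have no space after the line number, unlike the other listings in this file.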
@@ -568,7 +572,7 @@ indicated by one of the assertions within the algorithm suite assertion.</p><p>The example above is equivalent to the following:</p><div class="exampleInner"><pre>(01) <wsp:Policy xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" - xmlns:wsp="http://www.w3.org/@@@@/@@/ws-policy" > + xmlns:wsp="http://www.w3.org/ns/ws-policy" > (02) <wsp:ExactlyOne> (03) <wsp:All> (04) <sp:TransportBinding> @@ -616,7 +620,6 @@ Policy operators (<code class="elt">wsp:Policy</code> , <code class="elt">wsp:All</code> and <code class="elt">wsp:ExactlyOne</code> ) are used to group <a title="policy assertion" href="#policy_assertion">policy assertions</a> into <a title="policy alternative" href="#policy_alternative">policy alternatives</a>. - In some instances, complex policies expressed in normal form can get relatively large and hard to manage. To compactly express complex policies, policy operators <span class="rfc2119">MAY</span> be recursively nested; that is, one or more instances of <code class="elt">wsp:Policy</code> , <code class="elt">wsp:All</code> , and/or @@ -680,7 +683,7 @@ (06) <wsp:ExactlyOne /> (07) </wsp:All></pre></div><p>is equivalent to:</p><div class="exampleInner"><pre>(01) <wsp:ExactlyOne /></pre></div><p>For example, given the following compact policy expression:</p><div class="exampleInner"><pre>(01) <wsp:Policy xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" - xmlns:wsp="http://www.w3.org/@@@@/@@/ws-policy" > + xmlns:wsp="http://www.w3.org/ns/ws-policy" > (02) <sp:RequireDerivedKeys wsp:Optional="true" /> (03) <wsp:ExactlyOne> (04) <sp:WssUsernameToken10 /> 
@@ -691,7 +694,7 @@ <code class="elt">wsp:ExactlyOne</code> per Section <a href="#Policy_Operators"><b>4.3.3 Policy Operators</b></a> for the assertions in Lines (04-05) yields:</p><div class="exampleInner"><pre>(01) <wsp:Policy xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" - xmlns:wsp="http://www.w3.org/@@@@/@@/ws-policy" > + xmlns:wsp="http://www.w3.org/ns/ws-policy" > (02) <wsp:ExactlyOne> (03) <wsp:All> <!-- @wsp:Optional alternative with assertion --> (04) <sp:RequireDerivedKeys /> @@ -708,7 +711,7 @@ (15) </wsp:ExactlyOne> (16) </wsp:Policy></pre></div><p>Note that the assertion listed in Line (02) in the first listing expands into the two alternatives in Lines (03-06) in the second listing.</p><p>Finally, noting that <code class="elt">wsp:Policy</code> is equivalent to <code class="elt">wsp:All</code> , and distributing <code class="elt">wsp:All</code> over <code class="elt">wsp:ExactlyOne</code> yields the following normal form policy expression:</p><div class="exampleInner"><pre>(01) <wsp:Policy xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" - xmlns:wsp="http://www.w3.org/@@@@/@@/ws-policy" > + xmlns:wsp="http://www.w3.org/ns/ws-policy" > (02) <wsp:ExactlyOne> (03) <wsp:All> (04) <sp:RequireDerivedKeys /> 
@@ -739,8 +742,8 @@ After retrieval, there is no requirement to check that the retrieved policy expression is associated (Section <a href="#Policy_Identification"><b>4.2 Policy Identification</b></a>) with this IRI. The IRI included in the retrieved policy expression, if any, <span class="rfc2119">MAY</span> be -different than the IRI used to retrieve the policy expression. </p></dd><dt class="label"><code class="attr">/wsp:PolicyReference/@Digest</code> </dt><dd><p>This attribute is of type <code class="attr">xs:boolean</code> and specifies the digest of the referenced policy expression. This is used to ensure the included policy is the expected policy. - If omitted, there is no implied value.</p></dd><dt class="label"><code class="attr">/wsp:PolicyReference/@DigestAlgorithm</code> </dt><dd><p>This optional URI attribute specifies the digest algorithms being used. This specification predefines the default algorithm below, although additional algorithms can be expressed. </p></dd></dl><table cellspacing="0" cellpadding="5" border="1"><thead><tr><th rowspan="1" colspan="1">URI</th><th rowspan="1" colspan="1">Description</th></tr></thead><tbody><tr><td rowspan="1" colspan="1"><code>http://www.w3.org/@@@@/@@/ws-policy/Sha1Exc</code> (implied)</td><td rowspan="1" colspan="1">The digest is a SHA1 hash over the octet stream resulting from using the Exclusive XML canonicalization defined for XML Signature [<cite><a href="#XML-Signature">XML-Signature</a></cite>].</td></tr></tbody></table><br><dl><dt class="label"><code class="attr">/wsp:PolicyReference/@{any}</code> </dt><dd><p>Additional attributes <span class="rfc2119">MAY</span> be specified but +different than the IRI used to retrieve the policy expression. </p></dd><dt class="label"><code class="attr">/wsp:PolicyReference/@Digest</code> </dt><dd><p>This attribute is of type <code class="attr">xs:base64Binary</code> and specifies the digest of the referenced policy expression. 
This is used to ensure the included policy is the expected policy. + If omitted, there is no implied value.</p></dd><dt class="label"><code class="attr">/wsp:PolicyReference/@DigestAlgorithm</code> </dt><dd><p>This optional URI attribute specifies the digest algorithms being used. This specification predefines the default algorithm below, although additional algorithms can be expressed. </p></dd></dl><table cellspacing="0" cellpadding="5" border="1"><thead><tr><th rowspan="1" colspan="1">URI</th><th rowspan="1" colspan="1">Description</th></tr></thead><tbody><tr><td rowspan="1" colspan="1"><code>http://www.w3.org/ns/ws-policy/Sha1Exc</code> (implied)</td><td rowspan="1" colspan="1">The digest is a SHA1 hash over the octet stream resulting from using the Exclusive XML canonicalization defined for XML Signature [<cite><a href="#XML-Signature">XML-Signature</a></cite>].</td></tr></tbody></table><br><dl><dt class="label"><code class="attr">/wsp:PolicyReference/@{any}</code> </dt><dd><p>Additional attributes <span class="rfc2119">MAY</span> be specified but <span class="rfc2119">MUST NOT</span> contradict the semantics of the <strong>[owner element]</strong>; if an attribute is not recognized, it 
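Review bot: the change of /wsp:PolicyReference/@Digest from xs:boolean to xs:base64Binary in the @@ -739 hunk is correct, since a boolean could never have carried a hash value; the description, however, still says only that the digest "is used to ensure the included policy is the expected policy" without stating what a consumer does when the computed digest of the retrieved expression differs from @Digest. Suggest adding that on mismatch the referenced expression MUST NOT be included, because the default http://www.w3.org/ns/ws-policy/Sha1Exc algorithm only protects the consumer if a mismatch is treated as a failure.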
@@ -751,7 +754,7 @@ <span class="rfc2119">SHOULD</span> be ignored.</p></dd></dl></div><div class="div3"> <h4><a name="Policy_Inclusion"></a>4.3.5 Policy Inclusion</h4><p>In order to share <a title="policy assertion" href="#policy_assertion">assertions</a> across <a title="policy expression" href="#policy_expression">policy expressions</a>, the <code class="elt">wsp:PolicyReference</code> element <span class="rfc2119">MAY</span> be present anywhere a policy assertion is allowed inside a policy expression. This element is used to include the content of one policy expression in another policy expression.</p><p>When a <code class="elt">wsp:PolicyReference</code> element references a <code class="elt">wsp:Policy</code> element, then the semantics of inclusion are simply to replace the <code class="elt">wsp:PolicyReference</code> element with a <code class="elt">wsp:All</code> element whose <strong>[children]</strong> property is the same as the <strong>[children]</strong> property of the referenced <code class="elt">wsp:Policy</code> element. That is, the contents of the referenced policy conceptually replac the <code class="elt">wsp:PolicyReference</code> element and are wrapped in a <code class="elt">wsp:All</code> operator. Using the <code class="elt">wsp:PolicyReference</code> element, a policy expression <span class="rfc2119">MUST NOT</span> reference itself either directly or indirectly. (Note: References that have a <code class="attr">@Digest</code> attribute <span class="rfc2119">SHOULD</span> be validated before being included.)</p><p>In the example below two policies include and extend a common policy. In the first example there is a single policy document containing two policy assertions. The expression is given an identifier but not a fully qualified location. The second and third expressions reference the first expression by URI indicating the referenced expression is within the document. 
</p><div class="exampleInner"><pre>(01) <wsp:Policy xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" - xmlns:wsp="http://www.w3.org/@@@@/@@/ws-policy" + xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Protection" > (02) <sp:EncryptSignature wsp:Optional="true" /> @@ -759,13 +762,13 @@ (04) </wsp:Policy> </pre></div><div class="exampleInner"><pre>(01) <wsp:Policy xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" - xmlns:wsp="http://www.w3.org/@@@@/@@/ws-policy" > + xmlns:wsp="http://www.w3.org/ns/ws-policy" > (02) <wsp:PolicyReference URI="#Protection" /> (03) <sp:OnlySignEntireHeadersAndBody /> (04) </wsp:Policy> </pre></div><div class="exampleInner"><pre>(01) <wsp:Policy xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" - xmlns:wsp="http://www.w3.org/@@@@/@@/ws-policy" > + xmlns:wsp="http://www.w3.org/ns/ws-policy" > (02) <sp:IncludeTimestamp /> (03) <wsp:PolicyReference URI="#Protection" /> (04) <sp:OnlySignEntireHeadersAndBody /> 
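Review bot: the context of the @@ -751 hunk still contains the typo "conceptually replac the wsp:PolicyReference element" ("replace"); since this hunk already touches the section, fix it here rather than in a later edit.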
@@ -803,7 +806,7 @@ assertion in A.</p></li></ul></p><p>If two alternatives are compatible, their intersection is an alternative containing all of the assertions in both alternatives.</p></li><li><p>Two <a title="policy" href="#policy">policies</a> are compatible if an alternative in one is compatible with an alternative in the other. If two policies are compatible, their intersection is the set of the intersections between all pairs of compatible alternatives, choosing one alternative from each policy. If two policies are not compatible, their intersection has no policy alternatives.</p></li></ul><p>As an example of intersection, consider two input policies in normal form:</p><div class="exampleInner"><pre>(01) <wsp:Policy xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" - xmlns:wsp="http://www.w3.org/@@@@/@@/ws-policy" > + xmlns:wsp="http://www.w3.org/ns/ws-policy" > <!-- Policy P1 --> (02) <wsp:ExactlyOne> (03) <wsp:All> <!-- Alternative A1 --> 
@@ -827,7 +830,7 @@ (20) </wsp:ExactlyOne> (21) </wsp:Policy></pre></div><p>The listing above contains two policy alternatives. The first alternative, (Lines 03-10) contains two policy assertions. One indicates which elements should be signed (Lines 04-06); its type is <code class="elt">sp:SignedElements</code> (Line 04), and its parameters include an XPath expression for the content to be signed (Line 05). The other assertion (Lines 07-09) has a similar structure: type (Line 07) and parameters (Line 08).</p><p>The second alternative (Lines 11-19) also contains two assertions, each with type (Line 12 and Line 16) and parameters (Lines 13-14 and Line 17).</p><p>As this example illustrates, compatibility between two policy assertions is based on assertion type and delegates parameter processing to domain-specific processing.</p><div class="exampleInner"><pre>(01) <wsp:Policy xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" - xmlns:wsp="http://www.w3.org/@@@@/@@/ws-policy" > + xmlns:wsp="http://www.w3.org/ns/ws-policy" > <!-- Policy P2 --> (02) <wsp:ExactlyOne> (03) <wsp:All> <!-- Alternative A3 --> @@ -844,7 +847,7 @@ (14) </wsp:ExactlyOne> (15) </wsp:Policy></pre></div><p>Because there is only one alternative (A2) in policy P1 with the same vocabulary — the assertions have the same type — as another alternative (A3) in policy P2, the intersection is a policy with a single alternative that contains all of the assertions in A2 and in A3.</p><div class="exampleInner"><pre>(01) <wsp:Policy xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" - xmlns:wsp="http://www.w3.org/@@@@/@@/ws-policy" > + xmlns:wsp="http://www.w3.org/ns/ws-policy" > <!-- Intersection of P1 and P2 --> (02) <wsp:ExactlyOne> (03) <wsp:All> 
@@ -923,31 +926,31 @@ is similar to the well-known DTD entity expansion attack). Policy implementers need to anticipate these rogue providers and use a configurable bound with defaults on number of policy alternatives, number of assertions in an alternative, depth of nested policy - expressions, etc.</p><div class="exampleOuter"><p style="text-align: left" class="exampleHead"><a name="ex-chained-policy-reference-elements"></a><i><span>Example 5-1. </span>Chained Policy Reference Elements</i></p><div class="exampleInner"><pre>(01) <Policy wsu:Id="p1"> -(02) <PolicyReference URI="#p2"/ > -(03) <PolicyReference URI="#p2"/> -(04) </Policy> + expressions, etc.</p><div class="exampleOuter"><p style="text-align: left" class="exampleHead"><a name="ex-chained-policy-reference-elements"></a><i><span>Example 5-1. </span>Chained Policy Reference Elements</i></p><div class="exampleInner"><pre>(01) <wsp:Policy wsu:Id="p1"> +(02) <wsp:PolicyReference URI="#p2"/ > +(03) <wsp:PolicyReference URI="#p2"/> +(04) </wsp:Policy> (05) -(06) <Policy wsu:Id="p2" > -(07) <PolicyReference URI="#p3"/> -(08) <PolicyReference URI="#p3"/> -(09) </Policy> +(06) <wsp:Policy wsu:Id="p2" > +(07) <wsp:PolicyReference URI="#p3"/> +(08) <wsp:PolicyReference URI="#p3"/> +(09) </wsp:Policy> (10) -(11) <Policy wsu:Id="p3" > -(12) <PolicyReference URI="#p4"/> -(13) <PolicyReference URI="#p4"/> -(14) </Policy> +(11) <wsp:Policy wsu:Id="p3" > +(12) <wsp:PolicyReference URI="#p4"/> +(13) <wsp:PolicyReference URI="#p4"/> +(14) </wsp:Policy> (15) (16) <!-- Policy/@wsu:Id p4 through p99 --> (17) -(18) <Policy wsu:Id="p100" > -(19) <PolicyReference URI="#p101"/> -(20) <PolicyReference URI="#p101"/> -(21) </Policy> +(18) <wsp:Policy wsu:Id="p100" > +(19) <wsp:PolicyReference URI="#p101"/> +(20) <wsp:PolicyReference URI="#p101"/> +(21) </wsp:Policy> (22) -(23) <Policy wsu:Id="p101" > +(23) <wsp:Policy wsu:Id="p101" > (24) <mtom:OptimizedMimeSerialization /> -(25) </Policy></pre></div></div><p>Malicious providers may 
provide a policy expression that includes multiple +(25) </wsp:Policy></pre></div></div><p>Malicious providers may provide a policy expression that includes multiple PolicyReference elements that use a large number of different internet addresses. These may require the consumers to establish a large number of TCP connections. Policy implementers need to anticipate such rogue providers and use a configurable bound with 
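Review bot: line (02) of Example 5-1 still carries the malformed empty-element tag `<wsp:PolicyReference URI="#p2"/ >` (a space between `/` and `>`), which is not well-formed XML even though the hunk rewrites the line to add the `wsp:` prefix; fix it to `<wsp:PolicyReference URI="#p2"/>` so it matches lines (03), (07) and the rest, since implementers are likely to paste this example into their bounds tests. The comment on line (16), `<!-- Policy/@wsu:Id p4 through p99 -->`, should also take the new prefix (`wsp:Policy/@wsu:Id`) so it agrees with the renamed elements around it.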
@@ -955,7 +958,7 @@ <h3><a name="general-xml-considerations"></a>5.6 General XML Considerations</h3><p>Implementers of Web Services policy language should be careful to protect their software against general XML threats like deeply nested XML or XML that contains malicious content.</p></div></div><div class="div1"> -<h2><a name="Conformance"></a>6. Conformance</h2><p>An element information item whose namespace name is "http://www.w3.org/@@@@/@@/ws-policy" and whose local part is Policy or PolicyReference conforms to this specification if it is valid according to the XML Schema [<cite><a href="#XMLSchemaPart1">XML Schema Structures</a></cite>] for that element as defined by this specification (<a href="http://www.w3.org/@@@@/@@/ws-policy.xsd">http://www.w3.org/@@@@/@@/ws-policy.xsd</a>) and additionally adheres to all the constraints contained in this specification. Such a conformant element information item constitutes a <a title="policy expression" href="#policy_expression">policy expression</a>. +<h2><a name="Conformance"></a>6. Conformance</h2><p>An element information item whose namespace name is "http://www.w3.org/ns/ws-policy" and whose local part is Policy or PolicyReference conforms to this specification if it is valid according to the XML Schema [<cite><a href="#XMLSchemaPart1">XML Schema Structures</a></cite>] for that element as defined by this specification (<a href="http://www.w3.org/ns/ws-policy.xsd">http://www.w3.org/ns/ws-policy.xsd</a>) and additionally adheres to all the constraints contained in this specification. Such a conformant element information item constitutes a <a title="policy expression" href="#policy_expression">policy expression</a>. </p></div></div><div class="back"><div class="div1"> <h2><a name="media-type"></a>A. The application/wspolicy+xml Media Type</h2><p>This appendix defines the "application/wspolicy+xml" media type which can be used to describe Web Services Policy documents 
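Review bot: this hunk replaces the `@@@@/@@` placeholder with `http://www.w3.org/ns/ws-policy` (and the matching `ws-policy.xsd` URL) in the Conformance section, but the commit log message cites only issue 4141, while the change-log rows in the following hunk attribute the namespace change to action 129 / issue 4204; either mention 4204 in the log message or land the namespace change as its own commit so the history stays traceable. It is also worth confirming that the Conformance paragraph was the last remaining occurrence of the placeholder URI in the framework document, since the hunk touches only this one paragraph.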
@@ -1368,4 +1371,14 @@ </td></tr><tr><td rowspan="1" colspan="1">20070116</td><td rowspan="1" colspan="1">DBO</td><td rowspan="1" colspan="1">Completed action item: <a href="http://www.w3.org/2005/06/tracker/wspolicyeds/actions/123">123</a> and <a href="http://www.w3.org/2005/06/tracker/wspolicyeds/actions/115">115 </a> - Resolution for issue <a href="http://www.w3.org/Bugs/Public/show_bug.cgi?id=4210">4210</a></td></tr></tbody></table><br></div></div></body></html> \ No newline at end of file + Resolution for issue <a href="http://www.w3.org/Bugs/Public/show_bug.cgi?id=4210">4210</a></td></tr><tr><td rowspan="1" colspan="1">20070121</td><td rowspan="1" colspan="1">MH</td><td rowspan="1" colspan="1">Completed action item: + <a href="http://www.w3.org/2005/06/tracker/wspolicyeds/actions/129">129</a> + Resolution for namespace dereferencing issue <a href="http://www.w3.org/Bugs/Public/show_bug.cgi?id=4204">4204</a></td></tr><tr><td rowspan="1" colspan="1">20070121</td><td rowspan="1" colspan="1">MH</td><td rowspan="1" colspan="1">Completed action item: + <a href="http://www.w3.org/2005/06/tracker/wspolicyeds/actions/130">130</a> + Resolution for editorial issues <a href="http://www.w3.org/Bugs/Public/show_bug.cgi?id=4205">4205</a></td></tr><tr><td rowspan="1" colspan="1">20070121</td><td rowspan="1" colspan="1">MH</td><td rowspan="1" colspan="1">Completed action item: + <a href="http://www.w3.org/2005/06/tracker/wspolicyeds/actions/132">132</a> + Resolution for changing format of example and removing text. <a href="http://www.w3.org/Bugs/Public/show_bug.cgi?id=4224">4224</a></td></tr><tr><td rowspan="1" colspan="1">20070122</td><td rowspan="1" colspan="1">MH</td><td rowspan="1" colspan="1">Completed action item: + <a href="http://www.w3.org/2005/06/tracker/wspolicyeds/actions/133">133</a> + Resolution for editorial items. 
<a href="http://www.w3.org/Bugs/Public/show_bug.cgi?id=4225">4225</a></td></tr><tr><td rowspan="1" colspan="1">20070122</td><td rowspan="1" colspan="1">PY</td><td rowspan="1" colspan="1">Completed action item: + <a href="http://www.w3.org/2005/06/tracker/wspolicyeds/actions/117">117</a> + Resolution for issue <a href="http://www.w3.org/Bugs/Public/show_bug.cgi?id=4141">4141</a></td></tr></tbody></table><br></div></div></body></html> \ No newline at end of file
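Review bot: the new change-log rows are worded inconsistently: the action 132 and 133 rows end a sentence with a period before the issue link ("Resolution for changing format of example and removing text. 4224", "Resolution for editorial items. 4225"), whereas the other rows read "Resolution for issue <link>"; align them, e.g. "Resolution for issue 4224 (example format, text removal)". The file also still ends without a trailing newline on both sides of the diff (`\ No newline at end of file`); adding one avoids a spurious last-line change in every future commit to this table.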
Received on Monday, 22 January 2007 18:21:41 UTC