

From: Ashok Malhotra <ashok.malhotra@oracle.com>
Date: Tue, 18 Jul 2006 05:20:03 -0700
To: "public-ws-policy@w3.org" <public-ws-policy@w3.org>
Message-ID: <20060718052003374.00000002312@amalhotr-pc>

I've written this action as a new issue.

Title: Nested policy as a qualifying mechanism on an assertion is too general.  

Description:  WS-Policy allows a nested/embedded policy to be used to qualify an assertion.
This is too general, as anything can appear within a policy element including assertions that
have nothing to do with the parent assertion.

Note that WS-SecurityPolicy seems to recognize this and includes a note:
"Assertions from one domain SHOULD NOT be nested inside assertions from another domain. For example, assertions from a transaction domain should not be nested inside an assertion from a security domain."  There is, however, no definition of "domain" that I could find.
Further, the "Schemas" included in WS-SecurityPolicy specify which assertions can appear within the embedded policy.  But this does not work as the contents of the <wsp:Policy> element cannot change depending on the context in which it appears.
If the authors of WS-SecurityPolicy go to the trouble of specifying which assertions can appear within the embedded policy, why don't they simply specify these assertions as possible children of the parent assertion?

Target:  WS-Policy Framework

Proposal:  Instead of nested policies, allow assertions to be qualified by defining possible child elements for them.

All the best, Ashok
Received on Tuesday, 18 July 2006 12:20:28 UTC
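
The nesting rule quoted in the message cannot be enforced by the schema of `<wsp:Policy>` itself, so a consumer has to check it separately. The following is an added example, not part of the original message or of any specification: it assumes a "domain" can be approximated by an assertion's XML namespace (the message notes that no definition exists), and the `sec:` and `tx:` namespaces and the sample document are constructed.

```python
import xml.etree.ElementTree as ET

# WS-Policy 2004/09 namespace; its operators are transparent containers.
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
OPERATORS = {f"{{{WSP}}}{name}" for name in ("Policy", "All", "ExactlyOne")}

# Constructed sample: a transaction assertion nested inside a security assertion.
SAMPLE = """
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:sec="urn:example:security" xmlns:tx="urn:example:transaction">
  <sec:TransportBinding>
    <wsp:Policy>
      <sec:AlgorithmSuite>
        <wsp:Policy><sec:Basic256/></wsp:Policy>
      </sec:AlgorithmSuite>
      <tx:AtomicTransaction/>
    </wsp:Policy>
  </sec:TransportBinding>
</wsp:Policy>
"""

def namespace(tag):
    """Namespace URI of an ElementTree tag of the form '{uri}local'."""
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""

def local(tag):
    return tag.split("}", 1)[-1]

def foreign_nested(xml_text):
    """Return (parent, nested) local names where a nested assertion's
    namespace differs from that of the assertion it qualifies.
    Assumption: namespace stands in for the undefined term 'domain'."""
    findings = []

    def walk(container, parent):
        # Non-operator children of a policy operator are assertions.
        for child in container:
            if child.tag in OPERATORS:
                walk(child, parent)
                continue
            if parent is not None and namespace(child.tag) != namespace(parent.tag):
                findings.append((local(parent.tag), local(child.tag)))
            # Only a nested policy operator qualifies the assertion;
            # other children are parameters and are not checked.
            for sub in child:
                if sub.tag in OPERATORS:
                    walk(sub, child)

    walk(ET.fromstring(xml_text), None)
    return findings
```
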
