RE: NEW ISSUE: HTTP/HTTPS conflict resolution between policy assertion and WSDL from Christopher B Ferris on 2006-07-18 (public-ws-policy@w3.org from July 2006)

From: Christopher B Ferris <chrisfer@us.ibm.com>
Date: Tue, 18 Jul 2006 10:56:12 -0400
To: "Sverdlov, Yakov" <Yakov.Sverdlov@ca.com>
Cc: public-ws-policy@w3.org, public-ws-policy-request@w3.org, "Toufic Boubez" <tboubez@layer7tech.com>
Message-ID: <OFF8662DD0.53D84847-ON852571AF.0051CD37-852571AF.00520A07@us.ibm.com>

I agree that this is out of scope. There are plenty of work-arounds for 
situations such as that cited
(e.g. use HTTP redirect to the secure URI).

IMO, this is a profiling issue, not something that the spec need be 
concerned with. 

Cheers,

Christopher Ferris
STSM, Software Group Standards Strategy
email: chrisfer@us.ibm.com
blog: http://www.ibm.com/developerworks/blogs/dw_blog.jspa?blog=440
phone: +1 508 377 9295

public-ws-policy-request@w3.org wrote on 07/18/2006 10:46:49 AM:

> I agree that the policy assertion takes precedence. My understanding
> is that the same ?canned? policy, which requires HTTPS, may 
> potentially be attached to different WSDLs at the management stage, 
> and if WSDL port for a particular WS uses HTTP, the policy will be 
> appropriately enforced at runtime i.e. rejecting the request.
> 
> I think this is a legitimate conflict, and it has to do with the 
> policy management and enforcement which is out of scope. May be the 
> Attachment Primer should provide some guidance in regard to possible
> policy attachment outcomes during the enforcement phase for two 
> categories ?conflict? and ?ambiguity?: 
> 
> 1. Conflict between the policy assertion and WSDL (not limited to 
> the transport)
> 2. Ambiguity as described by Ashok for the MQ transport scenario, 
> which the Primer should recommend to avoid
> 
> Regards,
> Yakov Sverdlov
> CA
> 
> 
> 
> From: public-ws-policy-request@w3.org [mailto:public-ws-policy-
> request@w3.org] On Behalf Of Toufic Boubez
> Sent: Tuesday, July 18, 2006 10:27 AM
> To: Toufic Boubez; public-ws-policy@w3.org
> Subject: RE: NEW ISSUE: HTTP/HTTPS conflict resolution between 
> policy assertion and WSDL
> 
> More information:
> 
> Justification - This issue was raised by the WS-Policy interop in 
> April 2006 in Germany.
> 
> Reference - http://www.w3.org/2006/07/13-ws-policy-minutes.html#action32
> 
> Toufic Boubez, Ph.D.
> Chief Technology Officer
> 
> LAYER 7 TECHNOLOGIES / Advancing the application network.
> 604.681.9377 x310 (w)   604.288.7970 (m)
> tboubez@layer7tech.com (e)  www.layer7tech.com (w)
> 
> 
> From: public-ws-policy-request@w3.org on behalf of Toufic Boubez
> Sent: Mon 7/17/2006 10:02 PM
> To: public-ws-policy@w3.org
> Subject: NEW ISSUE: HTTP/HTTPS conflict resolution between policy 
> assertion and WSDL
> Title - HTTP/HTTPS conflict resolution between policy assertion and WSDL
> 
> Description - If the security policy assertion requires the use of 
> HTTPS transport level security and WSDL port address uses HTTP 
> scheme, what is the best practice guidance for requestors?
> 
> Target - WS-Policy Attachment 1.5? Primer?
> 
> Proposal - Not sure if I have an absolute proposal, but I'll get the
> ball rolling: I propose that if there is a conflict, that since 
> presumably the policy authors are a better authority as to what 
> policies should exist for a service, whereas the WSDL might have 
> been automatically generated by a tool or a developer, the policy 
> assertion takes precedence.
> 
> Toufic Boubez, Ph.D.
> Chief Technology Officer
> 
> LAYER 7 TECHNOLOGIES / Advancing the application network.
> 604.681.9377 x310 (w)   604.288.7970 (m)
> tboubez@layer7tech.com (e)  www.layer7tech.com (w)

Received on Tuesday, 18 July 2006 14:56:27 UTC