RE: NEW ISSUE: HTTP/HTTPS conflict resolution between policy assertion and WSDL from Maryann Hondo on 2006-07-26 (public-ws-policy@w3.org from July 2006)

From: Maryann Hondo <mhondo@us.ibm.com>
Date: Wed, 26 Jul 2006 05:11:21 -0400
To: "Yalcinalp, Umit" <umit.yalcinalp@sap.com>
Cc: Christopher B Ferris <chrisfer@us.ibm.com>, public-ws-policy@w3.org, public-ws-policy-request@w3.org, "Toufic Boubez" <tboubez@layer7tech.com>, "Sverdlov, Yakov" <Yakov.Sverdlov@ca.com>
Message-ID: <OF27523615.647CB817-ON872571B5.005C81DF-852571B7.00327A50@us.ibm.com>

All,

I agree with Toufic that for the specific WSDL binding case with 
HTTP/HTTPS in WS-Policy attachment, we can state that policy
takes precedence over the WSDL. 

 But  I also agree with Umit, that  this is also an area where the primer 
can offer guidance.

Policy authors ( like RM) have to do the domain decomposition. In the case 
of RM, 
maybe the authors did not take into account transport agnostic, and 
transport specific capabilities.

I believe the security domain did attempt to address this. So the primer 
can provdide guidance and
examples of how domain authors can chose to express the capabilities of 
their particular domain.

And if there are new models for attachment ( beyond WSDL) then the 
precedence can be stated normatively in the 
WS-PolicyAttachment document.

Maryann 



"Yalcinalp, Umit" <umit.yalcinalp@sap.com> 
Sent by: public-ws-policy-request@w3.org
07/19/2006 08:57 PM

To
Christopher B Ferris/Waltham/IBM@IBMUS, "Sverdlov, Yakov" 
<Yakov.Sverdlov@ca.com>
cc
<public-ws-policy@w3.org>, <public-ws-policy-request@w3.org>, "Toufic 
Boubez" <tboubez@layer7tech.com>
Subject
RE: NEW ISSUE: HTTP/HTTPS conflict resolution between policy assertion and 
 WSDL






Hi Chris, 
 
I am not sure which "spec" you are referring to. If I am following this 
thread correctly, the intent here is to provide some guidelines to deal 
with this situation and if we decide to deal with it in a non-normative 
manner, I see this as a potential item to be included into the primer. I 
see no harm pointing out the pitfalls to users. 
 
Thanks, 
 
--umit
 

From: public-ws-policy-request@w3.org 
[mailto:public-ws-policy-request@w3.org] On Behalf Of Christopher B Ferris
Sent: Tuesday, Jul 18, 2006 7:56 AM
To: Sverdlov, Yakov
Cc: public-ws-policy@w3.org; public-ws-policy-request@w3.org; Toufic 
Boubez
Subject: RE: NEW ISSUE: HTTP/HTTPS conflict resolution between policy 
assertion and WSDL


I agree that this is out of scope. There are plenty of work-arounds for 
situations such as that cited 
(e.g. use HTTP redirect to the secure URI). 

IMO, this is a profiling issue, not something that the spec need be 
concerned with. 

Cheers, 

Christopher Ferris
STSM, Software Group Standards Strategy
email: chrisfer@us.ibm.com
blog: http://www.ibm.com/developerworks/blogs/dw_blog.jspa?blog=440
phone: +1 508 377 9295 

public-ws-policy-request@w3.org wrote on 07/18/2006 10:46:49 AM:

> I agree that the policy assertion takes precedence. My understanding
> is that the same ?canned? policy, which requires HTTPS, may 
> potentially be attached to different WSDLs at the management stage, 
> and if WSDL port for a particular WS uses HTTP, the policy will be 
> appropriately enforced at runtime i.e. rejecting the request. 
>   
> I think this is a legitimate conflict, and it has to do with the 
> policy management and enforcement which is out of scope. May be the 
> Attachment Primer should provide some guidance in regard to possible
> policy attachment outcomes during the enforcement phase for two 
> categories ?conflict? and ?ambiguity?: 
>   
> 1. Conflict between the policy assertion and WSDL (not limited to 
> the transport) 
> 2. Ambiguity as described by Ashok for the MQ transport scenario, 
> which the Primer should recommend to avoid 
>   
> Regards, 
> Yakov Sverdlov 
> CA 
>   
>   
> 
> From: public-ws-policy-request@w3.org [mailto:public-ws-policy-
> request@w3.org] On Behalf Of Toufic Boubez
> Sent: Tuesday, July 18, 2006 10:27 AM
> To: Toufic Boubez; public-ws-policy@w3.org
> Subject: RE: NEW ISSUE: HTTP/HTTPS conflict resolution between 
> policy assertion and WSDL 
>   
> More information: 
>   
> Justification - This issue was raised by the WS-Policy interop in 
> April 2006 in Germany. 
>   
> Reference - http://www.w3.org/2006/07/13-ws-policy-minutes.html#action32 

>   
> Toufic Boubez, Ph.D.
> Chief Technology Officer
> 
> LAYER 7 TECHNOLOGIES / Advancing the application network.
> 604.681.9377 x310 (w)   604.288.7970 (m) 
> tboubez@layer7tech.com (e)  www.layer7tech.com (w) 
>   
> 
> From: public-ws-policy-request@w3.org on behalf of Toufic Boubez
> Sent: Mon 7/17/2006 10:02 PM
> To: public-ws-policy@w3.org
> Subject: NEW ISSUE: HTTP/HTTPS conflict resolution between policy 
> assertion and WSDL 
> Title - HTTP/HTTPS conflict resolution between policy assertion and WSDL 

>   
> Description - If the security policy assertion requires the use of 
> HTTPS transport level security and WSDL port address uses HTTP 
> scheme, what is the best practice guidance for requestors? 
>   
> Target - WS-Policy Attachment 1.5? Primer? 
>   
> Proposal - Not sure if I have an absolute proposal, but I'll get the
> ball rolling: I propose that if there is a conflict, that since 
> presumably the policy authors are a better authority as to what 
> policies should exist for a service, whereas the WSDL might have 
> been automatically generated by a tool or a developer, the policy 
> assertion takes precedence. 
>   
> Toufic Boubez, Ph.D.
> Chief Technology Officer
> 
> LAYER 7 TECHNOLOGIES / Advancing the application network.
> 604.681.9377 x310 (w)   604.288.7970 (m) 
> tboubez@layer7tech.com (e)  www.layer7tech.com (w)

Received on Wednesday, 26 July 2006 09:11:36 UTC