RE: WS-Policy reference indirection

At 05:06 PM 2006-09-22, Daniel Roth wrote:
>Hi Paul,
>
> > What if [P1] and [P2] conflict?
>
>Then someone is in effect "lying" about the policy for that 
>endpoint.  It is the responsibility of the policy provider to make 
>sure that the policies are consistent.

Thanks for your reply.
Right it is the responsibility of the policy provider, so to make 
his/her job easier, it would be nice to update one rather than two links.


> > Perhaps an approach that would work is for the WSDL policy reference
> > to point to a UDDI tModel, then the UDDI tModel points to the actual
> > policy document, say [P1].
>
>Policy references point to policies, not tModels.

Which is the point of this issue.  Another level of indirection 
should be allowed by the spec.

>You can have your WSDL and your tModel both point to the same policy.

And if I want to change the policy, and the new policy has a new URI, 
I would need to update links in both WSDL and the tModel.
If my WSDL always points to my tModel, then I can change one link (in 
the tModel) to point to the new policy.

>However, this won't have the effect that I think you are implying.
>
>Section 3.1 of the Policy Attachment spec states that you should 
>merge multiple policies attached to the same policy subject using 
>different attachment mechanisms [1].  The merge operation is 
>actually a cross product of the policy alternatives, and P1 x P1 != 
>P1.  When attaching multiple policies to the same subject, these 
>policies should be orthogonal to each other to make sure that the 
>merge results are reasonable.

If I make a mistake when updating the two pointers (WSDL, tModel), 
they would point to different policies, and the cross product would 
not be the intended policy.  To avoid this, its better to update one 
rather than two links.

Perhaps another issue is lurking here:
[1] states "Such calculated Policy Expressions have no meaningful URI 
of their own. "
Section 6, security considerations, perhaps should say something 
about this lack of a meaningful URI for the effective policy, so that 
audit logs can note when the policy is based on a merge operation of 
multiple individual policy expressions.  If something goes wrong 
because the effective policy after the merge is not as expected, you 
want your audit logs to help you find the source of the problem.

Paul


>I hope this helps.
>
>Daniel Roth
>
>[1] http://www.w3.org/Submission/WS-PolicyAttachment/#EffectivePolicy
>NOTE: This is a link to the submitted draft.  In the editors draft 
>it looks like the terminology work has cut off some of the text for 
>paragraph 2 in section 3.1.
>
>-----Original Message-----
>From: public-ws-policy-request@w3.org 
>[mailto:public-ws-policy-request@w3.org] On Behalf Of Paul Denning
>Sent: Wednesday, August 23, 2006 8:49 AM
>To: public-ws-policy@w3.org
>Subject: WS-Policy reference indirection
>
>
>Lets say my policy subject is an endpoint [e].
>
>Lets assume two different policy files exist, [P1] and [P2].
>
>I may have a WSDL file for endpoint [e] with an attached policy [1]
>that references [P1].
>
>I may also have a UDDI entry for [e] with an attached policy [2] that
>references [P2].
>
>So, both [P1] and [P2] are associated with [e].
>
>What if [P1] and [P2] conflict?
>
>For example,
>[P1] = endpoint available only Mon-Fri
>[P2] = endpoint available only on Sat and Sun
>
>[1]  http://www.w3.org/Submission/WS-PolicyAttachment/#EndpointPolicySubject
>[2]
>http://www.w3.org/Submission/WS-PolicyAttachment/#EndpointPolicySubjectUDDI
>[3]
>http://www.w3.org/Submission/2006/SUBM-WS-Policy-20060425/#Policy_Inclusion
>
>It would be nice to avoid this situation.
>
>Perhaps an approach that would work is for the WSDL policy reference
>to point to a UDDI tModel, then the UDDI tModel points to the actual
>policy document, say [P1].
>
>However, I don't think [3] allows this extra layer of indirection
>where WSDL points to UDDI which points to Policy.  I think [3] only
>allows WSDL to point to Policy.
>
>Is my reading correct?
>
>Do you agree that the specs should support this extra layer of
>indirection to avoid potential policy conflicts and reduce the burden
>of synchronizing the WSDL and UDDI policy references?
>
>Paul

Received on Friday, 22 September 2006 21:53:41 UTC