- From: Frederick Hirsch <frederick.hirsch@nokia.com>
- Date: Wed, 9 May 2007 10:31:35 -0400
- To: ext Bob Freund <bob@freunds.com>
- Cc: Frederick Hirsch <frederick.hirsch@nokia.com>, "Sergey Beryozkin" <sergey.beryozkin@iona.com>, "Daniel Roth" <Daniel.Roth@microsoft.com>, "Ashok Malhotra" <ashok.malhotra@oracle.com>, "Maryann Hondo" <mhondo@us.ibm.com>, "Anthony Nadalin" <drsecure@us.ibm.com>, <public-ws-addressing@w3.org>, <public-ws-policy@w3.org>
+1, what you see is what you know based on definition of assertions. regards, Frederick Frederick Hirsch Nokia On May 9, 2007, at 9:15 AM, ext Bob Freund wrote: > The WS-Policy Spec simply defines a way to express and compare > (intersect, gosh I dislike that term) sets of metadata. It may > imply a bunch of other stuff, but I think that to the extent that > it does it oversteps. > > It is mandatory that the adjunct specs which define assertions for > a particular protocol define which behaviors are intended in > conjunction with the underlying protocol spec. > > I might have preferred that WS-Policy define a wildcard policy > expression for readability, but it doesn’t matter that much IMO > since an empty policy is a policy none the less and optional=”true” > reduces the verbosity somewhat. > > How does one express “default” behavior? Well, one way is to > define an assertion that connotes default, another is to express > nothing which might also connote default behavior. > > I really feel that it needs be up to the protocol writers to define > what that default behavior is and it cannot be subject to absence = > negation rules. I think that if nothing is expressed, nothing is > expressed and nothing more. > > To the absence equals negation faction, the absence of the default > assertion, should it be defined, means what? > > Must there be an empty compatible policy for default behavior to be > exhibited? > > I think not, since just because policy exists, it will be tough to > require policy at least foe awhile. Protocol authors and > implementers will find it necessary to work with clients or servers > that might be policy naive. We still are forced to define a fault > mechanism and not only for this. > > The less that WS-Policy says about behavior, the better. Let it do > the simple and needed job of defining what a policy looks like and > how they might be compared in an optional application independent > manner. > > > > -bob > > > > From: public-ws-addressing-request@w3.org [mailto:public-ws- > addressing-request@w3.org] On Behalf Of Sergey Beryozkin > Sent: Wednesday, May 09, 2007 4:40 AM > To: 'Daniel Roth'; Bob Freund; 'Ashok Malhotra'; 'Maryann Hondo'; > 'Anthony Nadalin' > Cc: public-ws-addressing@w3.org; public-ws-policy@w3.org > Subject: RE: Are nested assertions part of the policy vocabulary? > > > > Hi Dan > > > > “In some cases a single message may specify both an anonymous > ReplyTo EPR and a non-anonymous FaultsTo EPR. To satisfy this > scenario you need to have some way of saying that addressing is > fully supported without qualifications”. > > > > This is the point I’ve missed. It’s the fact that a *single* > message may specify both types which makes an empty <Policy> > expression a useful alternative. > > IMHO, highlighting it in the wsa-addressing policy profile would > help. Otherwise it’s very tempting to use an empty <Policy> > expression alone to meet different client’s > > requirements for a more qualified support… > > > > Thanks for the explanation > > Sergey > > > > > > > > From: Daniel Roth [mailto:Daniel.Roth@microsoft.com] > Sent: 08 May 2007 21:26 > To: Sergey Beryozkin; Bob Freund; Ashok Malhotra; Maryann Hondo; > Anthony Nadalin > Cc: public-ws-addressing@w3.org; public-ws-policy@w3.org > Subject: RE: Are nested assertions part of the policy vocabulary? > > > > Hi Sergey, > > > > > According to [1] If the provider uses <Policy/> then it means > this provider will work with consumers using either anonymous or > non-anonymous WSA qualifications. > > > And yet, the requester saying, by using <ws- > addressing><Policy><AnonymousResponses/></Policy></ws-addressing>, > that it wishes a provider to support > > > <AnonymousResponses/> will fail to intersect with the provider > using <Policy/> which says that all types of responses are supported > > > > A client that requires a service that supports anonymous responses > will work with a service that supports all of addressing or just > anonymous responses. This means, the client should reflect that by > including both alternatives in its policy. The client policy with > both alternatives intersects with the service policy and is > specifically recommended in section 3.6.1 of the WS-Addressing > Metadata spec. > > > > > I'd even say that the empty nested ws-adressing <Policy> should > be prohibited > > > > In some cases a single message may specify both an anonymous > ReplyTo EPR and a non-anonymous FaultsTo EPR. To satisfy this > scenario you need to have some way of saying that addressing is > fully supported without qualifications. > > > > I hope this helps. > > > > Daniel Roth > > > > > > From: Sergey Beryozkin [mailto:sergey.beryozkin@iona.com] > Sent: Tuesday, May 08, 2007 2:25 AM > To: Bob Freund; Daniel Roth; Ashok Malhotra; Maryann Hondo; Anthony > Nadalin > Cc: public-ws-addressing@w3.org; public-ws-addressing- > request@w3.org; public-ws-policy@w3.org; public-ws-policy- > request@w3.org > Subject: Re: Are nested assertions part of the policy vocabulary? > > > > Hi > > > > What confuses me is that it appears to be some inconsistency in the > definition of what the empty nested Policy means in the scope of ws- > addressing (see [1]), <ws-addressing><Policy/></ws-addressing> and > the fact that this nested <Policy> does not intersect with a more > qualified nested Policy such as <ws- > addressing><Policy><AnonymousResponses/></Policy></ws-addressing>. > > > > According to [1] If the provider uses <Policy/> then it means this > provider will work with consumers using either anonymous or non- > anonymous WSA qualifications. And yet, the requester saying, by > using <ws-addressing><Policy><AnonymousResponses/></Policy></ws- > addressing>, that it wishes a provider to support > <AnonymousResponses/> will fail to intersect with the provider > using <Policy/> which says that all types of responses are > supported... > > > > I think what this means is using an all inclusive <Policy> > alternative alone on the server is just not safe as it will cause > compliant clients (say those wishing a provider to support > <AnonymousResponses/>) to break...I'd even say that the empty > nested ws-adressing <Policy> should be prohibited...Just have two > nested policies, one allowing anonymous responses, another one > allowing non-anonymous ones...That way a provider supporting all > types of responses can list two alternatives and it will match all > clients.... > > > > > > Thanks, Sergey > > > > [1] http://lists.w3.org/Archives/Public/public-ws-policy/2007Apr/ > att-0094/WSAddrPolicyAlgerntiveGprime.htm > > ----- Original Message ----- > > From: Bob Freund > > To: Daniel Roth ; Ashok Malhotra ; Maryann Hondo ; Anthony Nadalin > > Cc: public-ws-addressing@w3.org ; public-ws-addressing- > request@w3.org ; public-ws-policy@w3.org ; public-ws-policy- > request@w3.org > > Sent: Tuesday, May 08, 2007 12:22 AM > > Subject: RE: Are nested assertions part of the policy vocabulary? > > > > +1 > > From a plain reading of the WS-Policy intersection algorithm, these > policies indeed are not compatible per the WS-Policy 1.5 framework > CR spec. > > -bob > > > > From: public-ws-addressing-request@w3.org [mailto:public-ws- > addressing-request@w3.org] On Behalf Of Daniel Roth > Sent: Tuesday, May 01, 2007 4:52 PM > To: Ashok Malhotra; Maryann Hondo; Anthony Nadalin > Cc: public-ws-addressing@w3.org; public-ws-addressing- > request@w3.org; public-ws-policy@w3.org; public-ws-policy- > request@w3.org > Subject: RE: Are nested assertions part of the policy vocabulary? > > > > Hi Ashok, > > > > These two policies do not intersect and we believe this is verified > in the test cases. If Policy 2 is the policy for a requester then > this intersection result may at first seem incorrect, so let me > explain: > > > > It is incumbent on the Addressing authors to specify the semantics > of the assertions. The Addressing assertion expresses a > requirement that WS-Addressing be used to exchange messages without > qualifications. The nested addressing assertions (which indicate > additional characteristics of the base WS-Addressing assertion) > qualify this semantic to say that either only non-anonymous > responses are supported or that only anonymous responses are > supported. In the WS-Addressing protocol it’s the requester’s > message that requests a specific kind of response – anonymous, non- > anonymous, or maybe even a mixture of the two. > > > > The thing to recognize is that if Policy 2 is a requester policy > then it is incomplete in that it is not acknowledging that the base > assertion also reflects support for anonymous responses. The > requester determines what response type should be used. So, a > client that needs non-anonymous responses will also work with a > service that supports all of addressing. The client’s policy > should reflect that it is compatible with an endpoint that > supports all of addressing by adding a second alternative. This > can be easily done using the Optional attribute as is shown in > section 3.1.6 in the WS-Addressing Metadata spec: > > <Policy><Addressing ><Policy><AnonymousResponses > wsp:Optional=”true” > </Policy></Addressing ></Policy> > > > > Note that if Policy 2 is a provider policy and Policy 1 is the > requester policy – where the requester wants unqualified support > for addressing, but the provider only supports a specific response > type – then there is no issue. These policies should not intersect > and they don’t. > > > > We hope this helps. > > > > Daniel Roth > > > > From: public-ws-policy-request@w3.org [mailto:public-ws-policy- > request@w3.org] On Behalf Of Ashok Malhotra > Sent: Thursday, April 19, 2007 12:33 PM > To: Maryann Hondo; Anthony Nadalin > Cc: public-ws-addressing@w3.org; public-ws-addressing- > request@w3.org; public-ws-policy@w3.org; public-ws-policy- > request@w3.org > Subject: RE: Are nested assertions part of the policy vocabulary? > > > > Hi Maryann: > > Perhaps I misunderstood. Let me rephrase my comments as questions. > > > > Since Policy 1 > > <Policy> > <ws-addressing> > <Policy/> > </ws-addressing> > </Policy> > was intended to mean that ALL options ( anonymous, non-anonymous) > are supported. > > > > And Policy 2 > > <Policy> > <ws-addressing> > <Policy> > <ws-addressing: Anonymous> > </Policy> > </ws-addressing> > </Policy> > was intended to mean that ONLY anonymous was supported. > > Should Policy 1 match Policy 2 in the intersection algorithm? > > All the best, Ashok > > From: public-ws-addressing-request@w3.org [mailto:public-ws- > addressing-request@w3.org] On Behalf Of Maryann Hondo > Sent: Thursday, April 19, 2007 5:55 AM > To: Ashok Malhotra; Anthony Nadalin > Cc: Ashok Malhotra; public-ws-addressing@w3.org; public-ws- > addressing-request@w3.org; public-ws-policy@w3.org; public-ws- > policy-request@w3.org > Subject: RE: Are nested assertions part of the policy vocabulary? > > > > > Ashok, > I would like to clarify my comments. > > I was trying to say, that the WS-Addressing group seemed to be > trying to use nested assertions to indicate a "constraint". > My understanding of the semantics are the following: > <Policy> > <ws-addressing> > <Policy/> > </ws-addressing> > </Policy> > was intended to mean that ALL options ( anonymous, non-anonymous) > are supported. > > and > <Policy> > <ws-addressing> > <Policy> > <ws-addressing: Anonymous> > </Policy> > </ws-addressing> > </Policy> > was intended to mean that ONLY anonymous was supported. > > This to me, ths meant that the "intent" of the base assertion was > being "constrained" by the presence off a nested assertion > and that was ok if the working group understood the semantics they > were expressing ( i.e. the "absence" of a nested assertion > means "no constraints" or "all options are supported") > > and I thought the language of the ws-policy spec allowed this > interpretation since a nested assertion could be seen to be > qualifying the base assertion with a constraint rather than a > capability. > > Authors MAY define that an assertion contains a policy expression > (as defined in 4. Policy Expression) as one of its[children]. > Nested policy expression(s) are used by authors to further qualify > one or more specific aspects of the original assertion. > > > The spec already says the following so I don't think alternative 1 > really adds anything, unless I'm missing something, like Tony, I > need more of an explanation of what you are suggesting you want the > intersection to do: > > Because the set of behaviors indicated by a policy alternative > depends on the domain-specific semantics of the collected > assertions, determining whether two policy alternatives are > compatible generally involves domain-specific processing. > > Maryann > > Anthony Nadalin/Austin/IBM@IBMUS > Sent by: public-ws-addressing-request@w3.org > > 04/19/2007 03:41 AM > > To > > "Ashok Malhotra" <ashok.malhotra@oracle.com> > > cc > > "public-ws-addressing@w3.org" <public-ws-addressing@w3.org>, > "public-ws-policy@w3.org" <public-ws-policy@w3.org>, public-ws- > policy-request@w3.org > > Subject > > RE: Are nested assertions part of the policy vocabulary? > > > > > > > > > > > #1 " dependent on the semantics of the parent assertion." not sure > what this would mean can you give some guidance here ? > #2 is real dangerous as you have no idea what you are matching on, > one day it could be XYZ and another day it could be ABC. > > Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122 > <image001.gif> > ">"Ashok Malhotra" <ashok.malhotra@oracle.com> > > "Ashok Malhotra" <ashok.malhotra@oracle.com> > Sent by: public-ws-policy-request@w3.org > > 04/16/2007 04:23 PM > > > > <image002.gif> > > > To > > <image002.gif> > > "public-ws-policy@w3.org" <public-ws-policy@w3.org>, "public-ws- > addressing@w3.org" <public-ws-addressing@w3.org> > > <image002.gif> > > > cc > > <image002.gif> > > <image002.gif> > > > Subject > > <image002.gif> > > RE: Are nested assertions part of the policy vocabulary? > > > > <image002.gif> > > <image002.gif> > > > > I’m at the OASIS Symposium and have had extensive discussions with > the WS-Addressing folks re. the problems they are having in using > WS-Policy to express their requirements. > > As I see it, the sticky usecase is where the provider wants to say > this it supports WS-Addressing in all its manifestations and the > requester specifies that it supports a particular variation of WS- > Addressing. These two policies must match. Thus, the provider says: > > <Policy> > <ws-addressing> > <Policy/> > </ws-addressing> > </Policy> > > And the requester says: > > <Policy> > <ws-addressing> > <Policy> > <ws-addressing-specific-assertions> > </Policy> > </ws-addressing> > </Policy> > > These two policies must match in the intersection algorithm. The > text that prevents them from matching says: > > “If either assertion contains a nested policy expression, the two > assertions are compatible if they both have a nested policy > expression and the alternative in the nested policy expression of > one is compatible with the alternative in the nested policy > expression of the other.” > > In the note below (which Glen +1ed), Maryann suggests that a Policy > with just the <ws-addressing> assertion is expressing a constraint > which can be met in several ways – at least that’s how I read her > note. She does not, however, suggest concrete wording. Here are a > couple of suggestions: > 1. Change the quoted text above to say that matching of nested > policy assertions is dependent on the semantics of the parent > assertion. This way, WS-Addressing could define its own semantics > for matching and solving their usecase. > 2. Bob Freund suggested a wildcard assertion that could be included > within a nested Policy that would match any other nested policy. > > All the best, Ashok > > > > > From: Maryann Hondo [mailto:mhondo@us.ibm.com] > Sent: Wednesday, April 04, 2007 7:37 AM > To: Glen Daniels > Cc: Ashok Malhotra; Monica J. Martin; public-ws-policy@w3.org; > public-ws-policy-request@w3.org > Subject: RE: Are nested assertions part of the policy vocabulary? > > > Glen, > I think the problem is that the assertions are really trying to > express a constraint .....and should be something > like "nonAnonymousONLY". so the absence, is not the absence of > support but rather the absence of the constraint. > > And in this case I think the " no constraints" is sufficient for > your use case > The client has no constraints on what the provider will do. > That should intersect with all the provider options. > > I hope we can talk this through on the call. > Maryann > > "Glen Daniels" <gdaniels@progress.com> > Sent by: public-ws-policy-request@w3.org > > 04/04/2007 09:59 AM > > > > To > > "Monica J. Martin" <Monica.Martin@Sun.COM>, "Ashok Malhotra" > <ashok.malhotra@oracle.com> > > cc > > <public-ws-policy@w3.org> > > Subject > > RE: Are nested assertions part of the policy vocabulary? > > > > > > > > > > > > Hi Monica: > > I'm a little confused here. Are you and MaryAnn indeed saying that > selecting the first alternative in Ashok's (and indeed WS- > Addressing's) > example means that neither anonymous nor non-anonymous responses are > allowed? That certainly isn't the goal of the policy, and indeed this > interpretation would seem to disallow ANY kind of response. > > How would you write a consumer policy which was meant to successfully > intersect with endpoint policies which either a) express nothing about > anonymous responses, b) express a requirement for anonymous responses, > or c) express a requirement for non-anonymous responses? > > --Glen > > > -----Original Message----- > > From: public-ws-policy-request@w3.org > > [mailto:public-ws-policy-request@w3.org] On Behalf Of Monica J. > Martin > > Sent: Tuesday, April 03, 2007 5:30 PM > > To: Ashok Malhotra > > Cc: public-ws-policy@w3.org > > Subject: Re: Are nested assertions part of the policy vocabulary? > > > > > > > > hondo: Ashok, > > My response is yes. > > Maryann > > > > >>mm1: Ashok, agree with MaryAnn on question one answer - this point > > has been made that the nested assertions are part of the policy > > vocabulary. Yet, an important point associated with this surrounds > > whether or not the guiding conformance [1] requires support for > those > > response types - that provides substance on your second > > question and its > > disposition.. [2] > > > > We also state in Section 3.2 Framework before the statement you > cite: > > > > An alternative with zero assertions indicates no behaviors. An > > alternative with one or more assertions indicates > > behaviors implied > > by those, and only those assertions. > > > > Remember: (no position just stating the action-result), we augmented > > this text in > > http://www.w3.org/Bugs/Public/show_bug.cgi?id=3602 Issue 3602. > > > > [1] WS-A specification(s) referenced > > [2] Related to empty and the base assumptions of WS-Addressing. > > > > >Ashok Malhotra wrote: Section 3.2 of Framework says "When an > > assertion whose type is part of the policy's vocabulary is > > not included in a policy alternative, the policy alternative > > without the assertion type indicates that the assertion will > > not be applied in the context of the attached policy > > subject." Are nested assertions included in the policy's > > vocabulary? > > > > > >Consider the following example: > > > > > > <wsp:ExactlyOne> > > > <wsp:All> > > > <wsam:Addressing> <-- supports all response > > types --> Alternative 1 > > > <wsp:Policy> > > > </wsp:Policy> > > > </wsam:Addressing> > > > </wsp:All> > > > <wsp:All> > > > <wsam:Addressing> <-- requires Anonymous > > responses --> Alternative 2 > > > <wsp:Policy> > > > <AnonymousResponses /> > > > </wsp:Policy> > > > </wsam:Addressing> > > > </wsp:All> > > > <wsp:All> > > > <wsam:Addressing> <- requires nonAnonymous > > responses --> Alternative 3 > > > <wsp:Policy> > > > <NonAnonymousResponses /> > > > </wsp:Policy> > > > </wsam:Addressing> > > > </wsp:All> > > > </wsp:ExactlyOne> > > ></wsp:Policy> > > > > > >If Alternative 1 is selected, does this mean that neither > > Anonymous responses nor NonAnonymous responses are allowed as > > both are part of the policy vocabulary but not included in > > the alternative. > > > > > >All the best, Ashok > > > > > > > > > > > > > > > > > > <image003.gif> > >
Received on Wednesday, 9 May 2007 14:33:24 UTC