Re: Ordering of Assertions: Comment on WS-Policy Primer LCWD

Hi Asir

>>>(a) Order of assertions in a policy alternative and order in which behaviors are applied are TWO distinct concepts (let's not conflate them).

It's a good point and I hope all agree that it's the case. Furthermore, I strongly believe that order in which behaviors are applied is out of scope for the policy framework. It's up to the higher-level components to ensure the assertions are applied properly, as governed by corresponding specifications and other domain-specific conventions.

I think the subject line of this email is somewhat confusing. It should be something like:

"Order of behaviors : how can a policy author pass a hint to the consumer" or something like that.

As I said, I agree that the way WS-Security-Policy uses assertions to inform the consumer how some behaviors need to be ordered is good enough.

However, Bob Natale's email [1] made me think that maybe it's not too bad at all if the policy author could indicate, possibly using some kind of attribute (in combination with ordering the assertions themselves), that this is how policy behaviors need to be applied. As far as the policy framework is concerned, it treats the policy assertions as usual, it does not care about their ordering inside a given alternative, for ex, when dealing with the intersection.

But then an entity which interacts with the policy engine (runtime, UI tool, etc) can check, in a uniform way, rather than consuming domain-specific assertions, in what order to apply the behaviors. 

Imagine a WS-SecurityPolicy 3.0 allowing for this policy :

<Policy>
  <sp:AsymmetricBinding>
    <Policy xmlns:wspe="http://www.w3.org/ns/ws-policy/extensions" wspe:ordering="mandated">
     ...
     <sp:IncludeTimestamp />
     <!-- not needed anymore -->
     <!--
     <sp:EncryptBeforeSigning />
     -->
     <sp:EncryptSignature />
     <sp:ProtectTokens />
   </Policy>
  </sp:AsymmetricBinding>
  <wsam:Addressing>...</wsam:Addressing>
  ...
</Policy>

Assertions like <sp:EncryptBeforeSigning /> allow policy authors to put all the relevant assertions in any order, but practically it does not matter, as the security runtime will know in what order to apply the related behaviors.
This is a hypothetical example, and I know it's unlikely to happen in case of WS-SecurityPolicy...

I don't have enough experience with complicated policies, and I can't even come up with a realistic example, but it seems that if the policy author could indicate in a simple way, without having to come up with custom assertions, the desired ordering of behaviors, then it will make the life for consumers easier too. 

Once again, I believe it's out of scope for the policy framework.

Thanks, Sergey

[1] http://lists.w3.org/Archives/Public/public-ws-policy/2007Oct/0010.html



----- Original Message ----- 
From: "Asir Vedamuthu" <asirveda@microsoft.com>
To: "David Orchard" <dorchard@bea.com>; <ashok.malhotra@oracle.com>
Cc: <public-ws-policy@w3.org>
Sent: Monday, October 15, 2007 12:21 AM
Subject: RE: Ordering of Assertions: Comment on WS-Policy Primer LCWD



Thank you Dave for asking the right question and keeping the discussion focused!


Replaying Dave's key question - when does the order of assertions in a policy alternative matter? Reading through the mail archive (~19 mails), it appears that no one has answered your question with "real" assertions.

I want to be super clear on facts ...

(a) Order of assertions in a policy alternative and order in which behaviors are applied are TWO distinct concepts (let's not conflate them).

The former is governed by the WS-Policy Framework [1] - says unordered.

The latter (order in which behaviors such as addressing, security, reliability and transaction is applied) is governed by SOAP and SOAP-based protocols [2]. The order of headers and body processing is at the DISCRETION of the SOAP node and SOAP headers may be used to control the order of processing.

(b) Order of assertions in a policy alternative has NO bearing on the order in which behaviors are applied [1].

(c) The WS-SecurityPolicy spec does NOT rely on the order of assertions in a policy alternative [3].

(d) The WS-Security spec provides producers with an option to use [encrypt, sign] or [sign, encrypt] [4]. The WS-SecurityPolicy spec provides assertions [5] to indicate the order of these cryptographic operations (runtime behavior) on a message.

Let's look at examples with "real" assertions. The order of assertions in the following policies P1-P4 (and their nested policies) is different but the policies are effectively the SAME.

P1)
<Policy>
  <sp:AsymmetricBinding>
    <Policy>
     ...
     <sp:IncludeTimestamp />
     <sp:EncryptBeforeSigning />
     <sp:EncryptSignature />
     <sp:ProtectTokens />
   </Policy>
  </sp:AsymmetricBinding>
  <wsam:Addressing>...</wsam:Addressing>
  ...
</Policy>

P2)
<Policy>
  <wsam:Addressing>...</wsam:Addressing>
  <sp:AsymmetricBinding>
    <Policy>
     ...
     <sp:IncludeTimestamp />
     <sp:EncryptBeforeSigning />
     <sp:EncryptSignature />
     <sp:ProtectTokens />
   </Policy>
  </sp:AsymmetricBinding>
  ...
</Policy>

P3)
<Policy>
  <wsam:Addressing>...</wsam:Addressing>
  <sp:AsymmetricBinding>
    <Policy>
     ...
     <sp:IncludeTimestamp />
     <sp:EncryptSignature />
     <sp:ProtectTokens />
     <sp:EncryptBeforeSigning />
   </Policy>
  </sp:AsymmetricBinding>
  ...
</Policy>

P4)
<Policy>
  <wsam:Addressing>...</wsam:Addressing>
  <sp:AsymmetricBinding>
    <Policy>
     ...
     <sp:EncryptBeforeSigning />
     <sp:IncludeTimestamp />
     <sp:EncryptSignature />
     <sp:ProtectTokens />
   </Policy>
  </sp:AsymmetricBinding>
  ...
</Policy>

[1] http://www.w3.org/TR/2007/REC-ws-policy-20070904/#rPolicy_Alternative
[2] http://www.w3.org/TR/2003/REC-soap12-part1-20030624/#procsoapmsgs
[3] http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826510
[4] WS-Security 1.1 - see section 8, lines 1173-1183 - "Finally, if a producer wishes to sign a message before encryption, then following the ordering rules laid out in section 5, "Security Header", they SHOULD first prepend the signature element to the <wsse:Security> header, and then prepend the encryption element, ... Likewise, if a producer wishes to sign a message after encryption, they SHOULD first prepend the encryption element to the <wsse:Security> header, and then prepend the signature element."
- http://www.oasis-open.org/committees/download.php/16790/wss-v1.1-spec-os-SOAPMessageSecurity.pdf
[5] http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826549

Regards,

Asir S Vedamuthu
Microsoft Corporation


-----Original Message-----
From: public-ws-policy-request@w3.org [mailto:public-ws-policy-request@w3.org] On Behalf Of David Orchard
Sent: Thursday, October 11, 2007 1:59 PM
To: ashok.malhotra@oracle.com
Cc: public-ws-policy@w3.org
Subject: RE: Ordering of Assertions: Comment on WS-Policy Primer LCWD


I asked my question first, and it's up to you to prove that work needs
to be done, not the other way around.  That said, you don't seem to have
any intention of answering my question as you've decided to respond to
my question with a question.  I learned from "Rosencrantz and
Guildenstern are dead" not to play the question game.

Cheers,
Dave

> -----Original Message-----
> From: ashok malhotra [mailto:ashok.malhotra@oracle.com]
> Sent: Thursday, October 11, 2007 1:33 PM
> To: David Orchard
> Cc: public-ws-policy@w3.org
> Subject: Re: Ordering of Assertions: Comment on WS-Policy Primer LCWD
>
> David:
> Please answer the question.  Is it your position that there
> are no Policies where the order in which the assertions
> within a Policy Alternative are applied is important?
>
> Ashok
>
> David Orchard wrote:
>
> >I think the onus is on you to prove something, rather than me to prove
> >nothing, especially if you want the WG to do something.
> >
> >I know you are arguing that some policies need ordering. I'm arguing
> >you need to show some policies that need ordering.
> >
> >Cheers,
> >Dave
> >
> >>-----Original Message-----
> >>From: ashok malhotra [mailto:ashok.malhotra@oracle.com]
> >>Sent: Thursday, October 11, 2007 3:28 AM
> >>To: David Orchard
> >>Cc: public-ws-policy@w3.org
> >>Subject: Re: Ordering of Assertions: Comment on WS-Policy Primer LCWD
> >>
> >>I'll make it still shorter:
> >>
> >>I'm arguing that SOME policies need ordering.  The Policy Framework
> >>says so and the fact that there are ordering assertions in WS
> >>SecurityPolicy confirms this.
> >>
> >>Are you arguing that NO policies need ordering?
> >>
> >>Ashok
> >>
> >>David Orchard wrote:
> >>
> >>>I'll make my note even shorter.
> >>>
> >>>What situations are those?
> >>>
> >>>For the 2nd time, you have failed to specify a single situation that
> >>>requires a change to WS-Policy.  You've described a problem that
> >>>already has a solution and quotes from other people but those are not
> >>>answers to my question.
> >>>
> >>>In the absence of any real-world problem, the obvious thing for
> >>>WS-Policy WG to do is to close with no action.
> >>>
> >>>Cheers,
> >>>Dave
> >>>
> >>>>-----Original Message-----
> >>>>From: ashok malhotra [mailto:ashok.malhotra@oracle.com]
> >>>>Sent: Wednesday, October 10, 2007 1:59 PM
> >>>>To: David Orchard
> >>>>Cc: public-ws-policy@w3.org
> >>>>Subject: Re: Ordering of Assertions: Comment on WS-Policy Primer LCWD
> >>>>
> >>>>Hi Dave:
> >>>>I used the fact that WS-SecurityPolicy discusses order to motivate the
> >>>>need for order in at least some policies.
> >>>>I also quoted from the note from Tony Rogers. Subsequently, there was
> >>>>a note from Bob Natale who agrees that order is important but does not
> >>>>like the solution I suggested.
> >>>>
> >>>>What needs to be made clear is that order is not important in all
> >>>>policies, but there are situations where it is important and for these
> >>>>situations we need a solution.
> >>>>
> >>>>Ashok
> >>>>
> >>>>David Orchard wrote:
> >>>>
> >>>>>>-----Original Message-----
> >>>>>>From: public-ws-policy-request@w3.org
> >>>>>>[mailto:public-ws-policy-request@w3.org] On Behalf Of ashok malhotra
> >>>>>>Sent: Wednesday, October 10, 2007 9:56 AM
> >>>>>>To: public-ws-policy@w3.org
> >>>>>>Subject: Ordering of Assertions: Comment on WS-Policy Primer LCWD
> >>>>>>
> >>>>><snip/>
> >>>>>
> >>>>>>In many cases the
> >>>>>>order in which assertions are processed may not matter, but where it
> >>>>>>does matter do we need to specify a special assertion for every pair
> >>>>>>of assertions that need to be ordered? Clearly, this is not feasible
> >>>>>>as the Policy processing engine will need to be updated whenever a new
> >>>>>>ordering assertion is added. So, what we need is a general-purpose
> >>>>>>ordering assertion.
> >>>>>>
> >>>>>Your note jumps from assumption to conclusion to design with great
> >>>>>speed, indeed from assumption to conclusion within 3 sentences.  Those
> >>>>>3 fleety sentences do not answer my previous email's central question of
> >>>>>"when does order matter?".  In case my question was missed, perhaps
> >>>>>because of burdensome length of my previous message, I'll ask again more
> >>>>>succinctly:
> >>>>>
> >>>>>When does order matter?
> >>>>>
> >>>>>Until the use case is agreed by the WG, design discussions are very
> >>>>>premature IMHO.
> >>>>>
> >>>>>Cheers,
> >>>>>Dave
> >>>>>
> >>>>--
> >>>>All the best, Ashok
> >>>>
> >>--
> >>All the best, Ashok
> >>
>
> --
> All the best, Ashok
>

----------------------------
IONA Technologies PLC (registered in Ireland)
Registered Number: 171387
Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland

Received on Monday, 15 October 2007 09:54:00 UTC
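
Added example, not part of the thread or of any WS-Policy implementation: a sketch of the two views discussed above, an order-insensitive comparison under which P1-P4 are the same policy, and a consumer that reads Sergey's hypothetical wspe:ordering attribute as an ordering hint. The sample policies are constructed from the messages with the elided ("...") parts dropped; the helper names and the decision to ignore attributes when comparing are assumptions.

```python
import xml.etree.ElementTree as ET

WSP = "http://www.w3.org/ns/ws-policy"
WSPE = "http://www.w3.org/ns/ws-policy/extensions"  # hypothetical, from Sergey's example
NS = (f'xmlns="{WSP}" xmlns:wspe="{WSPE}" '
      'xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" '
      'xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"')

def make_policy(binding_first, nested, ordering=None):
    """Constructed sample: a policy shaped like P1-P4 with the elided parts dropped."""
    hint = f' wspe:ordering="{ordering}"' if ordering else ""
    inner = "".join(f"<sp:{name}/>" for name in nested)
    parts = [f"<sp:AsymmetricBinding><Policy{hint}>{inner}</Policy></sp:AsymmetricBinding>",
             "<wsam:Addressing/>"]
    if not binding_first:
        parts.reverse()
    return f"<Policy {NS}>{''.join(parts)}</Policy>"

def canonical(elem):
    """Order-insensitive form: tag plus the sorted canonical forms of the children.
    Attributes (including the ordering hint) are ignored; a simplification."""
    return (elem.tag, tuple(sorted(canonical(child) for child in elem)))

def same_policy(a, b):
    """Framework view: sibling order inside an alternative is not significant."""
    return canonical(ET.fromstring(a)) == canonical(ET.fromstring(b))

def behavior_order(policy_xml):
    """Consumer view: document order of nested assertions, only if the hint is set."""
    for pol in ET.fromstring(policy_xml).iter(f"{{{WSP}}}Policy"):
        if pol.get(f"{{{WSPE}}}ordering") == "mandated":
            return [child.tag.split("}", 1)[1] for child in pol]
    return None

BASE = ["IncludeTimestamp", "EncryptBeforeSigning", "EncryptSignature", "ProtectTokens"]
P1 = make_policy(True, BASE)
P2 = make_policy(False, BASE)
P3 = make_policy(False, BASE[:1] + BASE[2:] + BASE[1:2])
P4 = make_policy(False, BASE[1:2] + BASE[:1] + BASE[2:])
HINTED = make_policy(True, BASE[:1] + BASE[2:], ordering="mandated")

if __name__ == "__main__":
    print([same_policy(P1, p) for p in (P2, P3, P4)])
    print(same_policy(P1, HINTED), behavior_order(P1), behavior_order(HINTED))
```

The hinted policy compares unequal to P1 only because it omits sp:EncryptBeforeSigning, not because of the attribute or the order of its children.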