- From: Natale, Bob <RNATALE@mitre.org>
- Date: Mon, 15 Oct 2007 08:56:48 -0400
- To: "Sergey Beryozkin" <sergey.beryozkin@iona.com>, "David Orchard" <dorchard@bea.com>, "Ashok Malhotra" <ashok.malhotra@oracle.com>, "Asir Vedamuthu" <asirveda@microsoft.com>
- Cc: <public-ws-policy@w3.org>
- Message-ID: <4915F014FDD99049A9C3A8C1B832004F02333B7A@IMCSRV2.MITRE.ORG>
Hi Sergey,

Thanks for your thoughtful follow-ups on this topic.

- I would concede that if as a last call issue ordering would cause serious disruption to the approval process, then it is out of scope for the policy framework, given the rules of engagement in place to date. (For the record, I have been on the other end of managing the "Johnny-come-lately" radical suggestions near the end of long and laborious SDO consensus-building efforts -- it's rarely pleasant. :)

- Using an extension attribute approach is fine with me.

Now, given those two actionable statements, what follows is just for background consideration (i.e., IMHO and FWIW):

- As noted in your example (sp:EncryptBeforeSigning /) to Asir today, any arbitrary desired or required ordering can be crafted as an assertion. However, this has two defects:
-- For verification and reuse purposes, assertions should be as atomic as possible
-- Some policies in large environments supporting diverse missions of multiple priorities will be, of necessity, extremely complex, and ordering (both recommended and mandatory) will be essential to policy authors in those environments:
--- crafting individual assertions to control ordering will quickly become impractical in those cases
--- having to use a multiplicity of domain-specific ordering syntaxes will also become impractical in those cases

- The Policy Framework rules of engagement should have included the notion of supporting policy composition for the kinds of environments and missions referred to above.

- In general, we'd like to identify errors/exceptions as early as possible in a system...the first line of defense for ordering errors would be the policy editing tools, the next should be as close (downstream) to the policy engine, if not the policy engine itself.

Cheers,
BobN

________________________________

From: Sergey Beryozkin [mailto:sergey.beryozkin@iona.com]
Sent: Monday, October 15, 2007 6:12 AM
To: Natale, Bob; David Orchard; Ashok Malhotra
Cc: public-ws-policy@w3.org
Subject: Re: Ordering of Assertions: Comment on WS-Policy Primer LCWD

Hi Bob

I'm thinking that may be a single value for an attribute like this one would do. I'm fine with "mandated" for ex. Furthermore I believe any enforcement is out of scope for the policy framework, as it's not the engine's responsibility to enforce any behaviors associated with given policy assertions. Given this, I feel an attribute like this is kind of extension to the core policy schema because whatever in the core schema defines has some meaning to the policy engine. For example :

    <Policy wspe:ordering="mandated" xmlns:wspe="www.w3.org/ms/ws-policy/extensions">
      <A/>
      <B/>
    </Policy>

Basically, we're just using an extension attribute (thanks to the extensibility available through the core schema) to convey the policy author's hint to the consumer entity which interacts with the policy engine. As far as the policy engine is concerned, it does not know what wspe:ordering="mandated" means. On the other hand, the entity which understands this extension is given a hint that the ordering of behaviors is the same as the order of corresponding assertions.

I don't think though that a consumer which understands this extension needs to throw exceptions. It's too strict. For ex, policy unaware consumer can still talk to the policy-aware provider, it's up to the provider to verify and enforce that the consumer has done things as expected...

So I'm kind of positive about an extension like this one. What bothers :-) me a bit though : is it really a last call issue given that it's out of scope for the framework ? Do you agree it's out of scope for the framework ?

Thanks, Sergey

----- Original Message -----
From: Natale, Bob <RNATALE@mitre.org>
To: Sergey Beryozkin <sergey.beryozkin@iona.com> ; David Orchard <dorchard@bea.com> ; Ashok Malhotra <ashok.malhotra@oracle.com>
Cc: public-ws-policy@w3.org
Sent: Friday, October 12, 2007 5:44 PM
Subject: RE: Ordering of Assertions: Comment on WS-Policy Primer LCWD

Hi Sergey,

As far as I can tell now, your suggested approach would satisfy my needs -- with one possible addition: Add "mandatory" (along with "recommended") as a possible value for "ordering"...the meaning being that the client must either observe the ordering or, if unable or unwilling to do so, reject the policy.

For the domain in which I work, being able to explicitly declare policymaker intent at the highest level in a clear and simple way is a prerequisite to broader and deeper implementation of policy-based management. Lower-level restrictions on how that policy might get implemented, as long as they are known up-front, can be accommodated.

Cheers,
BobN

________________________________

From: Sergey Beryozkin [mailto:sergey.beryozkin@iona.com]
Sent: Friday, October 12, 2007 12:27 PM
To: Natale, Bob; David Orchard; Ashok Malhotra
Cc: public-ws-policy@w3.org
Subject: Re: Ordering of Assertions: Comment on WS-Policy Primer LCWD

Hi

As far as I understand, you believe that in those cases when it matters a solution at a framework level would be more efficient than a solution involving domain-specific policy assertions. It might be more efficient indeed, as far as a generic hint is concerned. I'd say that it won't make more efficient with respect to what happens afterwards, with what runtime/engine actually does with this hint.

Nonetheless, if there were a push for a solution at the framework level in v.next then I'd suggest something like :

    <wsp:Policy>
      <wsp:All acme:ordering="recommended">
        <B/>
        <A/>
      </wsp:All>
    </wsp:Policy>

acme:ordering="recommended" can be placed on any WS-Policy language operator in which case the rule would be for it to propagate down to all <All> descendants at the normalization time. This does not affect the intersection.

acme:ordering="recommended" is just a hint, the consumer still has to verify it makes sense and is free to ignore this hint. For ex, a consumer dealing with RM and WS-Security may notice this hint or may not. Say, when it encounters

    <wsp:Policy acme:ordering="recommended">
      <WS-Security/>
      <WS-RM/>
    </wsp:Policy>

then it can either reject this policy or ignore the hint and do WS-RM first and only then do WS-Security. What the consumer does is out of scope for the framework.

Using an attribute like acme:ordering (wsp:ordering) would be much less intrusive, much less complex and more neutral than introducing a general purpose ordering operator.

Cheers, Sergey

----- Original Message -----
From: "Natale, Bob" <RNATALE@mitre.org>
To: "David Orchard" <dorchard@bea.com>; <ashok.malhotra@oracle.com>
Cc: <public-ws-policy@w3.org>
Sent: Thursday, October 11, 2007 10:19 PM
Subject: RE: Ordering of Assertions: Comment on WS-Policy Primer LCWD

Ok, Dave, I'll bite...although I have to say that Ashok's original existence proofs (recognition in the Policy Framework and realization in SecurityPolicy) strike me as sufficient basis for having to prove the counter-argument rather than the pro-argument.

And, yes, I can think of multiple ways to achieve the objective of policy ordering without adding an operator-like feature to WS-Policy (e.g., multiple domain-specific ordering constructs, presumed run-time engine omniscience, etc.)...they just all seem less efficient and intuitive to me.

So, for a very generic data processing context, I might want instances of the following set of policies (sometimes in recursive relationships):

- someCollectionPolicy
- someFilteringPolicy
- someAggregationPolicy
- someCorrelationPolicy
- someTaggingPolicy
- someSortingPolicy
- someClassificationPolicy
- someStoragePolicy
- someRetentionPolicy (which is also inherently someDeletionPolicy)

The order in which some of these policies are applied in some data processing contexts could be significant, it would seem to me...?

Examples from the SCA Policy realm also come to mind. Actually, many do, especially when considering dynamically constructed digital run-time policies in response to changing real-world circumstances (e.g., in the network management realm).

Cheers,
BobN

-----Original Message-----
From: public-ws-policy-request@w3.org [mailto:public-ws-policy-request@w3.org] On Behalf Of David Orchard
Sent: Thursday, October 11, 2007 4:59 PM
To: ashok.malhotra@oracle.com
Cc: public-ws-policy@w3.org
Subject: RE: Ordering of Assertions: Comment on WS-Policy Primer LCWD

I asked my question first, and it's up to you to prove that work needs to be done, not the other way around.

That said, you don't seem to have any intention of answering my question as you've decided to respond to my question with a question. I learned from "Rosencrantz and Guildenstern are dead" not to play the question game.

Cheers,
Dave

> -----Original Message-----
> From: ashok malhotra [mailto:ashok.malhotra@oracle.com]
> Sent: Thursday, October 11, 2007 1:33 PM
> To: David Orchard
> Cc: public-ws-policy@w3.org
> Subject: Re: Ordering of Assertions: Comment on WS-Policy Primer LCWD
>
> David:
> Please answer the question. Is it your position that there are no Policies where the order in which the assertions within a Policy Alternative are applied is important?
>
> Ashok
>
> David Orchard wrote:
>
> >I think the onus is on you to prove something, rather than me to prove nothing, especially if you want the WG to do something.
> >
> >I know you are arguing that some policies need ordering. I'm arguing you need to show some policies that need ordering.
> >
> >Cheers,
> >Dave
> >
> >>-----Original Message-----
> >>From: ashok malhotra [mailto:ashok.malhotra@oracle.com]
> >>Sent: Thursday, October 11, 2007 3:28 AM
> >>To: David Orchard
> >>Cc: public-ws-policy@w3.org
> >>Subject: Re: Ordering of Assertions: Comment on WS-Policy Primer LCWD
> >>
> >>I'll make it still shorter:
> >>
> >>I'm arguing that SOME policies need ordering. The Policy Framework says so and the fact that there are ordering assertions in WS SecurityPolicy confirms this.
> >>
> >>Are you arguing that NO policies need ordering?
> >>
> >>Ashok
> >>
> >>David Orchard wrote:
> >>
> >>>I'll make my note even shorter.
> >>>
> >>>What situations are those?
> >>>
> >>>For the 2nd time, you have failed to specify a single situation that requires a change to WS-Policy. You've described a problem that already has a solution and quotes from other people but those are not answers to my question.
> >>>
> >>>In the absence of any real-world problem, the obvious thing for WS-Policy WG to do is to close with no action.
> >>>
> >>>Cheers,
> >>>Dave
> >>>
> >>>>-----Original Message-----
> >>>>From: ashok malhotra [mailto:ashok.malhotra@oracle.com]
> >>>>Sent: Wednesday, October 10, 2007 1:59 PM
> >>>>To: David Orchard
> >>>>Cc: public-ws-policy@w3.org
> >>>>Subject: Re: Ordering of Assertions: Comment on WS-Policy Primer LCWD
> >>>>
> >>>>Hi Dave:
> >>>>I used the fact that WS-SecurityPolicy discusses order to motivate the need for order in at least some policies.
> >>>>I also quoted from the note from Tony Rogers. Subsequently, there was a note from Bob Natale who agrees that order is important but does not like the solution I suggested.
> >>>>
> >>>>What needs to be made clear is that order is not important in all policies, but there are situations where it is important and for these situations we need a solution.
> >>>>
> >>>>Ashok
> >>>>
> >>>>David Orchard wrote:
> >>>>
> >>>>>>-----Original Message-----
> >>>>>>From: public-ws-policy-request@w3.org [mailto:public-ws-policy-request@w3.org] On Behalf Of ashok malhotra
> >>>>>>Sent: Wednesday, October 10, 2007 9:56 AM
> >>>>>>To: public-ws-policy@w3.org
> >>>>>>Subject: Ordering of Assertions: Comment on WS-Policy Primer LCWD
> >>>>>>
> >>>>><snip/>
> >>>>>
> >>>>>>In many cases the order in which assertions are processed may not matter, but where it does matter do we need to specify a special assertion for every pair of assertions that need to be ordered? Clearly, this is not feasible as the Policy processing engine will need to be updated whenever a new ordering assertion is added. So, what we need is a general-purpose ordering assertion.
> >>>>>>
> >>>>>Your note jumps from assumption to conclusion to design with great speed, indeed from assumption to conclusion within 3 sentences. Those 3 fleety sentences do not answer my previous email's central question of "when does order matter?".
> >>>>>In case my question was missed, perhaps because of burdensome length of my previous message, I'll ask again more succinctly:
> >>>>>
> >>>>>When does order matter?
> >>>>>
> >>>>>Until the use case is agreed by the WG, design discussions are very premature IMHO.
> >>>>>
> >>>>>Cheers,
> >>>>>Dave
> >>>>>
> >>>>--
> >>>>All the best, Ashok
> >>>>
> >>--
> >>All the best, Ashok
> >>
> --
> All the best, Ashok
>

----------------------------
IONA Technologies PLC (registered in Ireland)
Registered Number: 171387
Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland

Received on Monday, 15 October 2007 12:57:10 UTC
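
The ordering attribute discussed in this thread, worked through as an added example that is not part of the original messages or of any WS-Policy implementation: it propagates the attribute from policy operators down to each `wsp:All` alternative and then applies the provider-side check the thread describes. Assumptions: the `urn:example:acme` namespace URI, the function names, the rule that a nearer attribute value overrides an inherited one, and a policy already in normal form are all hypothetical; the sample policy is constructed.

```python
import xml.etree.ElementTree as ET

WSP = "http://www.w3.org/ns/ws-policy"   # WS-Policy 1.5 namespace
ACME = "urn:example:acme"                # assumed URI for the thread's acme: prefix
ORDERING = f"{{{ACME}}}ordering"
OPERATORS = {f"{{{WSP}}}{name}" for name in ("Policy", "ExactlyOne", "All")}
MANDATED = {"mandated", "mandatory"}     # both spellings appear in the thread

# Constructed sample policy in normal form (Policy / ExactlyOne / All).
SAMPLE = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:acme="{ACME}" acme:ordering="mandated">
  <wsp:ExactlyOne>
    <wsp:All><Encrypt/><Sign/></wsp:All>
    <wsp:All acme:ordering="recommended"><B/><A/></wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>"""


def ordered_alternatives(xml_text):
    """Return [(hint, [assertion names in document order])], one per wsp:All."""
    alternatives = []

    def walk(element, inherited):
        # The attribute propagates down from any operator; assumption: a nearer value wins.
        hint = element.get(ORDERING, inherited)
        if element.tag == f"{{{WSP}}}All":
            names = [c.tag.split("}")[-1] for c in element if c.tag not in OPERATORS]
            alternatives.append((hint, names))
        for child in element:
            if child.tag in OPERATORS:
                walk(child, hint)

    walk(ET.fromstring(xml_text), None)
    return alternatives


def verdict(hint, declared, performed):
    """Provider-side decision on the order in which a consumer applied behaviours."""
    followed = [a for a in performed if a in declared] == declared
    if followed or hint is None:
        return "accept"
    if hint in MANDATED:
        return "reject"               # mandated order was not observed
    return "accept-hint-ignored"      # "recommended" is only a hint


if __name__ == "__main__":
    for hint, names in ordered_alternatives(SAMPLE):
        print(hint, names, verdict(hint, names, list(reversed(names))))
```

The policy engine itself never interprets the attribute here; only the consumer or provider code that understands the extension does, which matches the division of responsibility argued for in the thread.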