- From: Sergey Beryozkin <sergey.beryozkin@iona.com>
- Date: Mon, 15 Oct 2007 16:11:33 +0100
- To: <ashok.malhotra@oracle.com>, "Asir Vedamuthu" <asirveda@microsoft.com>
- Cc: "David Orchard" <dorchard@bea.com>, <public-ws-policy@w3.org>
- Message-ID: <014601c80f3d$abeb5ed0$e002050a@pcgroupiona.com>
Hi Ashok

Do you agree with this statement:

>>(a) Order of assertions in a policy alternative and order in which behaviors are applied are TWO distinct concepts

I believe the SOAP example was given to demonstrate this idea...

Cheers, Sergey

>
> Asir:
> It is reductive to think of WS-Policy only in terms of its applicability
> to SOAP messages and headers. It applies equally well to other message
> formats and, more importantly, can be used to control and configure many
> other aspects of web services.
>
> Ashok
>
> Asir Vedamuthu wrote:
>
>>Thank you Dave for asking the right question and keeping the discussion focused!
>>
>>Replaying Dave's key question - when does the order of assertions in a policy alternative matter? Reading through the mail archive (~19 mails), it appears that no one has answered your question with "real" assertions.
>>
>>I want to be super clear on facts ...
>>
>>(a) Order of assertions in a policy alternative and order in which behaviors are applied are TWO distinct concepts (let's not conflate them).
>>
>>The former is governed by the WS-Policy Framework [1] - says unordered.
>>
>>The latter (order in which behaviors such as addressing, security, reliability and transaction is applied) is governed by SOAP and SOAP-based protocols [2]. The order of headers and body processing is at the DISCRETION of the SOAP node and SOAP headers may be used to control the order of processing.
>>
>>(b) Order of assertions in a policy alternative has NO bearing on the order in which behaviors are applied [1].
>>
>>(c) The WS-SecurityPolicy spec does NOT rely on the order of assertions in a policy alternative [3].
>>
>>(d) The WS-Security spec provides producers with an option to use [encrypt, sign] or [sign, encrypt] [4]. The WS-SecurityPolicy spec provides assertions [5] to indicate the order of these cryptographic operations (runtime behavior) on a message.
>>
>>Let's look at examples with "real" assertions.
>>The order of assertions in the following policies P1-P4 (and their nested policies) are different but the policies are effectively the SAME.
>>
>>P1)
>><Policy>
>>  <sp:AsymmetricBinding>
>>    <Policy>
>>      ...
>>      <sp:IncludeTimestamp />
>>      <sp:EncryptBeforeSigning />
>>      <sp:EncryptSignature />
>>      <sp:ProtectTokens />
>>    </Policy>
>>  </sp:AsymmetricBinding>
>>  <wsam:Addressing>...</wsam:Addressing>
>>  ...
>></Policy>
>>
>>P2)
>><Policy>
>>  <wsam:Addressing>...</wsam:Addressing>
>>  <sp:AsymmetricBinding>
>>    <Policy>
>>      ...
>>      <sp:IncludeTimestamp />
>>      <sp:EncryptBeforeSigning />
>>      <sp:EncryptSignature />
>>      <sp:ProtectTokens />
>>    </Policy>
>>  </sp:AsymmetricBinding>
>>  ...
>></Policy>
>>
>>P3)
>><Policy>
>>  <wsam:Addressing>...</wsam:Addressing>
>>  <sp:AsymmetricBinding>
>>    <Policy>
>>      ...
>>      <sp:IncludeTimestamp />
>>      <sp:EncryptSignature />
>>      <sp:ProtectTokens />
>>      <sp:EncryptBeforeSigning />
>>    </Policy>
>>  </sp:AsymmetricBinding>
>>  ...
>></Policy>
>>
>>P4)
>><Policy>
>>  <wsam:Addressing>...</wsam:Addressing>
>>  <sp:AsymmetricBinding>
>>    <Policy>
>>      ...
>>      <sp:EncryptBeforeSigning />
>>      <sp:IncludeTimestamp />
>>      <sp:EncryptSignature />
>>      <sp:ProtectTokens />
>>    </Policy>
>>  </sp:AsymmetricBinding>
>>  ...
>></Policy>
>>
>>[1] http://www.w3.org/TR/2007/REC-ws-policy-20070904/#rPolicy_Alternative
>>[2] http://www.w3.org/TR/2003/REC-soap12-part1-20030624/#procsoapmsgs
>>[3] http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826510
>>[4] WS-Security 1.1 - see section 8, lines 1173-1183 - " "Finally, if a producer wishes to sign a message before encryption, then following the ordering rules laid out in section 5, "Security Header", they SHOULD first prepend the signature element to the <wsse:Security> header, and then prepend the encryption element, ...
>>Likewise, if a producer wishes to sign a message after encryption, they SHOULD first prepend the encryption element to the <wsse:Security> header, and then prepend the signature element." "
>>- http://www.oasis-open.org/committees/download.php/16790/wss-v1.1-spec-os-SOAPMessageSecurity.pdf
>>[5] http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826549
>>
>>Regards,
>>
>>Asir S Vedamuthu
>>Microsoft Corporation
>>
>>
>>-----Original Message-----
>>From: public-ws-policy-request@w3.org [mailto:public-ws-policy-request@w3.org] On Behalf Of David Orchard
>>Sent: Thursday, October 11, 2007 1:59 PM
>>To: ashok.malhotra@oracle.com
>>Cc: public-ws-policy@w3.org
>>Subject: RE: Ordering of Assertions: Comment on WS-Policy Primer LCWD
>>
>>I asked my question first, and it's up to you to prove that work needs
>>to be done, not the other way around. That said, you don't seem to have
>>any intention of answering my question as you've decided to respond to
>>my question with a question. I learned from "Rosencrantz and
>>Guildenstern are dead" not to play the question game.
>>
>>Cheers,
>>Dave
>>
>>>-----Original Message-----
>>>From: ashok malhotra [mailto:ashok.malhotra@oracle.com]
>>>Sent: Thursday, October 11, 2007 1:33 PM
>>>To: David Orchard
>>>Cc: public-ws-policy@w3.org
>>>Subject: Re: Ordering of Assertions: Comment on WS-Policy Primer LCWD
>>>
>>>David:
>>>Please answer the question. Is it your position that there
>>>are no Policies where the order in which the assertions
>>>within a Policy Alternative are applied is important?
>>>
>>>Ashok
>>>
>>>David Orchard wrote:
>>>
>>>>I think the onus is on you to prove something, rather than me to prove nothing, especially if you want the WG to do something.
>>>>
>>>>I know you are arguing that some policies need ordering. I'm arguing you need to show some policies that need ordering.
>>>>
>>>>Cheers,
>>>>Dave
>>>>
>>>>>-----Original Message-----
>>>>>From: ashok malhotra [mailto:ashok.malhotra@oracle.com]
>>>>>Sent: Thursday, October 11, 2007 3:28 AM
>>>>>To: David Orchard
>>>>>Cc: public-ws-policy@w3.org
>>>>>Subject: Re: Ordering of Assertions: Comment on WS-Policy Primer LCWD
>>>>>
>>>>>I'll make it still shorter:
>>>>>
>>>>>I'm arguing that SOME policies need ordering. The Policy Framework
>>>>>says so and the fact that there are ordering assertions in WS
>>>>>SecurityPolicy confirms this.
>>>>>
>>>>>Are you arguing that NO policies need ordering?
>>>>>
>>>>>Ashok
>>>>>
>>>>>David Orchard wrote:
>>>>>
>>>>>>I'll make my note even shorter.
>>>>>>
>>>>>>What situations are those?
>>>>>>
>>>>>>For the 2nd time, you have failed to specify a single situation that requires a change to WS-Policy. You've described a problem that already has a solution and quotes from other people but those are not answers to my question.
>>>>>>
>>>>>>In the absence of any real-world problem, the obvious thing for
>>>>>>WS-Policy WG to do is to close with no action.
>>>>>>
>>>>>>Cheers,
>>>>>>Dave
>>>>>>
>>>>>>>-----Original Message-----
>>>>>>>From: ashok malhotra [mailto:ashok.malhotra@oracle.com]
>>>>>>>Sent: Wednesday, October 10, 2007 1:59 PM
>>>>>>>To: David Orchard
>>>>>>>Cc: public-ws-policy@w3.org
>>>>>>>Subject: Re: Ordering of Assertions: Comment on WS-Policy Primer LCWD
>>>>>>>
>>>>>>>Hi Dave:
>>>>>>>I used the fact that WS-SecurityPolicy discusses order to motivate the need for order in at least some policies.
>>>>>>>I also quoted from the note from Tony Rogers.
>>>>>>>Subsequently, there was a note from Bob Natale who agrees that order is important but does not like the solution I suggested.
>>>>>>>
>>>>>>>What needs to be made clear is that order is not important in all
>>>>>>>policies, but there are situations where it is important and for these situations we need a solution.
>>>>>>>
>>>>>>>Ashok
>>>>>>>
>>>>>>>David Orchard wrote:
>>>>>>>
>>>>>>>>>-----Original Message-----
>>>>>>>>>From: public-ws-policy-request@w3.org
>>>>>>>>>[mailto:public-ws-policy-request@w3.org] On Behalf Of ashok malhotra
>>>>>>>>>Sent: Wednesday, October 10, 2007 9:56 AM
>>>>>>>>>To: public-ws-policy@w3.org
>>>>>>>>>Subject: Ordering of Assertions: Comment on WS-Policy Primer LCWD
>>>>>>>>>
>>>>>>>><snip/>
>>>>>>>>
>>>>>>>>>In many cases the order in which assertions are processed may not matter, but where it does matter do we need to specify a special assertion for every pair of assertions that need to be ordered?
>>>>>>>>>Clearly, this is not feasible as the Policy processing engine will need to be updated whenever a new ordering assertion is added. So, what we need is a general-purpose ordering assertion.
>>>>>>>>>
>>>>>>>>Your note jumps from assumption to conclusion to design with great speed, indeed from assumption to conclusion within 3 sentences. Those 3 fleety sentences do not answer my previous email's central question of "when does order matter?". In case my question was missed, perhaps because of burdensome length of my previous message, I'll ask again more succinctly:
>>>>>>>>
>>>>>>>>When does order matter?
>>>>>>>>
>>>>>>>>Until the use case is agreed by the WG, design discussions are very premature IMHO.
>>>>>>>>
>>>>>>>>Cheers,
>>>>>>>>Dave
>>>>>>>>
>>>>>>>--
>>>>>>>All the best, Ashok
>>>>>>>
>>>>>--
>>>>>All the best, Ashok
>>>>>
>>>--
>>>All the best, Ashok
>>>
>
> --
> All the best, Ashok

----------------------------
IONA Technologies PLC (registered in Ireland)
Registered Number: 171387
Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland
Received on Monday, 15 October 2007 15:13:08 UTC
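
The distinction drawn in the thread above, between the order of assertions in a policy alternative and the order in which the cryptographic operations are applied, shown as an added example that is not part of the original messages or of any WS-Policy implementation. The helper names (build, canonical, protection_order), the contrast policy P5 and the namespace URIs are assumptions of this sketch; P1-P4 are rebuilt from the quoted policies with the parts the mail elides as "..." left out.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {
    "wsp": "http://www.w3.org/ns/ws-policy",
    "sp": "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",
    "wsam": "http://www.w3.org/2007/05/addressing/metadata",
}
XMLNS = " ".join('xmlns:%s="%s"' % item for item in NS.items())
TS, EBS, ES, PT = ("IncludeTimestamp", "EncryptBeforeSigning",
                   "EncryptSignature", "ProtectTokens")

def build(binding_first, inner):
    """Constructed sample policy; the parts the mail elides with '...' are omitted."""
    nested = "".join("<sp:%s/>" % name for name in inner)
    binding = ("<sp:AsymmetricBinding><wsp:Policy>%s</wsp:Policy>"
               "</sp:AsymmetricBinding>" % nested)
    addressing = "<wsam:Addressing><wsp:Policy/></wsam:Addressing>"
    parts = [binding, addressing] if binding_first else [addressing, binding]
    return ET.fromstring("<wsp:Policy %s>%s</wsp:Policy>" % (XMLNS, "".join(parts)))

def canonical(elem):
    """Order-insensitive form: element name plus the multiset of its children.
    Simplification: attributes and text content are ignored."""
    children = Counter(canonical(child) for child in elem)
    return (elem.tag, frozenset(children.items()))

def protection_order(policy):
    """Runtime order of the crypto operations, read from which assertion is
    present in the binding, never from where it sits among its siblings."""
    nested = policy.find("sp:AsymmetricBinding/wsp:Policy", NS)
    if nested is None:
        raise ValueError("no sp:AsymmetricBinding with a nested policy")
    if nested.find("sp:EncryptBeforeSigning", NS) is not None:
        return ["encrypt", "sign"]
    return ["sign", "encrypt"]  # WS-SecurityPolicy default: sign before encrypting

P1 = build(True, [TS, EBS, ES, PT])
P2 = build(False, [TS, EBS, ES, PT])
P3 = build(False, [TS, ES, PT, EBS])
P4 = build(False, [EBS, TS, ES, PT])
P5 = build(False, [TS, ES, PT])  # constructed contrast: EncryptBeforeSigning removed

if __name__ == "__main__":
    print(len({canonical(p) for p in (P1, P2, P3, P4)}))  # distinct forms of P1-P4
    print(canonical(P5) == canonical(P1), protection_order(P1), protection_order(P5))
```

A policy comparison or intersection routine that used document order instead of this kind of unordered form would treat P1-P4 as four different policies, while only P5 actually changes the required protection order.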