- From: David Orchard <dorchard@bea.com>
- Date: Mon, 15 Oct 2007 12:37:00 -0700
- To: <ashok.malhotra@oracle.com>, "Asir Vedamuthu" <asirveda@microsoft.com>
- Cc: <public-ws-policy@w3.org>
Reductive, but practical. I don't remember you or anybody else suggesting a review from a group that is doing non-SOAP messages and headers and using Policy as metadata. Somehow I'm thinking that we aren't going to get a flurry of comments from REST centric folks for what WS-Policy needs to do for them.

Cheers,
Dave

> -----Original Message-----
> From: ashok malhotra [mailto:ashok.malhotra@oracle.com]
> Sent: Monday, October 15, 2007 7:31 AM
> To: Asir Vedamuthu
> Cc: David Orchard; public-ws-policy@w3.org
> Subject: Re: Ordering of Assertions: Comment on WS-Policy Primer LCWD
>
> Asir:
> It is reductive to think of WS-Policy only in terms of its
> applicability to SOAP messages and headers. It applies
> equally well to other message formats and, more importantly,
> can be used to control and configure many other aspects of
> web services.
>
> Ashok
>
> Asir Vedamuthu wrote:
>
> >Thank you Dave for asking the right question and keeping the
> >discussion focused!
> >
> >Replaying Dave's key question - when does the order of assertions
> >in a policy alternative matter? Reading through the mail archive
> >(~19 mails), it appears that no one has answered your question
> >with "real" assertions.
> >
> >I want to be super clear on facts ...
> >
> >(a) Order of assertions in a policy alternative and order in which
> >behaviors are applied are TWO distinct concepts (let's not conflate
> >them).
> >
> >The former is governed by the WS-Policy Framework [1] - says
> >unordered.
> >
> >The latter (order in which behaviors such as addressing, security,
> >reliability and transaction is applied) is governed by SOAP and
> >SOAP-based protocols [2]. The order of headers and body processing
> >is at the DISCRETION of the SOAP node and SOAP headers may be used
> >to control the order of processing.
> >
> >(b) Order of assertions in a policy alternative has NO bearing on
> >the order in which behaviors are applied [1].
> >
> >(c) The WS-SecurityPolicy spec does NOT rely on the order of
> >assertions in a policy alternative [3].
> >
> >(d) The WS-Security spec provides producers with an option to use
> >[encrypt, sign] or [sign, encrypt] [4]. The WS-SecurityPolicy spec
> >provides assertions [5] to indicate the order of these
> >cryptographic operations (runtime behavior) on a message.
> >
> >Let's look at examples with "real" assertions. The order of
> >assertions in the following policies P1-P4 (and their nested
> >policies) are different but the policies are effectively the SAME.
> >
> >P1)
> ><Policy>
> >  <sp:AsymmetricBinding>
> >    <Policy>
> >      ...
> >      <sp:IncludeTimestamp />
> >      <sp:EncryptBeforeSigning />
> >      <sp:EncryptSignature />
> >      <sp:ProtectTokens />
> >    </Policy>
> >  </sp:AsymmetricBinding>
> >  <wsam:Addressing>...</wsam:Addressing>
> >  ...
> ></Policy>
> >
> >P2)
> ><Policy>
> >  <wsam:Addressing>...</wsam:Addressing>
> >  <sp:AsymmetricBinding>
> >    <Policy>
> >      ...
> >      <sp:IncludeTimestamp />
> >      <sp:EncryptBeforeSigning />
> >      <sp:EncryptSignature />
> >      <sp:ProtectTokens />
> >    </Policy>
> >  </sp:AsymmetricBinding>
> >  ...
> ></Policy>
> >
> >P3)
> ><Policy>
> >  <wsam:Addressing>...</wsam:Addressing>
> >  <sp:AsymmetricBinding>
> >    <Policy>
> >      ...
> >      <sp:IncludeTimestamp />
> >      <sp:EncryptSignature />
> >      <sp:ProtectTokens />
> >      <sp:EncryptBeforeSigning />
> >    </Policy>
> >  </sp:AsymmetricBinding>
> >  ...
> ></Policy>
> >
> >P4)
> ><Policy>
> >  <wsam:Addressing>...</wsam:Addressing>
> >  <sp:AsymmetricBinding>
> >    <Policy>
> >      ...
> >      <sp:EncryptBeforeSigning />
> >      <sp:IncludeTimestamp />
> >      <sp:EncryptSignature />
> >      <sp:ProtectTokens />
> >    </Policy>
> >  </sp:AsymmetricBinding>
> >  ...
> ></Policy>
> >
> >[1] http://www.w3.org/TR/2007/REC-ws-policy-20070904/#rPolicy_Alternative
> >[2] http://www.w3.org/TR/2003/REC-soap12-part1-20030624/#procsoapmsgs
> >[3] http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826510
> >[4] WS-Security 1.1 - see section 8, lines 1173-1183 -
> >"Finally, if a producer wishes to sign a message before encryption,
> >then following the ordering rules laid out in section 5, "Security
> >Header", they SHOULD first prepend the signature element to the
> ><wsse:Security> header, and then prepend the encryption element,
> >... Likewise, if a producer wishes to sign a message after
> >encryption, they SHOULD first prepend the encryption element to the
> ><wsse:Security> header, and then prepend the signature element."
> >- http://www.oasis-open.org/committees/download.php/16790/wss-v1.1-spec-os-SOAPMessageSecurity.pdf
> >[5] http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826549
> >
> >Regards,
> >
> >Asir S Vedamuthu
> >Microsoft Corporation
> >
> >-----Original Message-----
> >From: public-ws-policy-request@w3.org
> >[mailto:public-ws-policy-request@w3.org] On Behalf Of David Orchard
> >Sent: Thursday, October 11, 2007 1:59 PM
> >To: ashok.malhotra@oracle.com
> >Cc: public-ws-policy@w3.org
> >Subject: RE: Ordering of Assertions: Comment on WS-Policy Primer LCWD
> >
> >I asked my question first, and it's up to you to prove that work needs
> >to be done, not the other way around. That said, you don't seem to
> >have any intention of answering my question as you've decided to
> >respond to my question with a question. I learned from "Rosencrantz
> >and Guildenstern are dead" not to play the question game.
> >
> >Cheers,
> >Dave
> >
> >>-----Original Message-----
> >>From: ashok malhotra [mailto:ashok.malhotra@oracle.com]
> >>Sent: Thursday, October 11, 2007 1:33 PM
> >>To: David Orchard
> >>Cc: public-ws-policy@w3.org
> >>Subject: Re: Ordering of Assertions: Comment on WS-Policy Primer LCWD
> >>
> >>David:
> >>Please answer the question. Is it your position that there are no
> >>Policies where the order in which the assertions within a Policy
> >>Alternative are applied is important?
> >>
> >>Ashok
> >>
> >>David Orchard wrote:
> >>
> >>>I think the onus is on you to prove something, rather than me to prove
> >>>nothing, especially if you want the WG to do something.
> >>>
> >>>I know you are arguing that some policies need ordering. I'm arguing
> >>>you need to show some policies that need ordering.
> >>>
> >>>Cheers,
> >>>Dave
> >>>
> >>>>-----Original Message-----
> >>>>From: ashok malhotra [mailto:ashok.malhotra@oracle.com]
> >>>>Sent: Thursday, October 11, 2007 3:28 AM
> >>>>To: David Orchard
> >>>>Cc: public-ws-policy@w3.org
> >>>>Subject: Re: Ordering of Assertions: Comment on WS-Policy Primer LCWD
> >>>>
> >>>>I'll make it still shorter:
> >>>>
> >>>>I'm arguing that SOME policies need ordering. The Policy Framework
> >>>>says so and the fact that there are ordering assertions in WS
> >>>>SecurityPolicy confirms this.
> >>>>
> >>>>Are you arguing that NO policies need ordering?
> >>>>
> >>>>Ashok
> >>>>
> >>>>David Orchard wrote:
> >>>>
> >>>>>I'll make my note even shorter.
> >>>>>
> >>>>>What situations are those?
> >>>>>
> >>>>>For the 2nd time, you have failed to specify a single situation that
> >>>>>requires a change to WS-Policy. You've described a problem that
> >>>>>already has a solution and quotes from other people but those are not
> >>>>>answers to my question.
> >>>>>
> >>>>>In the absence of any real-world problem, the obvious thing for
> >>>>>WS-Policy WG to do is to close with no action.
> >>>>>
> >>>>>Cheers,
> >>>>>Dave
> >>>>>
> >>>>>>-----Original Message-----
> >>>>>>From: ashok malhotra [mailto:ashok.malhotra@oracle.com]
> >>>>>>Sent: Wednesday, October 10, 2007 1:59 PM
> >>>>>>To: David Orchard
> >>>>>>Cc: public-ws-policy@w3.org
> >>>>>>Subject: Re: Ordering of Assertions: Comment on WS-Policy Primer LCWD
> >>>>>>
> >>>>>>Hi Dave:
> >>>>>>I used the fact that WS-SecurityPolicy discusses order to motivate the
> >>>>>>need for order in at least some policies.
> >>>>>>I also quoted from the note from Tony Rogers. Subsequently, there was
> >>>>>>a note from Bob Natale who agrees that order is important but does not
> >>>>>>like the solution I suggested.
> >>>>>>
> >>>>>>What needs to be made clear is that order is not important in all
> >>>>>>policies, but there are situations where it is important and for these
> >>>>>>situations we need a solution.
> >>>>>>
> >>>>>>Ashok
> >>>>>>
> >>>>>>David Orchard wrote:
> >>>>>>
> >>>>>>>>-----Original Message-----
> >>>>>>>>From: public-ws-policy-request@w3.org
> >>>>>>>>[mailto:public-ws-policy-request@w3.org] On Behalf Of ashok malhotra
> >>>>>>>>Sent: Wednesday, October 10, 2007 9:56 AM
> >>>>>>>>To: public-ws-policy@w3.org
> >>>>>>>>Subject: Ordering of Assertions: Comment on WS-Policy Primer LCWD
> >>>>>>>>
> >>>>>>><snip/>
> >>>>>>>
> >>>>>>>>In many cases the
> >>>>>>>>order in which assertions are processed may not matter, but where it
> >>>>>>>>does matter do we need to specify a special assertion for every pair
> >>>>>>>>of assertions that need to be ordered? Clearly, this is not feasible
> >>>>>>>>as the Policy processing engine will need to be updated whenever a new
> >>>>>>>>ordering assertion is added. So, what we need is a general-purpose
> >>>>>>>>ordering assertion.
> >>>>>>>
> >>>>>>>Your note jumps from assumption to conclusion to design with great
> >>>>>>>speed, indeed from assumption to conclusion within 3 sentences. Those
> >>>>>>>3 fleety sentences do not answer my previous email's central question of
> >>>>>>>"when does order matter?". In case my question was missed, perhaps
> >>>>>>>because of burdensome length of my previous message, I'll ask again more
> >>>>>>>succinctly:
> >>>>>>>
> >>>>>>>When does order matter?
> >>>>>>>
> >>>>>>>Until the use case is agreed by the WG, design discussions are very
> >>>>>>>premature IMHO.
> >>>>>>>
> >>>>>>>Cheers,
> >>>>>>>Dave
> >>>>>>>
> >>>>>>--
> >>>>>>All the best, Ashok
> >>>>>>
> >>>>--
> >>>>All the best, Ashok
> >>>>
> >>--
> >>All the best, Ashok
> >>
>
> --
> All the best, Ashok
Received on Monday, 15 October 2007 19:37:40 UTC
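
The P1-P4 comparison quoted in the thread, as an added example that is not part of any poster's message: a policy diff that ignores the order of sibling assertions, so that reordering a security policy is not reported as a change while dropping sp:EncryptBeforeSigning is. The namespace URIs, the empty nested policy under wsam:Addressing, the policy P5 and all function names are assumptions of this sketch; the parts elided as "..." in the thread are left out, and WS-Policy normalization (wsp:All, wsp:ExactlyOne, wsp:Optional) is not performed.

```python
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
NS = ('xmlns:wsp="http://www.w3.org/ns/ws-policy" '
      f'xmlns:sp="{SP}" '
      'xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"')

def build(outer, nested):
    """Constructed policy text; the '...' parts elided in the thread are left out."""
    inner = "".join(f"<sp:{name}/>" for name in nested)
    part = {
        "binding": "<sp:AsymmetricBinding><wsp:Policy>" + inner
                   + "</wsp:Policy></sp:AsymmetricBinding>",
        # Assumed content: the thread elides what is inside wsam:Addressing.
        "addressing": "<wsam:Addressing><wsp:Policy/></wsam:Addressing>",
    }
    return f"<wsp:Policy {NS}>" + "".join(part[k] for k in outer) + "</wsp:Policy>"

TS, EBS, ES, PT = ("IncludeTimestamp", "EncryptBeforeSigning",
                   "EncryptSignature", "ProtectTokens")
POLICIES = {
    "P1": build(["binding", "addressing"], [TS, EBS, ES, PT]),
    "P2": build(["addressing", "binding"], [TS, EBS, ES, PT]),
    "P3": build(["addressing", "binding"], [TS, ES, PT, EBS]),
    "P4": build(["addressing", "binding"], [EBS, TS, ES, PT]),
    # Hypothetical P5 (not in the thread): P2 with the ordering assertion absent.
    "P5": build(["addressing", "binding"], [TS, ES, PT]),
}

def canonical(elem):
    """Order-insensitive form: children are sorted, duplicates are kept."""
    kids = tuple(sorted(canonical(child) for child in elem))
    return (elem.tag, tuple(sorted(elem.attrib.items())), kids)

def same_policy(a, b):
    """True when two policy documents differ only in the order of siblings."""
    return canonical(ET.fromstring(a)) == canonical(ET.fromstring(b))

def encrypt_before_signing(policy):
    """Runtime order is signalled by the assertion's presence, not its position."""
    found = ET.fromstring(policy).iter(f"{{{SP}}}EncryptBeforeSigning")
    return next(found, None) is not None

if __name__ == "__main__":
    for name, text in POLICIES.items():
        print(name, same_policy(POLICIES["P1"], text), encrypt_before_signing(text))
```
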