Re: Ordering of Assertions: Comment on WS-Policy Primer LCWD

Dave:
I don't know how closely you watch the SCA Policy work.  SCA uses Policy 
to match Services and References, modulo the capabilities provided by 
the binding.  It also uses it for Authorization and for providing 
various sorts of runtime configuration information.  So, to say that 
WS-Policy is used to manipulate SOAP messages is grossly underselling it.
Ashok


David Orchard wrote:

>Reductive, but practical.  I don't remember you or anybody else
>suggesting a review from a group that is doing non-SOAP messages and
>headers and using Policy as metadata.   Somehow I'm thinking that we
>aren't going to get a flurry of comments from REST centric folks for
>what WS-Policy needs to do for them.
>
>Cheers,
>Dave
>
>>-----Original Message-----
>>From: ashok malhotra [mailto:ashok.malhotra@oracle.com] 
>>Sent: Monday, October 15, 2007 7:31 AM
>>To: Asir Vedamuthu
>>Cc: David Orchard; public-ws-policy@w3.org
>>Subject: Re: Ordering of Assertions: Comment on WS-Policy Primer LCWD
>>
>>Asir:
>>It is reductive to think of WS-Policy only in terms of its 
>>applicability to SOAP messages and headers.  It applies 
>>equally well to other message formats and, more importantly, 
>>can be used to control and configure many other aspects of 
>>web services.
>>
>>Ashok
>>
>>Asir Vedamuthu wrote:
>>
>>>Thank you Dave for asking the right question and keeping the
>>>discussion focused!
>>>
>>>Replaying Dave's key question - when does the order of
>>>assertions in a policy alternative matter? Reading through
>>>the mail archive (~19 mails), it appears that no one has
>>>answered your question with "real" assertions.
>>>
>>>I want to be super clear on facts ...
>>>
>>>(a) Order of assertions in a policy alternative and order in
>>>which behaviors are applied are TWO distinct concepts (let's
>>>not conflate them).
>>>
>>>The former is governed by the WS-Policy Framework [1] - says
>>>unordered.
>>>
>>>The latter (order in which behaviors such as addressing,
>>>security, reliability and transaction is applied) is governed
>>>by SOAP and SOAP-based protocols [2]. The order of headers
>>>and body processing is at the DISCRETION of the SOAP node and
>>>SOAP headers may be used to control the order of processing.
>>>
>>>(b) Order of assertions in a policy alternative has NO
>>>bearing on the order in which behaviors are applied [1].
>>>
>>>(c) The WS-SecurityPolicy spec does NOT rely on the order of
>>>assertions in a policy alternative [3].
>>>
>>>(d) The WS-Security spec provides producers with an option
>>>to use [encrypt, sign] or [sign, encrypt] [4]. The
>>>WS-SecurityPolicy spec provides assertions [5] to indicate
>>>the order of these cryptographic operations (runtime
>>>behavior) on a message.
>>>
>>>Let's look at examples with "real" assertions. The order of
>>>assertions in the following policies P1-P4 (and their nested
>>>policies) are different but the policies are effectively the SAME.
>>>
>>>P1)
>>><Policy>
>>> <sp:AsymmetricBinding>
>>>   <Policy>
>>>    ...
>>>    <sp:IncludeTimestamp />
>>>    <sp:EncryptBeforeSigning />
>>>    <sp:EncryptSignature />
>>>    <sp:ProtectTokens />
>>>  </Policy>
>>> </sp:AsymmetricBinding>
>>> <wsam:Addressing>...</wsam:Addressing>
>>> ...
>>></Policy>
>>>
>>>P2)
>>><Policy>
>>> <wsam:Addressing>...</wsam:Addressing>
>>> <sp:AsymmetricBinding>
>>>   <Policy>
>>>    ...
>>>    <sp:IncludeTimestamp />
>>>    <sp:EncryptBeforeSigning />
>>>    <sp:EncryptSignature />
>>>    <sp:ProtectTokens />
>>>  </Policy>
>>> </sp:AsymmetricBinding>
>>> ...
>>></Policy>
>>>
>>>P3)
>>><Policy>
>>> <wsam:Addressing>...</wsam:Addressing>
>>> <sp:AsymmetricBinding>
>>>   <Policy>
>>>    ...
>>>    <sp:IncludeTimestamp />
>>>    <sp:EncryptSignature />
>>>    <sp:ProtectTokens />
>>>    <sp:EncryptBeforeSigning />
>>>  </Policy>
>>> </sp:AsymmetricBinding>
>>> ...
>>></Policy>
>>>
>>>P4)
>>><Policy>
>>> <wsam:Addressing>...</wsam:Addressing>
>>> <sp:AsymmetricBinding>
>>>   <Policy>
>>>    ...
>>>    <sp:EncryptBeforeSigning />
>>>    <sp:IncludeTimestamp />
>>>    <sp:EncryptSignature />
>>>    <sp:ProtectTokens />
>>>  </Policy>
>>> </sp:AsymmetricBinding>
>>> ...
>>></Policy>
>>>
>>>[1] http://www.w3.org/TR/2007/REC-ws-policy-20070904/#rPolicy_Alternative
>>>[2] http://www.w3.org/TR/2003/REC-soap12-part1-20030624/#procsoapmsgs
>>>[3] http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826510
>>>[4] WS-Security 1.1 - see section 8, lines 1173-1183 - "Finally, if a
>>>producer wishes to sign a message before encryption, then following the
>>>ordering rules laid out in section 5, "Security Header", they SHOULD first
>>>prepend the signature element to the <wsse:Security> header, and then
>>>prepend the encryption element, ... Likewise, if a producer wishes to sign
>>>a message after encryption, they SHOULD first prepend the encryption
>>>element to the <wsse:Security> header, and then prepend the signature
>>>element." -
>>>http://www.oasis-open.org/committees/download.php/16790/wss-v1.1-spec-os-SOAPMessageSecurity.pdf
>>>[5] http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826549
>>>
>>>Regards,
>>>
>>>Asir S Vedamuthu
>>>Microsoft Corporation
>>>
>>>
>>>-----Original Message-----
>>>From: public-ws-policy-request@w3.org 
>>>[mailto:public-ws-policy-request@w3.org] On Behalf Of David Orchard
>>>Sent: Thursday, October 11, 2007 1:59 PM
>>>To: ashok.malhotra@oracle.com
>>>Cc: public-ws-policy@w3.org
>>>Subject: RE: Ordering of Assertions: Comment on WS-Policy Primer LCWD
>>>
>>>
>>>I asked my question first, and it's up to you to prove that work needs
>>>to be done, not the other way around.  That said, you don't seem to
>>>have any intention of answering my question as you've decided to
>>>respond to my question with a question.  I learned from "Rosencrantz
>>>and Guildenstern are dead" not to play the question game.
>>>
>>>Cheers,
>>>Dave
>>>
>>>>-----Original Message-----
>>>>From: ashok malhotra [mailto:ashok.malhotra@oracle.com]
>>>>Sent: Thursday, October 11, 2007 1:33 PM
>>>>To: David Orchard
>>>>Cc: public-ws-policy@w3.org
>>>>Subject: Re: Ordering of Assertions: Comment on WS-Policy Primer LCWD
>>>>
>>>>David:
>>>>Please answer the question.  Is it your position that there are no
>>>>Policies where the order in which the assertions within a Policy
>>>>Alternative are applied is important?
>>>>
>>>>Ashok
>>>>
>>>>David Orchard wrote:
>>>>
>>>>>I think the onus is on you to prove something, rather than me to prove
>>>>>nothing, especially if you want the WG to do something.
>>>>>
>>>>>I know you are arguing that some policies need ordering.  I'm arguing
>>>>>you need to show some policies that need ordering.
>>>>>
>>>>>Cheers,
>>>>>Dave
>>>>>
>>>>>>-----Original Message-----
>>>>>>From: ashok malhotra [mailto:ashok.malhotra@oracle.com]
>>>>>>Sent: Thursday, October 11, 2007 3:28 AM
>>>>>>To: David Orchard
>>>>>>Cc: public-ws-policy@w3.org
>>>>>>Subject: Re: Ordering of Assertions: Comment on WS-Policy Primer LCWD
>>>>>>
>>>>>>I'll make it still shorter:
>>>>>>
>>>>>>I'm arguing that SOME policies need ordering.  The Policy Framework
>>>>>>says so and the fact that there are ordering assertions in WS
>>>>>>SecurityPolicy confirms this.
>>>>>>
>>>>>>Are you arguing that NO policies need ordering?
>>>>>>
>>>>>>Ashok
>>>>>>
>>>>>>David Orchard wrote:
>>>>>>
>>>>>>>I'll make my note even shorter.
>>>>>>>
>>>>>>>What situations are those?
>>>>>>>
>>>>>>>For the 2nd time, you have failed to specify a single situation that
>>>>>>>requires a change to WS-Policy.  You've described a problem that
>>>>>>>already has a solution and quotes from other people but those are not
>>>>>>>answers to my question.
>>>>>>>
>>>>>>>In the absence of any real-world problem, the obvious thing for
>>>>>>>WS-Policy WG to do is to close with no action.
>>>>>>>
>>>>>>>Cheers,
>>>>>>>Dave
>>>>>>>
>>>>>>>>-----Original Message-----
>>>>>>>>From: ashok malhotra [mailto:ashok.malhotra@oracle.com]
>>>>>>>>Sent: Wednesday, October 10, 2007 1:59 PM
>>>>>>>>To: David Orchard
>>>>>>>>Cc: public-ws-policy@w3.org
>>>>>>>>Subject: Re: Ordering of Assertions: Comment on WS-Policy Primer LCWD
>>>>>>>>
>>>>>>>>Hi Dave:
>>>>>>>>I used the fact that WS-SecurityPolicy discusses order to motivate the
>>>>>>>>need for order in at least some policies.
>>>>>>>>I also quoted from the note from Tony Rogers.  Subsequently, there was
>>>>>>>>a note from Bob Natale who agrees that order is important but does not
>>>>>>>>like the solution I suggested.
>>>>>>>>
>>>>>>>>What needs to be made clear is that order is not important in all
>>>>>>>>policies, but there are situations where it is important and for these
>>>>>>>>situations we need a solution.
>>>>>>>>
>>>>>>>>Ashok
>>>>>>>>
>>>>>>>>David Orchard wrote:
>>>>>>>>
>>>>>>>>>>-----Original Message-----
>>>>>>>>>>From: public-ws-policy-request@w3.org
>>>>>>>>>>[mailto:public-ws-policy-request@w3.org] On Behalf Of ashok malhotra
>>>>>>>>>>Sent: Wednesday, October 10, 2007 9:56 AM
>>>>>>>>>>To: public-ws-policy@w3.org
>>>>>>>>>>Subject: Ordering of Assertions: Comment on WS-Policy Primer LCWD
>>>>>>>>>>
>>>>>>>>><snip/>
>>>>>>>>>
>>>>>>>>>>In many cases the
>>>>>>>>>>order in which assertions are processed may not matter, but where it
>>>>>>>>>>does matter do we need to specify a special assertion for every pair
>>>>>>>>>>of assertions that need to be ordered? Clearly, this is not feasible
>>>>>>>>>>as the Policy processing engine will need to be updated whenever a new
>>>>>>>>>>ordering assertion is added. So, what we need is a general-purpose
>>>>>>>>>>ordering assertion.
>>>>>>>>>>
>>>>>>>>>Your note jumps from assumption to conclusion to design with great
>>>>>>>>>speed, indeed from assumption to conclusion within 3 sentences.  Those
>>>>>>>>>3 fleety sentences do not answer my previous email's central question of
>>>>>>>>>"when does order matter?".  In case my question was missed, perhaps
>>>>>>>>>because of burdensome length of my previous message, I'll ask again more
>>>>>>>>>succinctly:
>>>>>>>>>
>>>>>>>>>When does order matter?
>>>>>>>>>
>>>>>>>>>Until the use case is agreed by the WG, design discussions are very
>>>>>>>>>premature IMHO.
>>>>>>>>>
>>>>>>>>>Cheers,
>>>>>>>>>Dave
>>>>>>>>>
>>>>>>>>--
>>>>>>>>All the best, Ashok
>>>>>>>>
>>>>>>--
>>>>>>All the best, Ashok
>>>>>>
>>>>--
>>>>All the best, Ashok
>>>>
>>--
>>All the best, Ashok
>>
>


-- 
All the best, Ashok

Received on Monday, 15 October 2007 20:55:21 UTC
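
An added example, not part of the original thread or of any WS-Policy implementation: a small order-insensitive comparison of the P1-P4 policies quoted above, showing that they compare equal as unordered assertion collections, while the encrypt/sign order is read from the presence of sp:EncryptBeforeSigning rather than from its position. The namespace declarations, the empty content of wsam:Addressing, the helper names and the fifth policy P5 are assumptions constructed for the illustration; the "..." parts of the quoted policies are simply left out.

```python
import xml.etree.ElementTree as ET
from collections import Counter

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
NS = ('xmlns="http://www.w3.org/ns/ws-policy" '
      f'xmlns:sp="{SP}" '
      'xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"')

def make_policy(binding_first, nested):
    """Build a constructed compact-form policy shaped like P1-P4."""
    inner = "".join(f"<sp:{name}/>" for name in nested)
    binding = (f"<sp:AsymmetricBinding><Policy>{inner}</Policy>"
               "</sp:AsymmetricBinding>")
    addressing = "<wsam:Addressing><Policy/></wsam:Addressing>"
    body = binding + addressing if binding_first else addressing + binding
    return f"<Policy {NS}>{body}</Policy>"

def canonical(elem):
    """Order-insensitive form: (QName, multiset of canonical children).

    Attributes and text are ignored; this compares the compact form only
    and does not expand wsp:Optional, wsp:All or wsp:ExactlyOne.
    """
    children = Counter(canonical(child) for child in elem)
    return (elem.tag, frozenset(children.items()))

def same_policy(a, b):
    """True when two policy documents differ only in assertion order."""
    return canonical(ET.fromstring(a)) == canonical(ET.fromstring(b))

def encrypt_before_signing(policy):
    """Runtime order comes from the assertion being present, not its position."""
    root = ET.fromstring(policy)
    return any(True for _ in root.iter(f"{{{SP}}}EncryptBeforeSigning"))

FULL = ["IncludeTimestamp", "EncryptBeforeSigning", "EncryptSignature", "ProtectTokens"]
P1 = make_policy(True, FULL)
P2 = make_policy(False, FULL)
P3 = make_policy(False, ["IncludeTimestamp", "EncryptSignature",
                         "ProtectTokens", "EncryptBeforeSigning"])
P4 = make_policy(False, ["EncryptBeforeSigning", "IncludeTimestamp",
                         "EncryptSignature", "ProtectTokens"])
# Constructed P5: same binding without the EncryptBeforeSigning assertion.
P5 = make_policy(False, ["IncludeTimestamp", "EncryptSignature", "ProtectTokens"])

if __name__ == "__main__":
    for name, policy in [("P2", P2), ("P3", P3), ("P4", P4), ("P5", P5)]:
        print(f"P1 vs {name}: same={same_policy(P1, policy)} "
              f"encrypt_before_signing={encrypt_before_signing(policy)}")
```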