- From: David Orchard <dorchard@bea.com>
- Date: Mon, 15 Oct 2007 14:03:29 -0700
- To: <ashok.malhotra@oracle.com>
- Cc: "Asir Vedamuthu" <asirveda@microsoft.com>, <public-ws-policy@w3.org>
So some aspect of SCA is your use case?

Cheers,
Dave

> -----Original Message-----
> From: ashok malhotra [mailto:ashok.malhotra@oracle.com]
> Sent: Monday, October 15, 2007 1:53 PM
> To: David Orchard
> Cc: Asir Vedamuthu; public-ws-policy@w3.org
> Subject: Re: Ordering of Assertions: Comment on WS-Policy Primer LCWD
>
> Dave:
> I don't know how closely you watch the SCA Policy work. SCA
> uses Policy to match Services and References, modulo the
> capabilities provided by the binding. It also uses it for
> Authorization and for providing various sorts of runtime
> configuration information. So, to say that WS-Policy is used
> to manipulate SOAP messages is grossly underselling it.
> Ashok
>
> David Orchard wrote:
>
> >Reductive, but practical. I don't remember you or anybody else
> >suggesting a review from a group that is doing non-SOAP messages and
> >headers and using Policy as metadata. Somehow I'm thinking that we
> >aren't going to get a flurry of comments from REST centric folks for
> >what WS-Policy needs to do for them.
> >
> >Cheers,
> >Dave
> >
> >>-----Original Message-----
> >>From: ashok malhotra [mailto:ashok.malhotra@oracle.com]
> >>Sent: Monday, October 15, 2007 7:31 AM
> >>To: Asir Vedamuthu
> >>Cc: David Orchard; public-ws-policy@w3.org
> >>Subject: Re: Ordering of Assertions: Comment on WS-Policy Primer LCWD
> >>
> >>Asir:
> >>It is reductive to think of WS-Policy only in terms of its
> >>applicability to SOAP messages and headers. It applies equally well
> >>to other message formats and, more importantly, can be used to
> >>control and configure many other aspects of web services.
> >>
> >>Ashok
> >>
> >>Asir Vedamuthu wrote:
> >>
> >>>Thank you Dave for asking the right question and keeping the
> >>>discussion focused!
> >>>
> >>>Replaying Dave's key question - when does the order of assertions
> >>>in a policy alternative matter? Reading through the mail archive
> >>>(~19 mails), it appears that no one has answered your question
> >>>with "real" assertions.
> >>>
> >>>I want to be super clear on facts ...
> >>>
> >>>(a) Order of assertions in a policy alternative and order in which
> >>>behaviors are applied are TWO distinct concepts (let's not
> >>>conflate them).
> >>>
> >>>The former is governed by the WS-Policy Framework [1] - says
> >>>unordered.
> >>>
> >>>The latter (order in which behaviors such as addressing, security,
> >>>reliability and transaction is applied) is governed by SOAP and
> >>>SOAP-based protocols [2]. The order of headers and body processing
> >>>is at the DISCRETION of the SOAP node and SOAP headers may be used
> >>>to control the order of processing.
> >>>
> >>>(b) Order of assertions in a policy alternative has NO bearing on
> >>>the order in which behaviors are applied [1].
> >>>
> >>>(c) The WS-SecurityPolicy spec does NOT rely on the order of
> >>>assertions in a policy alternative [3].
> >>>
> >>>(d) The WS-Security spec provides producers with an option to use
> >>>[encrypt, sign] or [sign, encrypt] [4]. The WS-SecurityPolicy spec
> >>>provides assertions [5] to indicate the order of these
> >>>cryptographic operations (runtime behavior) on a message.
> >>>
> >>>Let's look at examples with "real" assertions. The order of
> >>>assertions in the following policies P1-P4 (and their nested
> >>>policies) are different but the policies are effectively the SAME.
> >>>
> >>>P1)
> >>><Policy>
> >>>  <sp:AsymmetricBinding>
> >>>    <Policy>
> >>>      ...
> >>>      <sp:IncludeTimestamp />
> >>>      <sp:EncryptBeforeSigning />
> >>>      <sp:EncryptSignature />
> >>>      <sp:ProtectTokens />
> >>>    </Policy>
> >>>  </sp:AsymmetricBinding>
> >>>  <wsam:Addressing>...</wsam:Addressing>
> >>>  ...
> >>></Policy>
> >>>
> >>>P2)
> >>><Policy>
> >>>  <wsam:Addressing>...</wsam:Addressing>
> >>>  <sp:AsymmetricBinding>
> >>>    <Policy>
> >>>      ...
> >>>      <sp:IncludeTimestamp />
> >>>      <sp:EncryptBeforeSigning />
> >>>      <sp:EncryptSignature />
> >>>      <sp:ProtectTokens />
> >>>    </Policy>
> >>>  </sp:AsymmetricBinding>
> >>>  ...
> >>></Policy>
> >>>
> >>>P3)
> >>><Policy>
> >>>  <wsam:Addressing>...</wsam:Addressing>
> >>>  <sp:AsymmetricBinding>
> >>>    <Policy>
> >>>      ...
> >>>      <sp:IncludeTimestamp />
> >>>      <sp:EncryptSignature />
> >>>      <sp:ProtectTokens />
> >>>      <sp:EncryptBeforeSigning />
> >>>    </Policy>
> >>>  </sp:AsymmetricBinding>
> >>>  ...
> >>></Policy>
> >>>
> >>>P4)
> >>><Policy>
> >>>  <wsam:Addressing>...</wsam:Addressing>
> >>>  <sp:AsymmetricBinding>
> >>>    <Policy>
> >>>      ...
> >>>      <sp:EncryptBeforeSigning />
> >>>      <sp:IncludeTimestamp />
> >>>      <sp:EncryptSignature />
> >>>      <sp:ProtectTokens />
> >>>    </Policy>
> >>>  </sp:AsymmetricBinding>
> >>>  ...
> >>></Policy>
> >>>
> >>>[1] http://www.w3.org/TR/2007/REC-ws-policy-20070904/#rPolicy_Alternative
> >>>[2] http://www.w3.org/TR/2003/REC-soap12-part1-20030624/#procsoapmsgs
> >>>[3] http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826510
> >>>[4] WS-Security 1.1 - see section 8, lines 1173-1183 - "Finally, if
> >>>a producer wishes to sign a message before encryption, then
> >>>following the ordering rules laid out in section 5, "Security
> >>>Header", they SHOULD first prepend the signature element to the
> >>><wsse:Security> header, and then prepend the encryption element,
> >>>... Likewise, if a producer wishes to sign a message after
> >>>encryption, they SHOULD first prepend the encryption element to
> >>>the <wsse:Security> header, and then prepend the signature
> >>>element." -
> >>>http://www.oasis-open.org/committees/download.php/16790/wss-v1.1-spec-os-SOAPMessageSecurity.pdf
> >>>[5] http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826549
> >>>
> >>>Regards,
> >>>
> >>>Asir S Vedamuthu
> >>>Microsoft Corporation
> >>>
> >>>-----Original Message-----
> >>>From: public-ws-policy-request@w3.org
> >>>[mailto:public-ws-policy-request@w3.org] On Behalf Of David Orchard
> >>>Sent: Thursday, October 11, 2007 1:59 PM
> >>>To: ashok.malhotra@oracle.com
> >>>Cc: public-ws-policy@w3.org
> >>>Subject: RE: Ordering of Assertions: Comment on WS-Policy Primer LCWD
> >>>
> >>>I asked my question first, and it's up to you to prove that work
> >>>needs to be done, not the other way around. That said, you don't
> >>>seem to have any intention of answering my question as you've
> >>>decided to respond to my question with a question. I learned from
> >>>"Rosencrantz and Guildenstern are dead" not to play the question
> >>>game.
> >>>
> >>>Cheers,
> >>>Dave
> >>>
> >>>>-----Original Message-----
> >>>>From: ashok malhotra [mailto:ashok.malhotra@oracle.com]
> >>>>Sent: Thursday, October 11, 2007 1:33 PM
> >>>>To: David Orchard
> >>>>Cc: public-ws-policy@w3.org
> >>>>Subject: Re: Ordering of Assertions: Comment on WS-Policy Primer LCWD
> >>>>
> >>>>David:
> >>>>Please answer the question. Is it your position that there are no
> >>>>Policies where the order in which the assertions within a Policy
> >>>>Alternative are applied is important?
> >>>>
> >>>>Ashok
> >>>>
> >>>>David Orchard wrote:
> >>>>
> >>>>>I think the onus is on you to prove something, rather than me to
> >>>>>prove nothing, especially if you want the WG to do something.
> >>>>>
> >>>>>I know you are arguing that some policies need ordering. I'm
> >>>>>arguing you need to show some policies that need ordering.
> >>>>>
> >>>>>Cheers,
> >>>>>Dave
> >>>>>
> >>>>>>-----Original Message-----
> >>>>>>From: ashok malhotra [mailto:ashok.malhotra@oracle.com]
> >>>>>>Sent: Thursday, October 11, 2007 3:28 AM
> >>>>>>To: David Orchard
> >>>>>>Cc: public-ws-policy@w3.org
> >>>>>>Subject: Re: Ordering of Assertions: Comment on WS-Policy Primer LCWD
> >>>>>>
> >>>>>>I'll make it still shorter:
> >>>>>>
> >>>>>>I'm arguing that SOME policies need ordering. The Policy
> >>>>>>Framework says so and the fact that there are ordering
> >>>>>>assertions in WS SecurityPolicy confirms this.
> >>>>>>
> >>>>>>Are you arguing that NO policies need ordering?
> >>>>>>
> >>>>>>Ashok
> >>>>>>
> >>>>>>David Orchard wrote:
> >>>>>>
> >>>>>>>I'll make my note even shorter.
> >>>>>>>
> >>>>>>>What situations are those?
> >>>>>>>
> >>>>>>>For the 2nd time, you have failed to specify a single
> >>>>>>>situation that requires a change to WS-Policy. You've
> >>>>>>>described a problem that already has a solution and quotes
> >>>>>>>from other people but those are not answers to my question.
> >>>>>>>
> >>>>>>>In the absence of any real-world problem, the obvious thing
> >>>>>>>for WS-Policy WG to do is to close with no action.
> >>>>>>>
> >>>>>>>Cheers,
> >>>>>>>Dave
> >>>>>>>
> >>>>>>>>-----Original Message-----
> >>>>>>>>From: ashok malhotra [mailto:ashok.malhotra@oracle.com]
> >>>>>>>>Sent: Wednesday, October 10, 2007 1:59 PM
> >>>>>>>>To: David Orchard
> >>>>>>>>Cc: public-ws-policy@w3.org
> >>>>>>>>Subject: Re: Ordering of Assertions: Comment on WS-Policy Primer LCWD
> >>>>>>>>
> >>>>>>>>Hi Dave:
> >>>>>>>>I used the fact that WS-SecurityPolicy discusses order to
> >>>>>>>>motivate the need for order in at least some policies.
> >>>>>>>>I also quoted from the note from Tony Rogers. Subsequently,
> >>>>>>>>there was a note from Bob Natale who agrees that order is
> >>>>>>>>important but does not like the solution I suggested.
> >>>>>>>>
> >>>>>>>>What needs to be made clear is that order is not important
> >>>>>>>>in all policies, but there are situations where it is
> >>>>>>>>important and for these situations we need a solution.
> >>>>>>>>
> >>>>>>>>Ashok
> >>>>>>>>
> >>>>>>>>David Orchard wrote:
> >>>>>>>>
> >>>>>>>>>>-----Original Message-----
> >>>>>>>>>>From: public-ws-policy-request@w3.org
> >>>>>>>>>>[mailto:public-ws-policy-request@w3.org] On Behalf Of ashok malhotra
> >>>>>>>>>>Sent: Wednesday, October 10, 2007 9:56 AM
> >>>>>>>>>>To: public-ws-policy@w3.org
> >>>>>>>>>>Subject: Ordering of Assertions: Comment on WS-Policy Primer LCWD
> >>>>>>>>>>
> >>>>>>>>><snip/>
> >>>>>>>>>
> >>>>>>>>>>In many cases the order in which assertions are processed
> >>>>>>>>>>may not matter, but where it does matter do we need to
> >>>>>>>>>>specify a special assertion for every pair of assertions
> >>>>>>>>>>that need to be ordered? Clearly, this is not feasible as
> >>>>>>>>>>the Policy processing engine will need to be updated
> >>>>>>>>>>whenever a new ordering assertion is added. So, what we
> >>>>>>>>>>need is a general-purpose ordering assertion.
> >>>>>>>>>>
> >>>>>>>>>Your note jumps from assumption to conclusion to design
> >>>>>>>>>with great speed, indeed from assumption to conclusion
> >>>>>>>>>within 3 sentences. Those 3 fleety sentences do not answer
> >>>>>>>>>my previous email's central question of "when does order
> >>>>>>>>>matter?". In case my question was missed, perhaps because
> >>>>>>>>>of burdensome length of my previous message, I'll ask again
> >>>>>>>>>more succinctly:
> >>>>>>>>>
> >>>>>>>>>When does order matter?
> >>>>>>>>>
> >>>>>>>>>Until the use case is agreed by the WG, design discussions
> >>>>>>>>>are very premature IMHO.
> >>>>>>>>>
> >>>>>>>>>Cheers,
> >>>>>>>>>Dave
> >>>>>>>>>
> >>>>>>>>--
> >>>>>>>>All the best, Ashok
> >>>>>>>>
> >>>>>>--
> >>>>>>All the best, Ashok
> >>>>>>
> >>>>--
> >>>>All the best, Ashok
> >>>>
> >>--
> >>All the best, Ashok
> >>
>
> --
> All the best, Ashok
>
Received on Monday, 15 October 2007 21:04:09 UTC
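The claim in the quoted message from Asir Vedamuthu, that P1-P4 are the same policy and that the encrypt/sign order comes from the sp:EncryptBeforeSigning assertion rather than from document order, can be checked mechanically. The sketch below is an added example, not part of the original thread or of any WS-Policy implementation. It assumes the usual namespace URIs for the three prefixes, leaves out the parts the thread elides with "...", adds a constructed P5 for contrast, and compares compact single-alternative policies only.

```python
import xml.etree.ElementTree as ET

# Namespace URIs are assumptions of this example; the thread shows prefixes only.
NS = {
    "wsp": "http://www.w3.org/ns/ws-policy",
    "sp": "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",
    "wsam": "http://www.w3.org/2007/05/addressing/metadata",
}

def canonical(elem):
    """Order-insensitive form: (qualified name, attributes, text, sorted children)."""
    children = tuple(sorted(canonical(child) for child in elem))
    attrs = tuple(sorted(elem.attrib.items()))
    return (elem.tag, attrs, (elem.text or "").strip(), children)

def same_policy(xml_a, xml_b):
    """True when two policies differ only in the order of their assertions."""
    return canonical(ET.fromstring(xml_a)) == canonical(ET.fromstring(xml_b))

def protection_order(xml):
    """Runtime order of the crypto operations, read from assertion presence."""
    root = ET.fromstring(xml)
    path = "sp:AsymmetricBinding/wsp:Policy/sp:EncryptBeforeSigning"
    if root.find(path, NS) is not None:
        return ("encrypt", "sign")
    return ("sign", "encrypt")  # WS-SecurityPolicy default: sign before encrypting

def build(binding_first, nested):
    """Constructed sample policy; the '...' parts elided in the thread are left out."""
    inner = "".join(f"<sp:{name}/>" for name in nested)
    binding = f"<sp:AsymmetricBinding><Policy>{inner}</Policy></sp:AsymmetricBinding>"
    addressing = "<wsam:Addressing><Policy/></wsam:Addressing>"
    body = binding + addressing if binding_first else addressing + binding
    decls = f'xmlns="{NS["wsp"]}" xmlns:sp="{NS["sp"]}" xmlns:wsam="{NS["wsam"]}"'
    return f"<Policy {decls}>{body}</Policy>"

TS, EBS, ES, PT = "IncludeTimestamp", "EncryptBeforeSigning", "EncryptSignature", "ProtectTokens"
P1 = build(True, [TS, EBS, ES, PT])    # binding first, as in the thread's P1
P2 = build(False, [TS, EBS, ES, PT])   # Addressing moved ahead of the binding
P3 = build(False, [TS, ES, PT, EBS])   # EncryptBeforeSigning listed last
P4 = build(False, [EBS, TS, ES, PT])   # EncryptBeforeSigning listed first
P5 = build(False, [TS, ES, PT])        # constructed contrast: assertion absent

if __name__ == "__main__":
    print(all(same_policy(P1, p) for p in (P2, P3, P4)))
    print(protection_order(P3), protection_order(P5), same_policy(P1, P5))
```

Moving an assertion never changes the result of either function; only adding or removing one does, which is the distinction between points (a) and (d) in the quoted message.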