- From: Doug Davis <dug@us.ibm.com>
- Date: Mon, 26 Oct 2009 10:51:29 -0400
- To: "Chou, Wu (Wu)" <wuchou@avaya.com>
- Cc: "Bob Freund" <bob.freund@hitachisoftware.com>, "Li, Li (Li)" <lli5@avaya.com>, public-ws-resource-access@w3.org
- Message-ID: <OF05B27EBA.C4F6F3AB-ON8525765B.005093F3-8525765B.00519EEE@us.ibm.com>
Wu, could you elaborate a bit on your thinking here. If we went with the 2nd option (which seemed to be preferred on the call): A Web service that accepts requests to create subscriptions for a certain set of notification that might be generated. what woud need to change in your implementation or what would break in any existing implementation? Also, your point #3 actually might not be true. If WS-Eventing doesn't define an Event Source to allow for other components (anything other than the _one_ event source) to send Notifications then an extension spec can't do it either since it would be contradicting the base spec. As it currently stands we have an inconsistency in the spec - if Event Sources are the only things that can send Notifications, then when we use a pull-style model we're broken because in those cases the Subscription Manager is the one that sends the Notifications. I don't think the above proposal would break anyone, nor even require a coding change. Rather its just an admission that our WS-* specs only control what goes on the wire and we can't control what happens behind the scenes. How people choose to implement this stuff is up to them. For example, there is nothing inWS-Addressing that requires the sender of an async response to be the same entity as the one that received the request and this is no different. Do we really need to say that the entity that sends the SubscribeResponse MUST be the same one the receives the SubscribeRequest? And what does "same one" mean? In a clustered environment things get a bit complicated. thanks -Doug ______________________________________________________ STSM | Standards Architect | IBM Software Group (919) 254-6905 | IBM 444-6905 | dug@us.ibm.com The more I'm around some people, the more I like my dog. "Chou, Wu (Wu)" <wuchou@avaya.com> Sent by: public-ws-resource-access-request@w3.org 10/26/2009 10:23 AM To "Bob Freund" <bob.freund@hitachisoftware.com>, <public-ws-resource-access@w3.org>, <public-ws-resource-access-request@w3.org> cc "Li, Li (Li)" <lli5@avaya.com> Subject Issue 7970 Bob, We see some problems with issue 7970 [1] and we share our thoughts below. 1) Current WS-Eventing is based on a set of well-defined web services (source, sink, subscriber and subscription manager). If there is some entity that interacts with WS-Eventing services, it should be either defined in the spec, or it should be out of scope. This proposal involves interactions with some entity whose behavior is not defined in the spec. 2) By allowing an unknown third-party (instead of event source) to send notifications to event sink complicates security checks against attacks to the event sink. For example, IP blocking would not work since the true notification senders are unknown, even after the subscription. 3) Current WS-Eventing architecture can handle this use case by having the event source forward notifications (from other senders) to the sinks. Therefore, alternative approaches should be treated as extensions. Thanks, - Wu Chou/Li Li, [1] http://www.w3.org/Bugs/Public/show_bug.cgi?id=7970
Received on Monday, 26 October 2009 14:54:43 UTC