- From: David Orchard <dorchard@bea.com>
- Date: Sun, 17 Nov 2002 19:43:58 -0800
- To: "'Rich Salz'" <rsalz@datapower.com>
- Cc: <wss@lists.oasis-open.org>, <www-ws-arch@w3.org>

Hi Rich,

Apologies for my delay, it's been a crazy few weeks of meetings.

I think the issue around WSDL is that it is possible to have many different ways of expressing the requirements on the header. And it would be good to have a clean and interoperable way of expressing these. WSDL 1.1 and 1.2 provide frameworks for extension to specify required headers. Clearly wsdl WG won't define specific extensions for various header blocks, so this discussion is orthogonal to wsdl wg's work.

Currently, the ws-security header element is fairly generic. It's really the contents of the header that a service will be interested in specifying. For example, a service could say that message integrity is required. I'll avoid for the purposes of this discussion about the extent of the potential properties that might also be required, such as CA, particular type of c14n, etc. So how does an application specify that message integrity is required? Simply saying the header is required probably does very little for interop.

And now for my $.02 worth of some similar context. SAML went through a similar issue, which was how does one query for a particular type of assertion data. There was movement away from generic assertion to strongly typed assertions specifically because of the difficulty in writing interoperable constructs (queries) that specify the response data, including types. WS-Security without WSDL is akin to SAML Assertions without SAML queries. There would be no way of having SAML interop without SAML Queries - simply saying that SAML should define assertions wasn't nearly sufficient. I know the analogy isn't perfect, but it shows a similar relationship.

I personally foresee similar kinds of difficulties in defining requirements on ws-security content for a service. The ability to clearly specify the data requirements for ws-security header element in a WSDL document is crucial for real interop, and particularly interop without some kind of private agreement.

And it seems that defining the WSDL extensions for ws-security is better done in the oasis ws-security tc, rather than somewhere else like ws-i.

Cheers,
Dave

> -----Original Message-----
> From: Rich Salz [mailto:rsalz@datapower.com]
> Sent: Monday, November 11, 2002 7:01 PM
> To: David Orchard
> Cc: wss@lists.oasis-open.org; www-ws-arch@w3.org
> Subject: Re: [wss] Issue on WS-Security and WSDL definitions
>
> Dave,
>
> I'm not current on WSDL 1.2, but can you explain a bit how WSDL fits
> in here? It seems to me that a stand-alone specification should just
> define the semantics of its elements. If an application wants those
> semantics, then the application WSDL should specify the header as
> being required.
>
> What am I missing?
> /r$
>
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>

Received on Sunday, 17 November 2002 22:44:45 UTC