- From: David Hull <dmh@tibco.com>
- Date: Wed, 15 Nov 2006 15:07:12 -0500
- To: "xml-dist-app@w3.org" <xml-dist-app@w3.org>
- Message-id: <455B7370.3020006@tibco.com>
Here is an example of layering bindings of the one-way MEP to produce useful behavior. The layering is simple: Layer fan-out over secure encryption over a transport binding. The explanation of how it works and what it means in terms of the SOAP model is verbose, but not complex. It's just plug-and-chug with the same basic concepts over and over. That gives me good confidence that it can be realized using software. My major takeaway from this: Intermediaries and the SOAP processing model can provide layering. ------------------------------------------------------------------------ In the model we've been discussing, a sender of a one-way message essentially hands (destination, message) to a binding supporting the one-way MEP. The binding is responsible for delivering the message to zero or more receivers. Delivering essentially means populating (sender, message) at the receiver, where the message at the receiver must be identical to the message at the sender. Otherwise there is a failure, which may even be reported. From the point of view of the SOAP processing model, there is a separate message path from the sender to each receiver. The binding may provide further information about the nature of said paths. Suppose a sender wishes to send a message to some distribution list. As a quality-of-service parameter, it wants to ensure that the message is encrypted according the the requirements of the receivers. These requirements may differ from receiver to receiver. There are several ways to accomplish this. Here is one, chosen for illustrative purposes. It requires the following bindings of the one-way MEP: * One or more transport bindings. These take a SOAP message and a destination, render it onto the wire, deliver it and recover the SOAP infoset at the receiving end. For each receiver, there is a single-hop message path from the sender, with no intermediaries. * An secure binding. This binding requires a set of encryption parameters (algorithm, key, etc.) and makes use of an underlying non-secure binding, which must support the one-way MEP. The set of the receivers is the same as for the underlying binding (for the sake of this example we can assume the underlying binding is unicast, though it need not be). For each receiver, the message path consists of o A one-way from the sender to an encrypting intermediary. This intermediary produces, according to the parameters it was given, an encrypted SOAP message from the plaintext SOAP message (i.e., some of the headers of the encrypted message may be readable, but the bulk will be gibberish). o A one-way using the underlying binding, from the encrypting intermediary to a decrypting intermediary, which produces a plaintext SOAP message from the encrypted one. Decryption must be the inverse of encryption. That is, this process must reproduce the original message. o A one-way from the decrypting intermediary to the receiver. o As decryption is the inverse of encryption, this chain satisfies the MEP requirement that the received message be identical to the sent message. * NOTE: If the underlying binding supports multicast, each receiver will (by definition) receive an identical encrypted message in the middle hop. To provide per-receiver parameters, we need ... * A fan-out binding. This binding makes use of one or more underlying bindings, which must support the one-way MEP. The set of receivers is the union of those for the destinations found in the fan-out process (again for the sake of the example, we can assume that this underlying bindings are unicast, though again they need not be). For each receiver, the message path consists of o A one-way from the sender to a fan-out intermediary. This intermediary takes (destination_1 , message) and from the destination_1 determines a set of (destination_2 , binding) pairs. o A one-way from the intermediary to the receiver, using the binding determined for that receiver's destination_2 . The message for this hop is identical to the message for the first hop, ensuring identity from sender to receiver. * For purely technical reasons, a "no-op" binding which just forwards (destination, message) to the next hop. The set of receivers contains (only) the sender for the next hop. Putting it together: The sender sends a message using the fan-out binding to a multicast destination. The intermediary in the fan-out binding must know the actual receivers (or more accurately, what destination_2 addresses to use to reach them), and the encryption parameters for each (that is, for each destination_2 ). Note that /someone/ at the sending end has to know this information. The binding for each destination_2 is the secure binding with the given parameters. The underlying binding for the secure binding is the actual transport binding for reaching that destination. The receivers will be using the same encrypted binding in the same way. Again, note that the receivers have to know to decrypt, so again this is not an additional requirement. This implements a "secure multicast" binding of the one-way MEP using the bindings above. The set of receivers is the union of the receivers for each destination_2 in the fan-out. For each receiver, the full message path consists of 1. A one-way from the sender to the fan-out. 2. A one-way from the fan-out to the encrypting intermediary 3. A one-way from the encrypting intermediary to the decrypting intermediary 4. A one-way from the decrypting intermediary to the receiver. As we are implementing the one-way MEP we have to assure ourselves that the message received is the same as the message sent. This is straightforward: * Steps 1, 2 and 4 use the no-op binding, which works by definition. * Step 3 uses a transport binding, which works by construction. * Steps 2, 3 and 4 together constitute a one-way under the secure binding, which works because decryption is the inverse of encryption (and because step 3 works, and because equality is transitive). * Steps 1 through 4 together constitute a one-way because 1 does and steps 2 through 4 together do (and because equality is transitive).
Received on Wednesday, 15 November 2006 20:07:31 UTC