John:
Yes, it was always the intent to require support for - at least - PullRequest authorization. So we'll make that more explicit.
What was not so clear was whether support for authorization of other kinds of messages was to be mandatory too, in an implementation (e.g. some User messages could be "authorized" for some Service/Action, and not for others).
The proposed rewording will NOT make authorization beyond PullRequest mandatory in the conf profile (although an implementation may decide to support this as an extra).
> As we discussed, X.509 cert authentication should also be available as an option to username/password authentication.
So there are two ways to deal with this in AS4 (only the first one is an option for the other ebMS3 Conformance Profiles):
(a) If it really has to be optional *in AS4 implementations*, then do not mention this in the AS4 profile: the conformance profile only makes a statement on what minimal capability must be supported by a conforming implementation - here username/password authentication. You can always support X.509 on top of this, and you can always decide to use it with your partner.
(b) If we want AS4 implementations to always allow for this (so it's just a matter of configuration for users to decide to use it or not), then in AS4 we can add this to the new "additional features" section. Meaning that as an implementation conforming to AS4 it must support it.
So we'll have to decide in AS4 about (a) or (b).
Regards,
Jacques
Hi Jacques,
I think it's better to be more specific and go with the sentence at the end that indicates Authorization for the pull signal must be supported.
It would be a huge security risk to allow non-authenticated pull signals, so this should be mandatory.
As we discussed, X.509 cert authentication should also be available as an option to username/password authentication.
Best Regards,
John
Should we be more explicit about the level of support expected for message authorization, as discussed in AS4 SC:
The Gateway conf profiles say:
Should we say instead:
Support for message authorization at P-Mode level (see 7.10 in [ebMS3]) using wsse:UsernameToken profile. Authorization of the Pull signal - for a particular MPC - must be supported at minimum.
Jacques
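Added example (not code from the thread, the AS4 profile or any product): what "authorization of the Pull signal for a particular MPC, using wsse:UsernameToken, at P-Mode level" looks like on the receiving MSH, and why John's point about unauthenticated pulls matters. The SOAP 1.2, ebMS3 and WS-Security namespace URIs and the "ebms"-targeted security role follow the ebMS3 core specification (section 7.10); the P-Mode table layout, the default-MPC handling, the `authorize_pull_request` / `build_pull_request` names and the sample message are constructed for illustration. Only PasswordText tokens are checked (assumed to travel over TLS); PasswordDigest and the X.509 alternative discussed above are not shown.

```python
"""Added example: per-MPC authorization of an ebMS3/AS4 PullRequest.

Namespace and role URIs are those of the ebMS3 core spec; the P-Mode
table, sample envelope and function names are constructed assumptions.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {
    "S12": "http://www.w3.org/2003/05/soap-envelope",
    "eb": "http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/",
    "wsse": ("http://docs.oasis-open.org/wss/2004/01/"
             "oasis-200401-wss-wssecurity-secext-1.0.xsd"),
}
# ebMS3 7.10: the authorization token sits in a wsse:Security header
# targeted at the "ebms" SOAP role, separate from any signing header.
EBMS_ROLE = "http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/ebms"
# Assumption: default MPC URI used when eb:PullRequest carries no mpc attribute.
DEFAULT_MPC = "http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/defaultMPC"
PWD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-username-token-profile-1.0#PasswordText")

# Constructed P-Mode table (modelled on PMode.Initiator.Authorization.username
# and .password): each MPC is bound to exactly one puller's credentials.
# Passwords are held as SHA-256 digests so the table stores no cleartext.
PMODES = {
    "http://example.com/mpc/partnerA": {
        "username": "partnerA",
        "password_sha256": hashlib.sha256(b"s3cr3t-A").hexdigest(),
    },
}


def authorize_pull_request(envelope_xml, pmodes):
    """Return (True, mpc) if the PullRequest carries a UsernameToken that
    matches the P-Mode bound to its MPC, otherwise (False, reason).
    A pull without an ebms-targeted security header is always refused."""
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError as exc:
        return False, "malformed envelope: %s" % exc
    header = root.find("S12:Header", NS)
    if header is None:
        return False, "no SOAP header"
    pull = header.find("eb:Messaging/eb:SignalMessage/eb:PullRequest", NS)
    if pull is None:
        return False, "not a PullRequest"
    mpc = pull.get("mpc", DEFAULT_MPC)
    # Pick the wsse:Security header addressed to the ebms role only.
    sec = None
    for cand in header.findall("wsse:Security", NS):
        if cand.get("{%s}role" % NS["S12"]) == EBMS_ROLE:
            sec = cand
            break
    if sec is None:
        return False, "no wsse:Security header targeted at the ebms role"
    token = sec.find("wsse:UsernameToken", NS)
    if token is None:
        return False, "no UsernameToken in ebms security header"
    user_el = token.find("wsse:Username", NS)
    pwd_el = token.find("wsse:Password", NS)
    if user_el is None or pwd_el is None or not user_el.text or not pwd_el.text:
        return False, "incomplete UsernameToken"
    if pwd_el.get("Type", PWD_TEXT) != PWD_TEXT:
        return False, "unsupported password type"  # PasswordDigest not handled here
    pmode = pmodes.get(mpc)
    if pmode is None:
        return False, "no P-Mode for MPC %s" % mpc
    # Authorization is per MPC: the token must match the credentials bound
    # to this MPC, not merely be a valid account somewhere on the MSH.
    presented = hashlib.sha256(pwd_el.text.encode("utf-8")).hexdigest()
    user_ok = hmac.compare_digest(user_el.text.encode("utf-8"),
                                  pmode["username"].encode("utf-8"))
    pwd_ok = hmac.compare_digest(presented.encode("ascii"),
                                 pmode["password_sha256"].encode("ascii"))
    if not (user_ok and pwd_ok):
        return False, "credentials not authorized for MPC %s" % mpc
    return True, mpc


def build_pull_request(mpc=None, username=None, password=None):
    """Constructed sample PullRequest; the ebms security header is
    omitted entirely when no username is given (the anonymous-pull case)."""
    sec = ""
    if username is not None:
        sec = ('<wsse:Security xmlns:wsse="%s" S12:role="%s">'
               '<wsse:UsernameToken><wsse:Username>%s</wsse:Username>'
               '<wsse:Password Type="%s">%s</wsse:Password>'
               '</wsse:UsernameToken></wsse:Security>'
               % (NS["wsse"], EBMS_ROLE, username, PWD_TEXT, password))
    mpc_attr = ' mpc="%s"' % mpc if mpc else ""
    return ('<S12:Envelope xmlns:S12="%s"><S12:Header>'
            '<eb:Messaging xmlns:eb="%s" S12:mustUnderstand="true">'
            '<eb:SignalMessage><eb:MessageInfo>'
            '<eb:Timestamp>2024-01-01T00:00:00Z</eb:Timestamp>'
            '<eb:MessageId>pull-1@example.com</eb:MessageId></eb:MessageInfo>'
            '<eb:PullRequest%s/></eb:SignalMessage></eb:Messaging>%s'
            '</S12:Header><S12:Body/></S12:Envelope>'
            % (NS["S12"], NS["eb"], mpc_attr, sec))


if __name__ == "__main__":
    mpc_a = "http://example.com/mpc/partnerA"
    for label, env in [
        ("authorized", build_pull_request(mpc_a, "partnerA", "s3cr3t-A")),
        ("anonymous pull", build_pull_request(mpc_a)),
        ("wrong password", build_pull_request(mpc_a, "partnerA", "guess")),
        ("unknown MPC", build_pull_request("http://example.com/mpc/x", "partnerA", "s3cr3t-A")),
    ]:
        print(label, "->", authorize_pull_request(env, PMODES))
```

The decision that matters for the thread is the "anonymous pull" branch: the receiving MSH refuses to serve any PullRequest whose ebms-targeted security header is missing, rather than falling back to handing out whatever is queued on the MPC. Binding the credentials to the MPC in the P-Mode is what makes "authorization for a particular MPC" more than plain authentication: a partner with a valid account for one MPC still cannot pull from another.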