OASIS ebXML Messaging Services TC

  • 1.  Message authorization in conf profiles

    Posted 10-29-2008 00:55
    Should we be more explicit about the level of support expected for message authorization, as discussed in AS4 SC:
     The Gateway conf profiles say:
    • Support for message authorization at P-Mode level (see 7.10 in [ebMS3]) using wsse:UsernameToken profile, in particular authorization of the Pull signal for a particular MPC.

    Should we say instead:

    Support for message authorization at P-Mode level (see 7.10 in [ebMS3]) using wsse:UsernameToken profile. Authorization of the Pull signal - for a particular MPC - must be supported at minimum.



  • 2.  RE: [ebxml-msg] Message authorization in conf profiles

    Posted 10-29-2008 01:10
    Hi Jacques,
    I think it's better to be more specific and go with the sentence at the end that indicates Authorization for the pull signal must be supported.
    It would be a huge security risk to allow non-authenticated pull signals, so this should be mandatory.
    As we discussed, X.509 cert authentication should also be available as an option to username/password authentication.
    Best Regards,

    From: Durand, Jacques R. [mailto:JDurand@us.fujitsu.com]
    Sent: Tuesday, October 28, 2008 5:59 PM
    To: ebxml-msg@lists.oasis-open.org
    Subject: [ebxml-msg] Message authorization in conf profiles



  • 3.  RE: [ebxml-msg] Message authorization in conf profiles

    Posted 10-29-2008 22:49
Yes, it was always the intent to require support for - at least - PullRequest authorization.
    So we'll make that more explicit.
    What was not so clear was whether support for authorization of other kinds of messages was to be mandatory too, in an implementation. (e.g. some User messages could be "authorized" for some Service/Action, and not for others).
    The proposed rewording will NOT make authorization beyond PullRequest mandatory in the conf profile (although an implementation may decide to support this in extra).
    >As we discussed, X.509 cert authentication should also be available as an option to username/password authentication.
    So there are two ways to deal with this in AS4 (only the first one is an option for the other ebMS3 Conformance Profiles):
    (a)  If it really has to be optional *in AS4 implementations*, then do not mention this in the AS4 profile: the conformance profile only makes a statement on what minimal capability must be supported by a conforming implementation - here username/password authentication. You can always support X.509 on top of this, and you can always decide to use it with your partner.
(b)  If we want AS4 implementations to always allow for this (so it's just a matter of configuration for users to decide to use it or not), then in AS4 we can add this to the new "additional features" section. Meaning as an implementation conforming to AS4 it must support it.
    So we'll have to decide in AS4 about (a) or (b).

    From: John Voss (jovoss) [mailto:jovoss@cisco.com]
    Sent: Tuesday, October 28, 2008 6:14 PM
    To: Durand, Jacques R.; ebxml-msg@lists.oasis-open.org
    Subject: RE: [ebxml-msg] Message authorization in conf profiles
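The check the proposed wording makes mandatory (P-Mode level authorization of a PullRequest for a particular MPC, carried in a wsse:UsernameToken) as an added worked example in Python. This is illustrative code written for this page, not code from the TC or from any ebMS3/AS4 implementation: the MPC URI, partner name, password and the shape of the P-Mode store are constructed; the SOAP 1.2, ebMS3 core and WS-Security namespace URIs are the standard ones.

```python
"""P-Mode level authorization of an ebMS3 PullRequest (illustrative example)."""
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from typing import Optional, Tuple
from xml.sax.saxutils import escape

# Namespace URIs: SOAP 1.2, ebMS3 core, WS-Security 1.0 secext.
NS = {
    "S12": "http://www.w3.org/2003/05/soap-envelope",
    "eb": "http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
}
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted verifier so the P-Mode store never holds the clear-text password."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed P-Mode store (hypothetical MPC and partner): for each MPC, the one
# partner authorized to pull from it, as (username, salt, PBKDF2 digest).
PMODE_PULL_AUTH = {
    "urn:example:mpc:partnerA": ("partnerA", *hash_password("correct-horse-battery")),
}


def _username_token(root: ET.Element) -> Optional[Tuple[str, str]]:
    """Return (username, password) from the first wsse:UsernameToken, or None if absent."""
    token = root.find(".//wsse:Security/wsse:UsernameToken", NS)
    if token is None:
        return None
    user = token.findtext("wsse:Username", default="", namespaces=NS)
    pwd = token.findtext("wsse:Password", default="", namespaces=NS)
    return user, pwd


def authorize_pull(envelope_xml: str) -> Tuple[bool, str]:
    """Accept a PullRequest only if its UsernameToken matches the P-Mode for its MPC."""
    root = ET.fromstring(envelope_xml)
    pull = root.find(".//eb:SignalMessage/eb:PullRequest", NS)
    if pull is None:
        return False, "not a PullRequest signal"
    mpc = pull.get("mpc")
    if mpc is None:
        return False, "PullRequest without an explicit mpc is not configured here"
    pmode = PMODE_PULL_AUTH.get(mpc)
    if pmode is None:
        return False, f"no P-Mode authorizes pulling from MPC {mpc}"
    creds = _username_token(root)
    if creds is None:
        # An unauthenticated pull would let anyone drain the channel, so the
        # default is deny, never "allow because no token was supplied".
        return False, "unauthenticated PullRequest rejected"
    user, pwd = creds
    exp_user, salt, exp_digest = pmode
    # Always derive the digest so timing does not reveal whether the username
    # matched; compare both fields with constant-time comparison.
    digest = hashlib.pbkdf2_hmac("sha256", pwd.encode(), salt, PBKDF2_ROUNDS)
    ok = hmac.compare_digest(user.encode(), exp_user.encode()) & hmac.compare_digest(digest, exp_digest)
    return (True, f"pull from {mpc} authorized for {user}") if ok else (False, "bad credentials")


def build_pull_request(mpc: str, username: Optional[str] = None, password: Optional[str] = None) -> str:
    """Construct a minimal SOAP 1.2 envelope carrying an ebMS3 PullRequest (sample input)."""
    token = ""
    if username is not None:
        token = (
            f'<wsse:Security xmlns:wsse="{NS["wsse"]}"><wsse:UsernameToken>'
            f"<wsse:Username>{escape(username)}</wsse:Username>"
            f"<wsse:Password>{escape(password or '')}</wsse:Password>"
            "</wsse:UsernameToken></wsse:Security>"
        )
    return (
        f'<S12:Envelope xmlns:S12="{NS["S12"]}" xmlns:eb="{NS["eb"]}"><S12:Header>'
        "<eb:Messaging><eb:SignalMessage><eb:MessageInfo>"
        "<eb:Timestamp>2008-10-29T00:55:00Z</eb:Timestamp>"
        "<eb:MessageId>constructed-001@example.invalid</eb:MessageId>"
        f'</eb:MessageInfo><eb:PullRequest mpc="{escape(mpc)}"/></eb:SignalMessage>'
        f"</eb:Messaging>{token}</S12:Header><S12:Body/></S12:Envelope>"
    )


if __name__ == "__main__":
    mpc = "urn:example:mpc:partnerA"
    print(authorize_pull(build_pull_request(mpc, "partnerA", "correct-horse-battery")))
    print(authorize_pull(build_pull_request(mpc)))
    print(authorize_pull(build_pull_request(mpc, "partnerA", "wrong")))
```

The receiving MSH keys the decision on the MPC named in the PullRequest, so a token that is valid for one channel cannot be used to pull from another; a missing token, an unknown MPC, a wrong username or a wrong password all fall through to a rejection rather than to a default allow. Because the UsernameToken carries the password in the clear, this check only makes sense over a transport that protects the SOAP header (TLS), and the P-Mode store holds a salted verifier rather than the password itself.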



  • 4.  Re: [ebxml-msg] Message authorization in conf profiles

    Posted 11-03-2008 18:18
    We'll follow up with this on today's AS4 conference call.

    Durand, Jacques R. wrote:



  • 5.  RE: [ebxml-msg] Message authorization in conf profiles

    Posted 11-03-2008 21:57

    So there are two ways to deal with this in AS4 (only the first one is an option for the other ebMS3 Conformance Profiles):

    (a)  If it really has to be optional *in AS4 implementations*, then do not mention this in the AS4 profile: the conformance profile only makes a statement on what minimal capability must be supported by a conforming implementation - here username/password authentication. You can always support X.509 on top of this, and you can always decide to use it with your partner.

    (b)  If we want AS4 implementations to always allow for this (so it's just a matter of configuration for users to decide to use it or not), then in AS4 we can add this to the new "additional features" section. Meaning as an implementation conforming to AS4 it must support it.

    I would vote for (b) – must implement.
