OASIS ebXML Messaging Services TC

  • 1.  RE: [ebxml-msg] Some suggestions regarding default security settings in ebMS 3.0

    Posted 02-14-2007 01:02
    Sacha:
    
    If we are absolutely confident that no use case that requires a
    different security order is worth supporting, then the expected order
    can be required as in ebMS2.
    
    Otherwise, it seems to me that could be handled in the "gateway"
    conformance profile - i.e. this profile would require support for a
    particular order of security operations.
    
    Although conformance profiles are not defined in the main spec, it is
    assumed you and partners need to agree on one in order to get
    interoperability. The "gateway" conf profile is supposed to be the
    baseline for eB/eG exchanges.
    
    If we consider this is something variable enough to be a P-Mode
    parameter (i.e. subject to agreement at deployment time, not just at
    development time) then the gateway conformance profile could require
    this parameter to have the value specifying the desired order. So every
    P-Mode derived for the gateway profile would specify this order, even if
    the implementation can support other orders.
    
    To summarize: such a requirement could appear at 3 levels (from the most
    inflexible to the most flexible):
    (a) core spec (like in V2)
    (b) conformance profile
    (c) P-Mode parameter and value.
    
    My hunch is that (b) or (b)+(c) could be appropriate.
    
    Jacques
    
    


  • 2.  RE: [ebxml-msg] Some suggestions regarding default securitysettings in ebMS 3.0

    Posted 02-15-2007 07:54
    Hi Jacques
    
    Am Dienstag, den 13.02.2007, 16:46 -0800 schrieb Durand, Jacques R.:
    > Sacha:
    > 
    > If we are absolutely confident that no use case that requires a
    > different security order is worth supporting, then the expected order
    > can be required as in ebMS2.
    
    I mixed them up in my email as Dale pointed out. So for the records:
    
    As noted in Note in section 4.1.4.5 in ebMS 2.0 sign first then encrypt.
    
    > 
    > Otherwise, it seems to me that could be handled in the "gateway"
    > conformance profile - i.e. this profile would require support for a
    > particular order of security operations.
    > 
    > Although conformance profiles are not defined in the main spec, it is
    > assumed you and partners need to agree on one in order to get
    > interoperability. The "gateway" conf profile is supposed to be the
    > baseline for eB/eG exchanges.
    
    Will these conformance profiles have standardised forms or structures or
    unique ways to reference them? Are they part of ebXML MS or ebXML IIC
    TC? 
    
    Would you think that theses conformance profiles will then be referenced
    in the ebXML CPA?
    
    In the ebXML CPA team of course we want to have everything ready once we
    come to a final ebXML CPA. The idea being that we only need to agree on
    the values we put in the ebXML CPA (which can include to set the
    conformance profile) and than there is no need to later have yet another
    agreement (discussion, email exchange or any other form of
    collaboration) to achieve interoperability.
    
    > 
    > If we consider this is something variable enough to be a P-Mode
    > parameter (i.e. subject to agreement at deployment time, not just at
    > development time) then the gateway conformance profile could require
    > this parameter to have the value specifying the desired order. So every
    > P-Mode derived for the gateway profile would specify this order, even if
    > the implementation can support other orders.
    > 
    > To summarize: such a requirement could appear at 3 levels (from the most
    > inflexible to the most flexible):
    > (a) core spec (like in V2)
    > (b) conformance profile
    > (c) P-Mode parameter and value.
    > 
    > My hunch is that (b) or (b)+(c) could be appropriate.
    > 
    
    The way I understood the ebXML CPA phone conference call where these
    questions were raised was if I want to use ebMS 3.0 and ebXML CPA 3.0
    must an application supporting both implement yet another WS-*
    specification (I think WS Policy was referenced) or can we have all ebMS
    3.0 configurations done in plain ebXML CPA.
    
    So, Dale Monica please help out if I miss the point here. I think as
    long as these configurations values can be configured without the
    absolute need to have another WS-* spec implemented (Monicas concern was
    as, far as I understand, that that requirement could have further
    consequences, eg if you have to implement WS-A for the configuration
    only then you naturally would also need implement WS-B, WS-C etc, Monica
    maybe you clarify again) then for the ebXML CPA people that would be OK
    and it is the ebXML MS people task to find the right place to place
    those settings.
    
    Sorry I do not know about the P-Modes enough but your hunch is that they
    would not be in the spec.
    
    Hope this makes sense and sorry that I did not keep up with ebMS 3.0
    specs.
    
    Sacha
    
    > Jacques
    > 
    > 


  • 3.  RE: [ebxml-msg] Some suggestions regarding default securitysettings in ebMS 3.0

    Posted 02-15-2007 17:25
     
    I think several features need to be added to deal with CPP and CPA
    support for ebMS 3.0
    
    1. The MPF URI value to be used in "pull" mode.
    2. Some changes in Transport to allow "pull" mode.
    3. A place for the ebMS MEP value.
    4. Probably some place to indicate the conformance profiles that are
    supported for a DeliveryChannel.
    5. Depending on conformance profile, possible other values TBD.
    
    I think all of these matters remain to be resolved in the CPPA TC
    meetings this month and in March.
    
    The role of WS-Policy is tricky. Some aspects of WSS (used in ebMS 3.0)
    have domain policy assertions defined. Some aspects of WS-RX may have
    domain policy assertions. 
    
    Use of these policy assertions to express policy alternatives for ebMS
    may have the advantage (in some cases) of not having to invent something
    new.
    However, where we already have enumerated values (such as for algorithms
    and strengths), domain policy is redundant (and a bit verbose also!).
    
    So we need to continue these discussions in CPPA. I think one main issue
    is how to handle ebMS configuration for explicit enumeration of the
    parts/elements/attachments to be signed or encrypted. In CPPA 2.0 we had
    the following mechanism in Packaging:
    
    	
    
    Notice that we had an optional attribute called "excludedFromSignature"
    and we also had a way to indicate both Encryption and Signature
    Transforms.
    
    What we do not have is a way to indicate specific elements to be signed,
    specific SOAP headers to be signed, SOAP headers to be encrypted, and a
    few more features. 
    
    We could also add and enhance this Packaging component of CPP/CPA. This
    would allow ebMS configuration without "requiring" WS-Policy processing
    capabilities (such as those found in the Apache project Neethi.)
    (Actually it has always been implementation dependent just what matching
    capability processing features are needed as part of the CPP to CPA
    formation and negotiation processes.)
    
    We have not yet considered this option so there is more to take up in
    CPPA before the choices have all been presented and their tradeoffs
    discussed.
    
    Dale Moberg
    
    
    
    
    > Otherwise, it seems to me that could be handled in the "gateway"
    > conformance profile - i.e. this profile would require support for a
    > particular order of security operations.
    > 
    > Although conformance profiles are not defined in the main spec, it is
    > assumed you and partners need to agree on one in order to get
    > interoperability. The "gateway" conf profile is supposed to be the
    > baseline for eB/eG exchanges.
    
    Will these conformance profiles have standardised forms or structures or
    unique ways to reference them? Are they part of ebXML MS or ebXML IIC
    TC? 
    
    Would you think that theses conformance profiles will then be referenced
    in the ebXML CPA?
    
    In the ebXML CPA team of course we want to have everything ready once we
    come to a final ebXML CPA. The idea being that we only need to agree on
    the values we put in the ebXML CPA (which can include to set the
    conformance profile) and than there is no need to later have yet another
    agreement (discussion, email exchange or any other form of
    collaboration) to achieve interoperability.
    
    > 
    > If we consider this is something variable enough to be a P-Mode
    > parameter (i.e. subject to agreement at deployment time, not just at
    > development time) then the gateway conformance profile could require
    > this parameter to have the value specifying the desired order. So
    every
    > P-Mode derived for the gateway profile would specify this order, even
    if
    > the implementation can support other orders.
    > 
    > To summarize: such a requirement could appear at 3 levels (from the
    most
    > inflexible to the most flexible):
    > (a) core spec (like in V2)
    > (b) conformance profile
    > (c) P-Mode parameter and value.
    > 
    > My hunch is that (b) or (b)+(c) could be appropriate.
    > 
    
    The way I understood the ebXML CPA phone conference call where these
    questions were raised was if I want to use ebMS 3.0 and ebXML CPA 3.0
    must an application supporting both implement yet another WS-*
    specification (I think WS Policy was referenced) or can we have all ebMS
    3.0 configurations done in plain ebXML CPA.
    
    So, Dale Monica please help out if I miss the point here. I think as
    long as these configurations values can be configured without the
    absolute need to have another WS-* spec implemented (Monicas concern was
    as, far as I understand, that that requirement could have further
    consequences, eg if you have to implement WS-A for the configuration
    only then you naturally would also need implement WS-B, WS-C etc, Monica
    maybe you clarify again) then for the ebXML CPA people that would be OK
    and it is the ebXML MS people task to find the right place to place
    those settings.
    
    Sorry I do not know about the P-Modes enough but your hunch is that they
    would not be in the spec.
    
    Hope this makes sense and sorry that I did not keep up with ebMS 3.0
    specs.
    
    Sacha
    
    > Jacques
    > 
    > 


  • 4.  RE: [ebxml-msg] Some suggestions regarding default securitysettings in ebMS 3.0

    Posted 02-15-2007 17:25
     
    I think several features need to be added to deal with CPP and CPA
    support for ebMS 3.0
    
    1. The MPF URI value to be used in "pull" mode.
    2. Some changes in Transport to allow "pull" mode.
    3. A place for the ebMS MEP value.
    4. Probably some place to indicate the conformance profiles that are
    supported for a DeliveryChannel.
    5. Depending on conformance profile, possible other values TBD.
    
    I think all of these matters remain to be resolved in the CPPA TC
    meetings this month and in March.
    
    The role of WS-Policy is tricky. Some aspects of WSS (used in ebMS 3.0)
    have domain policy assertions defined. Some aspects of WS-RX may have
    domain policy assertions. 
    
    Use of these policy assertions to express policy alternatives for ebMS
    may have the advantage (in some cases) of not having to invent something
    new.
    However, where we already have enumerated values (such as for algorithms
    and strengths), domain policy is redundant (and a bit verbose also!).
    
    So we need to continue these discussions in CPPA. I think one main issue
    is how to handle ebMS configuration for explicit enumeration of the
    parts/elements/attachments to be signed or encrypted. In CPPA 2.0 we had
    the following mechanism in Packaging:
    
    	
    
    Notice that we had an optional attribute called "excludedFromSignature"
    and we also had a way to indicate both Encryption and Signature
    Transforms.
    
    What we do not have is a way to indicate specific elements to be signed,
    specific SOAP headers to be signed, SOAP headers to be encrypted, and a
    few more features. 
    
    We could also add and enhance this Packaging component of CPP/CPA. This
    would allow ebMS configuration without "requiring" WS-Policy processing
    capabilities (such as those found in the Apache project Neethi.)
    (Actually it has always been implementation dependent just what matching
    capability processing features are needed as part of the CPP to CPA
    formation and negotiation processes.)
    
    We have not yet considered this option so there is more to take up in
    CPPA before the choices have all been presented and their tradeoffs
    discussed.
    
    Dale Moberg
    
    
    
    
    > Otherwise, it seems to me that could be handled in the "gateway"
    > conformance profile - i.e. this profile would require support for a
    > particular order of security operations.
    > 
    > Although conformance profiles are not defined in the main spec, it is
    > assumed you and partners need to agree on one in order to get
    > interoperability. The "gateway" conf profile is supposed to be the
    > baseline for eB/eG exchanges.
    
    Will these conformance profiles have standardised forms or structures or
    unique ways to reference them? Are they part of ebXML MS or ebXML IIC
    TC? 
    
    Would you think that theses conformance profiles will then be referenced
    in the ebXML CPA?
    
    In the ebXML CPA team of course we want to have everything ready once we
    come to a final ebXML CPA. The idea being that we only need to agree on
    the values we put in the ebXML CPA (which can include to set the
    conformance profile) and than there is no need to later have yet another
    agreement (discussion, email exchange or any other form of
    collaboration) to achieve interoperability.
    
    > 
    > If we consider this is something variable enough to be a P-Mode
    > parameter (i.e. subject to agreement at deployment time, not just at
    > development time) then the gateway conformance profile could require
    > this parameter to have the value specifying the desired order. So
    every
    > P-Mode derived for the gateway profile would specify this order, even
    if
    > the implementation can support other orders.
    > 
    > To summarize: such a requirement could appear at 3 levels (from the
    most
    > inflexible to the most flexible):
    > (a) core spec (like in V2)
    > (b) conformance profile
    > (c) P-Mode parameter and value.
    > 
    > My hunch is that (b) or (b)+(c) could be appropriate.
    > 
    
    The way I understood the ebXML CPA phone conference call where these
    questions were raised was if I want to use ebMS 3.0 and ebXML CPA 3.0
    must an application supporting both implement yet another WS-*
    specification (I think WS Policy was referenced) or can we have all ebMS
    3.0 configurations done in plain ebXML CPA.
    
    So, Dale Monica please help out if I miss the point here. I think as
    long as these configurations values can be configured without the
    absolute need to have another WS-* spec implemented (Monicas concern was
    as, far as I understand, that that requirement could have further
    consequences, eg if you have to implement WS-A for the configuration
    only then you naturally would also need implement WS-B, WS-C etc, Monica
    maybe you clarify again) then for the ebXML CPA people that would be OK
    and it is the ebXML MS people task to find the right place to place
    those settings.
    
    Sorry I do not know about the P-Modes enough but your hunch is that they
    would not be in the spec.
    
    Hope this makes sense and sorry that I did not keep up with ebMS 3.0
    specs.
    
    Sacha
    
    > Jacques
    > 
    >