3753 – Example 1-1 is not a complete security policy

This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 3753 - Example 1-1 is not a complete security policy

Summary: Example 1-1 is not a complete security policy

Status:	RESOLVED FIXED

Alias:	None

Product:	WS-Policy
Classification:	Unclassified
Component:	Framework (show other bugs)
Version:	PR
Hardware:	Macintosh All

Importance:	P2 normal
Target Milestone:	---
Assignee:	Fabian Ritzmann
QA Contact:	Web Services Policy WG QA List

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2006-09-19 15:00 UTC by Fabian Ritzmann
Modified:	2006-09-27 18:17 UTC (History)
CC List:	0 users

See Also:

Attachments

Description Fabian Ritzmann 2006-09-19 15:00:54 UTC

Title

Example 1-1 is not a complete security policy


Description

Example 1-1 shows a simple policy with two security policy assertions in lines 03 and 04. According to WS-SecurityPolicy 1.2, section 7.1, these security policy assertions must be encapsulated by a policy that is nested inside an AlgorithmSuite assertion. The enclosing AlgorithmSuite assertions as well as suitable top-level assertions containing the AlgorithmSuite assertions are missing from example 1-1.

The examples in the following chapters build on this first example. Despite extensive research we did not find a policy that is sufficiently simple, can serve as a basis for the other examples, and still is a valid policy. We should still point out that the example given is an incomplete policy that only serves to illustrate how a policy could look like.


Justification

An example of a policy that claims to display a security policy but in fact violates the constraints of WS-SecurityPolicy causes unnecessary confusion among readers of both specifications.


Target

Web Services Policy Framework, section 1.2, example 1-1


Proposal

Replace "The following example illustrates a security policy expression using assertions defined in WS-SecurityPolicy WS-SecurityPolicy?:"

by "The following example illustrates a security policy expression using assertions defined in WS-SecurityPolicy WS-SecurityPolicy? rather than a complete security policy:"

Comment 1 Fabian Ritzmann 2006-09-19 15:13:35 UTC

The proposal text got slightly skewed. Here is a cleaned up version:

Proposal

Replace "The following example illustrates a security policy expression using
assertions defined in WS-SecurityPolicy [WS-SecurityPolicy]:"

by "The following example illustrates a security policy expression using
assertions defined in WS-SecurityPolicy [WS-SecurityPolicy] rather than a
complete security policy:"

Comment 2 Fabian Ritzmann 2006-09-20 11:22:17 UTC

Follow up by Tony Nadalin:

Instead for changing the wording I suggest the following using the
following example

01) <wsp:Policy
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
xmlns:wsp="http://www.w3.org/@@@@/@@/policy" >
(02)   <wsp:ExactlyOne>
(03)     <wsp:All>
(04)       <sp:SignedParts>
              <sp:Body />
           </sp:SignedParts>
(05)     </wsp:All>
(06)     <wsp:All>
(07)       <sp:EncryptedParts>
              <sp:Body />
           </sp:EncryptedParts>
(08)     </wsp:All>
(09)   </wsp:ExactlyOne>
(10) </wsp:Policy>

Comment 3 Fabian Ritzmann 2006-09-26 11:33:10 UTC

Comment by Dan Roth:

This looks good to me.  I suggested we assign this one over to the editors.

Comment 4 Paul Cotton 2006-09-27 18:17:04 UTC

Resolved at Sep 27 meeting:
http://www.w3.org/2006/09/27-ws-policy-minutes.html 

Adopted Tony's example in http://www.w3.org/Bugs/Public/show_bug.cgi?id=3753#c2 and moved existing example 1-1 to later section where it is referenced.