[acs-wg] Instance Clarification

Keisuke Fukui kfukui at labs.fujitsu.com
Sun Sep 4 20:47:12 CDT 2005


Hi Mike and Pete,

Thanks for your efforts toward a spec!

Michael Behrens wrote:
> Could someone please verify the intent and meaning of "AA Instance" 
> relative to web services....
> Pete and I were drafting some content for the security section and ended 
> up in a discussion on how to enforce different security policies for 
> different AA Instances.  This might also pertain to transport protocols 
> as well since some transports are more secure than others and that might 
> be specified somehow in the security policy.

Here is my understanding on AA instance:

An AA instance is a form of AA in an ACS repository and is a Web service
resource. It could be created elsewhere, but it is most reasonable
to create it inside the ACS repository, which constitutes a part
of an implementation of the system. Is this a wrong understanding?

> ACS currently returns an EPR (or WS-Name perhaps) as a result of a 
> create operation.  That EPR could technically be anywhere on the 
> network, although most likely it would be on the same box as the ACS 
> service.
> Is it expected that each AA Instance is a separate web service or would 
> it be a part of and managed by the ACS Web Service?

If I understand the points here correctly, this is not a problem, though
it may need to be carefully taken into consideration. Existing standards
may not prohibit the EPRs (or resources) from being created
outside of the ACS, and the ACS spec. may or may not, but, I believe, we can
specify the security or transport to be organized to be efficient, rather
than accepting whatever is possible.

The transport to be used must be defined, supported and announced
by the implementation of the ACS repository. The security policy
to be used would be decided under the system-level design, but still
has to be supported and announced by the implementation. These may vary
among implementations. If one were to move an AA between them,
basically those must have a common security policy and transport type in
agreement.


Someone can implement a relay or a router converting or adapting
things, but it will involve more advanced considerations in my opinion.
We can discuss this in more detail. However, I propose we put our efforts
in an incremental way, from basics to advanced. As they say, Rome was not
built in a day :-)

  -Keisuke
