[graap-wg] proposal: agreement lifecycle end-games

Karl Czajkowski karlcz at univa.com
Wed Mar 23 20:44:14 CST 2005


On Mar 23, Jon MacLaren loaded a tape reading:
> No, I don't think I've explained it properly.  It's a lot simpler than 
> your reply suggests.
> 
> I didn't say the agreement is a message, which you stated in your 
> reply.  I said that it should be a document.  There is nothing to stop 
> me sending a signed document as part of an XML message irrespective of 
> the message-level/transport-level security stuff.
> 

Nothing except for the same WS-A guidelines that we would now be
violating in making a particular signature algorithm part of the
standard.  Which method would you suggest?  I don't even know what
identification standard we can assume for the agreement
parties... PKI?  Kerberos?  <Username, password>?  Which community do
we decide is _the_ community for WS-Agreement?  I need PKI for Globus
Toolkit deployment, but I am sure others need something else.

So, if we factor out signature itself as something that must come from
a profile of WS-Agreement and security specs, then all we have left is
the initiator sending the document once (where it could possibly be
signed) and the responder sending it once (where it could possibly be
signed).  We do not currently have the responder sending the agreement
document, since it seemed "redundant" to the people who do not care
about this signature dance.  I see this as a justifiable reason to put
it back in spite of its "redundancy".

We could put it in the output of the createAgreement and the input of
the acceptAgreement [if we go w/ the proposal I summarized again
recently].  Or, we could say that the initiator MAY fetch it anytime
after acceptance by fetching an RP containing the document,
e.g. AcceptedAgreement, which would be nil until the acceptance
decision is made.

I don't know how to allow arbitrary signature content to appear within
the WS-Agreement messages (where we currently have the agreement doc
element).  I do, however, think it is trivial to have the sending
party sign the _entire_ message and use that rather than trying to
embed signature at the application level.

However, it seems impossible to mandate that "both" parties have
signed the responder-generated document, since we do not have any way
of specifying what it means to have signed it.  I think that, too,
would have to be in a secure-agreement profile.  I am not sure it is
even strictly necessary, when one can retain the two unilaterally
signed messages and present them together to show agreement.


karl

-- 
Karl Czajkowski
karlcz at univa.com
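The last paragraph above suggests keeping the two unilaterally signed messages and presenting them together as evidence of agreement. The following is an added example of that check, not code from this thread or from the WS-Agreement specification. It assumes a deterministic serialization of the agreement document, per-party signing keys (constructed sample values standing in for whatever a security profile such as PKI or Kerberos would provide), and HMAC-SHA256 as a stand-in for a real message-level signature so that it runs with the standard library only; the message, role and function names are the example's own.

```python
"""Added example: two unilaterally signed copies of one agreement document,
retained together as evidence that both parties agreed to the same bytes.
Not code from the WS-Agreement spec or the mailing-list thread."""
import hashlib
import hmac
import json

# Assumption: each party holds its own signing key. HMAC stands in for a real
# signature (XML-DSig / WS-Security) so the example needs no third-party library.
# These keys are constructed sample values.
INITIATOR_KEY = b"initiator-sample-key"
RESPONDER_KEY = b"responder-sample-key"


def canonical_bytes(agreement: dict) -> bytes:
    """Serialize deterministically so both parties sign byte-identical content."""
    return json.dumps(agreement, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _payload(role: str, document: bytes) -> bytes:
    # The role is bound into the signed payload so a responder's signature
    # cannot be re-presented as an initiator's signature over the same document.
    return role.encode("utf-8") + b"\n" + document


def sign_message(party_key: bytes, role: str, document: bytes) -> dict:
    """A party signs the entire message it sends (role tag + agreement document)."""
    tag = hmac.new(party_key, _payload(role, document), hashlib.sha256).hexdigest()
    return {"role": role, "document": document, "signature": tag}


def verify_message(party_key: bytes, message: dict) -> bool:
    """Check one unilateral signature under the claimed party's key."""
    expected = hmac.new(party_key, _payload(message["role"], message["document"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, message["signature"])


def agreement_established(initiator_msg: dict, responder_msg: dict, keys: dict) -> bool:
    """Present the two signed messages together: roles must be as expected,
    both signatures must verify under the right key, and both messages must
    carry byte-identical agreement documents."""
    if initiator_msg["role"] != "initiator" or responder_msg["role"] != "responder":
        return False
    if initiator_msg["document"] != responder_msg["document"]:
        return False
    return (verify_message(keys["initiator"], initiator_msg)
            and verify_message(keys["responder"], responder_msg))


def demo() -> tuple:
    """Returns (honest_case, altered_document_case, forged_signature_case)."""
    keys = {"initiator": INITIATOR_KEY, "responder": RESPONDER_KEY}
    agreement = {"id": "agr-001", "terms": {"cpu_hours": 100}}  # constructed sample
    doc = canonical_bytes(agreement)

    # Honest exchange: initiator sends the document, responder sends it back.
    init_msg = sign_message(INITIATOR_KEY, "initiator", doc)
    resp_msg = sign_message(RESPONDER_KEY, "responder", doc)
    honest = agreement_established(init_msg, resp_msg, keys)

    # Responder returns a changed document: the two signatures no longer cover
    # the same bytes, so the pair does not show agreement.
    altered = dict(agreement)
    altered["terms"] = {"cpu_hours": 50}
    altered_msg = sign_message(RESPONDER_KEY, "responder", canonical_bytes(altered))
    altered_case = agreement_established(init_msg, altered_msg, keys)

    # Signature field replaced: verification under the responder's key fails.
    forged = dict(resp_msg)
    forged["signature"] = "00" * 32
    forged_case = agreement_established(init_msg, forged, keys)

    return honest, altered_case, forged_case


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False)
```

The check deliberately compares the documents as bytes rather than as parsed structures: the point of the two-message approach is that each party signed exactly what it sent, so any canonicalization has to happen before signing, not during verification.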
