I think that it makes piratical sense to add WS-SecureConversation to the
Basic B2B Profile.  as without it, you really can't have secure, reliable
messaging.  Besides helping to tremendously increase the performance of
secure Web services, WS-SC also gives you context based (i.e. instance)
level security. Are there questions or concerns ?

Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122

Always questions :-)  And this one is probably a naive one, but can you use
WS-SecureConversation without WS-Trust?  The Abstract for the spec states
that WS-SecureConversation builds on WS-Security and WS-Trust.  And it
looks to me like all of the techniques for establishing a Security Context
Token involve WS-Trust.

Also I'm trying to figure out where this fits into uses of this profile.
What problems are WS-SecureConversation solving related to uses of this
profile?  What are the related usage patterns for reliable messaging and/or
addressing that surface these problems, and what kinds of message exchange
patterns are being assumed?  And does WS-Trust get pulled into the profile
if WS-SecureConversation is used to solve these problems?

Barbara McKee          bmc...@us.ibm.com
Software Group Emerging Technologies
11501 Burnet Road,  Austin, TX   78758
(512)838-9326       T/L 678-9326

             Anthony                                                      
             Nadalin/Austin/IB                                            
             M@IBMUS                                                    To
                                       basicB2B@googlegroups.com          
             05/13/2005 08:02                                           cc
             AM                                                            
                                                                   Subject
                                       Adding WS-SecureConversation to the
             Please respond to         Basic B2B Profile                  
                 basicB2B                                                  

I think that it makes piratical sense to add WS-SecureConversation to the
Basic B2B Profile. as without it, you really can't have secure, reliable
messaging. Besides helping to tremendously increase the performance of
secure Web services, WS-SC also gives you context based (i.e. instance)
level security. Are there questions or concerns ?

Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122

graycol.gif < 1K Download

pic04308.gif 1K Download

ecblank.gif < 1K Download

I agree that WS-SecureConversation should be part of the profile. Each
message would typically be signed / encrypted with the sending
endpoint's credential. A WS-SecureConversation endpoint caches the
credentials related to all of its partner endpoints and reuses those
for verification of incoming messages. Each message is verified with
symmetric key cryptography (asymmetric key cryptography - used in the
absence of WS-SecureConversation -- is much more expensive).

If an endpoint does not exchange any message with another for a long
period of time, the caches would expire but as long as there is a
steady flow, WS-SecureConversation should help considerably,
performance-wise.

Additionally, I think that WS-Trust should also be included as it gives
you a way of managing credentials that has its own benefits (beyond
performance).

Barbara,

I didn't notice any follow-ups to this, so here goes. Yes, you can use
WS-Secure Conversation without WS-Trust.
See section 4 of the WS-SC spec.

As to the question of where (or whether) this fits into the uses of the
profile, basically it is to improve performance
of security operations by virtue of the use of symmetric keys.
Additionally, as we demonstrated in the WS-RM and
WS-SC/T composability interop workshop, there is an additional aspect of
security enabled that provides for the
RM Source to be able to protect use of the established RM Sequence by
associating a specific security token
with an newly created Sequence as described in section 3.4 of the WS-RM
spec. See the description of the
/wsrm:CreateSequence/wsse:SecurityTokenReference element.

I note that Tim has suggested that WS-Trust also be added to the profile.
I think that this deserves some
discussion. I will follow-up that thread presently.

That question aside, are there any objections to adding WS-SC to the next
revision of the profile?

Cheers,

Christopher Ferris
STSM, Emerging e-business Industry Architecture
email: chris...@us.ibm.com
blog: http://webpages.charter.net/chrisfer/blog.html
phone: +1 508 377 9295

Barbara McKee/Austin/IBM@IBMUS wrote on 05/16/2005 09:52:05 AM:

use WS-SecureConversation
WS-SecureConversation builds on WS-
establishing a Security
What problems are WS-
related usage patterns
and what kinds of message

the Basic B2B Profile. as
helping to tremendously
context based (i.e.