I think that it makes piratical sense to add WS-SecureConversation to the Basic B2B Profile. as without it, you really can't have secure, reliable messaging. Besides helping to tremendously increase the performance of secure Web services, WS-SC also gives you context based (i.e. instance) level security. Are there questions or concerns ?
Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122
Always questions :-) And this one is probably a naive one, but can you use WS-SecureConversation without WS-Trust? The Abstract for the spec states that WS-SecureConversation builds on WS-Security and WS-Trust. And it looks to me like all of the techniques for establishing a Security Context Token involve WS-Trust.
Also I'm trying to figure out where this fits into uses of this profile. What problems are WS-SecureConversation solving related to uses of this profile? What are the related usage patterns for reliable messaging and/or addressing that surface these problems, and what kinds of message exchange patterns are being assumed? And does WS-Trust get pulled into the profile if WS-SecureConversation is used to solve these problems?
Barbara McKee bmc...@us.ibm.com
Software Group Emerging Technologies
11501 Burnet Road, Austin, TX 78758
(512)838-9326 T/L 678-9326
Anthony Nadalin/Austin/IBM@IBMUS
05/13/2005 08:02 AM
|
|
If an endpoint does not exchange any message with another for a long
period of time, the caches would expire but as long as there is a
steady flow, WS-SecureConversation should help considerably,
performance-wise.
Additionally, I think that WS-Trust should also be included as it gives
you a way of managing credentials that has its own benefits (beyond
performance).