Adding WS-SecureConversation to the Basic B2B Profile


Anthony Nadalin

May 13, 2005, 9:02:09 AM
to basi...@googlegroups.com

I think that it makes practical sense to add WS-SecureConversation to the Basic B2B Profile, as without it, you really can't have secure, reliable messaging. Besides helping to tremendously increase the performance of secure Web services, WS-SC also gives you context-based (i.e. instance) level security. Are there questions or concerns?


Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122

Barbara McKee

May 16, 2005, 9:52:05 AM
to basi...@googlegroups.com

Always questions :-) And this one is probably a naive one, but can you use WS-SecureConversation without WS-Trust? The Abstract for the spec states that WS-SecureConversation builds on WS-Security and WS-Trust. And it looks to me like all of the techniques for establishing a Security Context Token involve WS-Trust.

Also I'm trying to figure out where this fits into uses of this profile. What problems are WS-SecureConversation solving related to uses of this profile? What are the related usage patterns for reliable messaging and/or addressing that surface these problems, and what kinds of message exchange patterns are being assumed? And does WS-Trust get pulled into the profile if WS-SecureConversation is used to solve these problems?

Barbara McKee bmc...@us.ibm.com
Software Group Emerging Technologies
11501 Burnet Road, Austin, TX 78758
(512)838-9326 T/L 678-9326

tfo...@ford.com

May 25, 2005, 1:35:32 PM
to basi...@googlegroups.com
I agree that WS-SecureConversation should be part of the profile. Each
message would typically be signed / encrypted with the sending
endpoint's credential. A WS-SecureConversation endpoint caches the
credentials related to all of its partner endpoints and reuses those
for verification of incoming messages. Each message is verified with
symmetric key cryptography (asymmetric key cryptography -- used in the
absence of WS-SecureConversation -- is much more expensive).

If an endpoint does not exchange any message with another for a long
period of time, the caches would expire but as long as there is a
steady flow, WS-SecureConversation should help considerably,
performance-wise.

Additionally, I think that WS-Trust should also be included as it gives
you a way of managing credentials that has its own benefits (beyond
performance).
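
The caching behaviour described in the post above, as an added example that is not part of the original thread: a simplified Python model of a receiver that establishes a shared context key once, verifies each later message with a symmetric HMAC, and drops the context after an idle period. The class and function names, the 300-second idle timeout, HMAC-SHA256 and the sample messages are assumptions of this example; it does not implement the WS-SecureConversation wire format.

```python
import hashlib
import hmac
import os


class ContextCache:
    """Simplified per-partner security context cache (hypothetical, not WS-SC XML)."""

    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout   # seconds of silence before a context expires
        self._contexts = {}                # context_id -> [shared_key, last_used]
        self.handshakes = 0                # counts the expensive establishments

    def establish(self, now):
        """Stand-in for the costly asymmetric exchange that sets up a shared key."""
        self.handshakes += 1
        context_id = "ctx-" + os.urandom(8).hex()
        key = os.urandom(32)
        self._contexts[context_id] = [key, now]
        return context_id, key

    def verify(self, context_id, body, tag, now):
        """Return True only if the context is still cached and the HMAC matches."""
        entry = self._contexts.get(context_id)
        if entry is None:
            return False
        key, last_used = entry
        if now - last_used > self.idle_timeout:
            del self._contexts[context_id]  # expired: the sender must re-establish
            return False
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):  # constant-time comparison
            return False
        entry[1] = now                      # steady traffic keeps the context alive
        return True


def sign(key, body):
    """Sender side: authenticate a message body with the shared context key."""
    return hmac.new(key, body, hashlib.sha256).digest()


def demo():
    cache = ContextCache(idle_timeout=300)
    ctx, key = cache.establish(now=0)
    results = []
    for t in (10, 200, 450):                # constructed steady flow of messages
        body = b"order-%d" % t
        results.append(cache.verify(ctx, body, sign(key, body), now=t))
    results.append(cache.verify(ctx, b"tampered", sign(key, b"original"), now=460))
    results.append(cache.verify(ctx, b"late", sign(key, b"late"), now=2000))  # long gap
    return results, cache.handshakes
```
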

Christopher B Ferris

Jun 28, 2005, 12:55:42 PM
to basi...@googlegroups.com
Barbara,

I didn't notice any follow-ups to this, so here goes. Yes, you can use
WS-SecureConversation without WS-Trust. See section 4 of the WS-SC spec.

As to the question of where (or whether) this fits into the uses of the
profile, basically it is to improve performance of security operations by
virtue of the use of symmetric keys. Additionally, as we demonstrated in the
WS-RM and WS-SC/T composability interop workshop, there is an additional
aspect of security enabled that provides for the RM Source to be able to
protect use of the established RM Sequence by associating a specific security
token with a newly created Sequence as described in section 3.4 of the WS-RM
spec. See the description of the
/wsrm:CreateSequence/wsse:SecurityTokenReference element.

I note that Tim has suggested that WS-Trust also be added to the profile.
I think that this deserves some discussion. I will follow up on that thread
presently.

That question aside, are there any objections to adding WS-SC to the next
revision of the profile?

Cheers,

Christopher Ferris
STSM, Emerging e-business Industry Architecture
email: chri...@us.ibm.com
blog: http://webpages.charter.net/chrisfer/blog.html
phone: +1 508 377 9295

Barbara McKee/Austin/IBM@IBMUS wrote on 05/16/2005 09:52:05 AM:

> Always questions :-) And this one is probably a naive one, but can you
> use WS-SecureConversation without WS-Trust? The Abstract for the spec
> states that WS-SecureConversation builds on WS-Security and WS-Trust.
> And it looks to me like all of the techniques for establishing a
> Security Context Token involve WS-Trust.
>
> Also I'm trying to figure out where this fits into uses of this profile.
> What problems are WS-SecureConversation solving related to uses of this
> profile? What are the related usage patterns for reliable messaging
> and/or addressing that surface these problems, and what kinds of message
> exchange patterns are being assumed? And does WS-Trust get pulled into
> the profile if WS-SecureConversation is used to solve these problems?
>
> Barbara McKee bmc...@us.ibm.com
> Software Group Emerging Technologies
> 11501 Burnet Road, Austin, TX 78758
> (512)838-9326 T/L 678-9326