I agree to that. we should leave it up to the implementations if and how these security aspects are handled. We should mandate for using a certain security technology.

Mit freundlichen Gruessen / best regards,

Richard Jacob

______________________________________________________ IBM Lab Boeblingen, Germany Dept.8288, WebSphere Portal Server Development Phone: ++49 7031 16-3469 - Fax: ++49 7031 16-4888 Email: mailto:rich...@de.ibm.com

|---------+----------------------------> | | Rich | | | Thompson/Watson/I| | | BM@IBMUS | | | | | | 01/20/2003 02:38 | | | PM | |---------+----------------------------> >--------------------------------------------------------------------------------------------------------------------------------------------------| | | | To: wsrp...@lists.oasis-open.org | | cc: | | Subject: [wsrp-wsia] [change request #2] Restricting access based on registration handle | >--------------------------------------------------------------------------------------------------------------------------------------------------|

Document: WSRP spec Section: 5.2 Page/Line: 29/11-14 Requested by: Rich Thompson Old text: Producers may also find it useful to restrict the information returned to those portions of the service that the registration context will allow the Consumer to access on subsequent invocations. Producers using various security standards (e.g. WS-Security or SSL) to secure the communication should delegate this access control issue to the relevant security context.

Proposed text: (delete these 2 sentences)

Reasoning: When our security people read through the spec, they found these two sentences not useful for several reasons, primarily: 1 - They don't really say anything beyond the sentence at line 7. 2 - By raising the question of delegating such decisions without fully specifying how such delegation would work, the spec does more to confuse than to help. 3 - It really isn't the role of the WSRP spec to define how implementations will also support various security standards.