Subject: RE: [regrep-security] Updated ebRS section 9.7 Access Control
From: Damodaran, Suresh (Sure...@stercomm.com)
Date: Jun 3, 2002 3:27:56 pm
Thanks for your comments - I think they improved the presentation overall. This is for v2.1. My apologies for not getting to it till now. Some comments below. Comments, anybody else?
Here is the edited version
-Suresh
Sterling Commerce, Inc.

-----Original Message-----
From: Munter, Joel D [mailto:joel...@intel.com]
Sent: Tuesday, May 28, 2002 10:25 AM
To: 'Damodaran, Suresh'; 'regr...@lists.oasis-open.org'
Subject: RE: [regrep-security] Updated ebRS section 9.7 Access Control
Is this intended for v2.1 or v3? Some of my comments may be more appropriate as V3. You make the call.
The following:
"Any Registry Client can access the content without requiring authentication. However, unauthenticated clients can only access some read-only (getXXX) methods permitted for GuestReader role. The Registry must assign the default GuestReader role to such Registry Clients."
has contradictory first and second sentences. Please consider deleting the first sentence.
The following:
"Anyone can publish content, but MUST be a Registered User"
may be better said by the following:
"To publish content, you MUST be a Registered User"
I am a little confused by the following: "The Submitting Organization has access to all methods for Registry Objects created by it." Who is "it" at the end of this sentence? Unless I am wrong, the SO cannot create methods. Nor can it "create" Registry Objects. Isn't the SO limited to "registering" stuff?
Yes, SO is limited to "registering" - fixed.
This bullet implies that all submitters must obtain a "certificate." "At the time of content submission, the Registry must assign the default ContentOwner role to the Submitting Organization (SO) as authenticated by the credentials in the submission message. In the current version of this specification, the Submitting Organization will be the DN (Distinguished Name) as identified by the certificate."
But this section says nothing about where to obtain certificates. Also where do the credentials go in the "submission message?" Should we be more explicit here? Who are valid Certificate Authorities? What else constitutes a valid certificate? What else needs to be there? Should we be more specific here?
These are good questions - possibly good to address in V3.0. I have made some changes. The certificates are those used for authentication (mentioned in Signing sections) but that section also will be revised for V3.0 when SO and RO can be different.
-----Original Message-----
From: Damodaran, Suresh [mailto:Sure...@stercomm.com]
Sent: Friday, May 24, 2002 1:59 PM
To: 'regr...@lists.oasis-open.org'
Subject: [regrep-security] Updated ebRS section 9.7 Access Control
Here is the new section 9.7 with some scrubbing done. There is the actor to role mapping, and default policies. When custom policies will be used is also mentioned. Please let me know what you think.
Thanks,
-Suresh
Sterling Commerce, Inc.
Attachment: ebRS- 9.7 Access Control.doc