
Could someone please verify the intent and meaning of "AA Instance" relative to web services.... Pete and I were drafting some content for the security section and ended up in a discussion on how to enforce different security policies for different AA Instances. This might also pertain to transport protocols as well since some transports are more secure than others and that might be specified somehow in the security policy. ACS currently returns an EPR (or WS-Name perhaps) as a result of a create operation. That EPR could technically be anywhere on the network, although most likely it would be on the same box as the ACS service. Is it expected that each AA Instance is a separate web service or would it be a part of and managed by the ACS Web Service? The question delves into the implementation architecture and the answer might impact the way the specification is written with regard to requirements.

-- Michael Behrens
R2AD, LLC
(571) 594-3008 (cell) *new*
(703) 714-0442 (land)

Hi Mike and Pete,

Thanks for your efforts toward a spec!

Michael Behrens wrote:
Could someone please verify the intent and meaning of "AA Instance" relative to web services.... Pete and I were drafting some content for the security section and ended up in a discussion on how to enforce different security policies for different AA Instances. This might also pertain to transport protocols as well since some transports are more secure than others and that might be specified somehow in the security policy.
Here is my understanding of AA instance: an AA instance is a form of AA in an ACS repository and is a Web service resource. It could be created elsewhere, but it is most reasonable to create it inside the ACS repository, which constitutes a part of an implementation of the system. Is this a wrong understanding?
ACS currently returns an EPR (or WS-Name perhaps) as a result of a create operation. That EPR could technically be anywhere on the network, although most likely it would be on the same box as the ACS service. Is it expected that each AA Instance is a separate web service or would it be a part of and managed by the ACS Web Service?
If I understand the points here correctly, this is not a problem, though it may need to be carefully taken into consideration. Existing standards may not prohibit the EPRs (or resources) from being created outside of the ACS, and the ACS spec. may or may not, but, I believe, we can specify the security or transport to be organized to be efficient, rather than accepting whatever is possible. The transport to be used must be defined, supported and announced by the implementation of the ACS repository. The security policy to be used would be decided under the system-level design, but still be supported and announced by the implementation. These may vary among implementations. If one were to move an AA in between, basically those must have a common security policy and transport type in agreement. Someone can implement a relay or a router converting or adapting things, but it will involve more advanced considerations in my opinion. We can discuss this in more detail. However, I propose we put our efforts in an incremental way, from basics to advanced. As they say, Rome was not built in a day :-)

-Keisuke