{"id":123,"date":"2005-06-08T01:43:13","date_gmt":"2005-06-08T01:43:13","guid":{"rendered":"\/?p=123"},"modified":"-0001-11-30T00:00:00","modified_gmt":"-0001-11-30T04:00:00","slug":"microstandards-unravelling-ws-policy","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=123","title":{"rendered":"Microstandards &#8211; unravelling WS-Policy"},"content":{"rendered":"<p><img alt=\"A picture named authors.jpg\" hspace=15 src=\"https:\/\/www.identityblog.com\/images\/2005\/06\/06\/authors.jpg\" align=right vspace=5 border=0>I&#39;ve been trying to explain my thinking about <strong>Microstandards<\/strong>.  I see these as being <strong>standards objects<\/strong> that can be combined and specialized to define complex distributed systems.  I thought I might help others understand what I&#39;m saying by picking an example and discussing it.<\/p>\n<p>So I rolled the dice and came up with <a href=\"https:\/\/www.identityblog.com\/stories\/2005\/06\/06\/ws-policy.pdf\">WS-Policy<\/a>.  Let&#39;s start by getting a feel for the scope of this thing.<\/p>\n<p>I count the authors.  Three from VeriSign, two from Sonic Software, five from IBM, six from Microsoft, one from BEA and one from SAP.  Yikes &#8211; that makes eighteen.<\/p>\n<p>But it is twenty-two pages long, of which six are introduction, table of contents, nomenclature, abstract, references, and all the associated formalities.  Another nine pages are essentially examples (can there ever be too many examples?)  
Which leaves seven pages of discursive specification.<\/p>\n<p><font face=Verdana size=2><\/p>\n<p align=left>The specification defines the following:<\/p>\n<ul>\n<li>\n<div style=\"MARGIN-RIGHT: 0px\" align=left><\/font><font face=Verdana size=2>An XML Infoset called a <\/font><i><font face=Verdana size=2>policy expression <\/i><\/font><font face=Verdana size=2>that contains domain-specific, Web Service policy information.<\/font><\/div>\n<li>\n<div style=\"MARGIN-RIGHT: 0px\" align=left><font face=Verdana size=2>A core set of constructs to indicate how choices and\/or combinations of domain-specific policy assertions apply in a Web services environment.<\/font><\/div>\n<\/li>\n<\/ul>\n<p style=\"MARGIN-RIGHT: 0px\" align=left><font face=Verdana size=2>Here&#39;s the canonical example of such a policy expression:<\/p>\n<p><\/font><\/p>\n<p class=MsoNormal style=\"MARGIN: 0in 0in 0pt; mso-layout-grid-align: none\"><span style=\"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'\">01 &lt;wsp:Policy&gt;<?xml:namespace prefix = o ns = \"urn:schemas-microsoft-com:office:office\" \/><o:p><\/o:p><\/span><\/p>\n<p class=MsoNormal style=\"MARGIN: 0in 0in 0pt; mso-layout-grid-align: none\"><span style=\"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'\">02 <span style=\"mso-spacerun: yes\">  <\/span>&lt;wsp:ExactlyOne&gt; <o:p><\/o:p><\/span><\/p>\n<p class=MsoNormal style=\"MARGIN: 0in 0in 0pt; mso-layout-grid-align: none\"><span style=\"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'\">03 <span style=\"mso-spacerun: yes\">    <\/span>&lt;wsse:SecurityToken&gt; <o:p><\/o:p><\/span><\/p>\n<p class=MsoNormal style=\"MARGIN: 0in 0in 0pt; mso-layout-grid-align: none\"><span style=\"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'\">04 <span style=\"mso-spacerun: yes\">      <\/span>&lt;wsse:TokenType&gt;wsse:Kerberosv5TGT&lt;\/wsse:TokenType&gt; <o:p><\/o:p><\/span><\/p>\n<p class=MsoNormal style=\"MARGIN: 0in 0in 0pt; mso-layout-grid-align: none\"><span style=\"FONT-SIZE: 10pt; FONT-FAMILY: 
'Courier New'\">05 <span style=\"mso-spacerun: yes\">    <\/span>&lt;\/wsse:SecurityToken&gt; <o:p><\/o:p><\/span><\/p>\n<p class=MsoNormal style=\"MARGIN: 0in 0in 0pt; mso-layout-grid-align: none\"><span style=\"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'\">06 <span style=\"mso-spacerun: yes\">  <\/span><span style=\"mso-spacerun: yes\">  <\/span>&lt;wsse:SecurityToken&gt; <o:p><\/o:p><\/span><\/p>\n<p class=MsoNormal style=\"MARGIN: 0in 0in 0pt; mso-layout-grid-align: none\"><span style=\"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'\">07 <span style=\"mso-spacerun: yes\">    <\/span><span style=\"mso-spacerun: yes\">  <\/span>&lt;wsse:TokenType&gt;wsse:X509v3&lt;\/wsse:TokenType&gt; <o:p><\/o:p><\/span><\/p>\n<p class=MsoNormal style=\"MARGIN: 0in 0in 0pt; mso-layout-grid-align: none\"><span style=\"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'\">08 <span style=\"mso-spacerun: yes\">  <\/span><span style=\"mso-spacerun: yes\">  <\/span>&lt;\/wsse:SecurityToken&gt; <o:p><\/o:p><\/span><\/p>\n<p class=MsoNormal style=\"MARGIN: 0in 0in 0pt; mso-layout-grid-align: none\"><span style=\"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'\">09 <span style=\"mso-spacerun: yes\">  <\/span>&lt;\/wsp:ExactlyOne&gt; <o:p><\/o:p><\/span><\/p>\n<p class=MsoNormal style=\"MARGIN: 0in 0in 0pt; mso-layout-grid-align: none\"><span style=\"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'\">10 &lt;\/wsp:Policy&gt;<o:p><\/o:p><\/span><\/p>\n<p><font face=Verdana size=2>I&#39;ll bet you catch the drift already.  The <em>Policy <\/em>element sets off the policy expression, and the <em>ExactlyOne element <\/em>is used to introduce a set of policy alternatives.  The <em>SecurityToken<\/em> element has nothing to do with WS-Policy itself! 
It is just an example of a domain-specific InfoSet contained within the policy (in fact, the contents of SecurityToken would comprise a different <strong>microspec &#8211; <\/strong>in this example, WS-SecurityPolicy).<\/font><\/p>\n<p><font face=Verdana size=2>Here&#39;s how WS-Policy puts it:<\/font><\/p>\n<blockquote dir=ltr style=\"MARGIN-RIGHT: 0px\">\n<p><p><font face=Verdana size=2>Lines 02-09 illustrate the Exactly One policy operator. Policy operators group policy assertions into policy alternatives. A valid interpretation of the policy above would be that an invocation of a Web service contains <strong>one<\/strong> of the security token assertions (Lines 03-08) specified. Lines 03-05 and 06-08 represent two specific security policy assertions that indicate that two types of authentication are supported.<\/font><\/p>\n<\/p>\n<\/blockquote>\n<p dir=ltr><font face=Verdana size=2>WS-Policy goes on to define policies as collections of policy alternatives that are sets of policy assertions that are themselves typed InfoSets.  
<\/font><font face=Verdana size=2>This leads to the normal form of a policy expression (so here is the spec in a nutshell):<\/font><\/p>\n<p><font face=Verdana size=2><\/p>\n<p class=MsoNormal style=\"MARGIN: 0in 0in 0pt; mso-layout-grid-align: none\"><span style=\"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'\">&lt;wsp:Policy &#8230; &gt;<o:p><\/o:p><\/span><\/p>\n<p class=MsoNormal style=\"MARGIN: 0in 0in 0pt; mso-layout-grid-align: none\"><span style=\"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'\"><span style=\"mso-spacerun: yes\">  <\/span>&lt;wsp:ExactlyOne&gt; <o:p><\/o:p><\/span><\/p>\n<p class=MsoNormal style=\"MARGIN: 0in 0in 0pt; mso-layout-grid-align: none\"><span style=\"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'\"><span style=\"mso-spacerun: yes\">  <\/span><span style=\"mso-spacerun: yes\">  <\/span>[ &lt;wsp:All&gt; [ &lt;<i>Assertion <\/i>&#8230;&gt; &#8230; &lt;\/<i>Assertion<\/i>&gt; ]* &lt;\/wsp:All&gt; ]* <span style=\"mso-spacerun: yes\">     <\/span><o:p><\/o:p><\/span><\/p>\n<p class=MsoNormal style=\"MARGIN: 0in 0in 0pt; mso-layout-grid-align: none\"><span style=\"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'\"><span style=\"mso-spacerun: yes\"> <\/span><span style=\"mso-spacerun: yes\"> <\/span>&lt;\/wsp:ExactlyOne&gt; <o:p><\/o:p><\/span><\/p>\n<p class=MsoNormal style=\"MARGIN: 0in 0in 0pt; mso-layout-grid-align: none\"><span style=\"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'\">&lt;\/wsp:Policy&gt;<\/span><\/p>\n<p class=MsoNormal style=\"MARGIN: 0in 0in 0pt; mso-layout-grid-align: none\"><o:p><font face=\"Times New Roman\" size=3><\/font><\/o:p> <\/p>\n<p class=MsoNormal dir=ltr style=\"MARGIN: 0in 0in 0pt; mso-layout-grid-align: none\"><o:p><font face=\"Times New Roman\" size=3>This example demonstrates how an <em>All<\/em> element combines with an <em>ExactlyOne<\/em> element to give us everything we need to negotiate technical agreements.<\/font> Next follows a discussion of how to identify policies with URIs, and securely include one 
policy in another.  Then there is a brief but cool section showing how policy alternatives and assertions are associative, commutative, distributive and idempotent (this is a huge breath of fresh air).  <\/o:p><\/p>\n<p class=MsoNormal dir=ltr style=\"MARGIN: 0in 0in 0pt; mso-layout-grid-align: none\"><o:p><\/o:p> <\/p>\n<p class=MsoNormal dir=ltr style=\"MARGIN: 0in 0in 0pt; mso-layout-grid-align: none\"><o:p>For example:<\/o:p><\/p>\n<p><o:p><\/p>\n<p class=MsoNormal style=\"MARGIN: 0in 0in 0pt; mso-layout-grid-align: none\"><span style=\"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'\"><\/span> <\/p>\n<p class=MsoNormal style=\"MARGIN: 0in 0in 0pt; mso-layout-grid-align: none\"><span style=\"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'\">&lt;wsp:All&gt; <o:p><\/o:p><\/span><\/p>\n<p class=MsoNormal style=\"MARGIN: 0in 0in 0pt; mso-layout-grid-align: none\"><span style=\"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'\"><span style=\"mso-spacerun: yes\">  <\/span>&lt;wsp:ExactlyOne&gt; <o:p><\/o:p><\/span><\/p>\n<p class=MsoNormal style=\"MARGIN: 0in 0in 0pt; mso-layout-grid-align: none\"><span style=\"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'\"><span style=\"mso-spacerun: yes\">    <\/span><i>&lt;!&#8211; assertion 1 &#8211;&gt; <o:p><\/o:p><\/i><\/span><\/p>\n<p class=MsoNormal style=\"MARGIN: 0in 0in 0pt; mso-layout-grid-align: none\"><i><span style=\"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'\"><span style=\"mso-spacerun: yes\">    <\/span>&lt;!&#8211; assertion 2 &#8211;&gt; <o:p><\/o:p><\/span><\/i><\/p>\n<p class=MsoNormal style=\"MARGIN: 0in 0in 0pt; mso-layout-grid-align: none\"><i><span style=\"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'\"><span style=\"mso-spacerun: yes\">  <\/span><\/span><\/i><span style=\"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'\">&lt;\/wsp:ExactlyOne&gt; <o:p><\/o:p><\/span><\/p>\n<p class=MsoNormal style=\"MARGIN: 0in 0in 0pt; mso-layout-grid-align: none\"><span style=\"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'\">&lt;\/wsp:All&gt; 
<o:p><\/o:p><\/span><\/p>\n<p class=MsoNormal style=\"MARGIN: 0in 0in 0pt; mso-layout-grid-align: none\"><span style=\"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'\"><o:p> <\/o:p><\/span><\/p>\n<p class=MsoNormal style=\"MARGIN: 0in 0in 0pt; mso-layout-grid-align: none\"><span style=\"FONT-SIZE: 10pt; FONT-FAMILY: Verdana; mso-bidi-font-family: Verdana\">is equivalent to:<o:p><\/o:p><\/span><\/p>\n<p class=MsoNormal style=\"MARGIN: 0in 0in 0pt; mso-layout-grid-align: none\"><span style=\"FONT-SIZE: 10pt; FONT-FAMILY: Verdana; mso-bidi-font-family: Verdana\"><o:p> <\/o:p><\/span><\/p>\n<p class=MsoNormal style=\"MARGIN: 0in 0in 0pt; mso-layout-grid-align: none\"><span style=\"FONT-SIZE: 10pt; FONT-FAMILY: Verdana; mso-bidi-font-family: Verdana\"><span style=\"mso-spacerun: yes\"> <\/span><\/span><span style=\"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'\">&lt;wsp:ExactlyOne&gt; <o:p><\/o:p><\/span><\/p>\n<p class=MsoNormal style=\"MARGIN: 0in 0in 0pt; mso-layout-grid-align: none\"><span style=\"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'\"><span style=\"mso-spacerun: yes\">  <\/span>&lt;wsp:All&gt; <o:p><\/o:p><\/span><\/p>\n<p class=MsoNormal style=\"MARGIN: 0in 0in 0pt; mso-layout-grid-align: none\"><span style=\"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'\"><span style=\"mso-spacerun: yes\">    <\/span><i>&lt;!&#8211; assertion 1 &#8211;&gt;<o:p><\/o:p><\/i><\/span><\/p>\n<p class=MsoNormal style=\"MARGIN: 0in 0in 0pt; mso-layout-grid-align: none\"><i><span style=\"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'\"><span style=\"mso-spacerun: yes\"> <\/span><span style=\"mso-spacerun: yes\"> <\/span><\/span><\/i><span style=\"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'\">&lt;\/wsp:All&gt; <o:p><\/o:p><\/span><\/p>\n<p class=MsoNormal style=\"MARGIN: 0in 0in 0pt; mso-layout-grid-align: none\"><span style=\"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'\"><span style=\"mso-spacerun: yes\">  <\/span>&lt;wsp:All&gt;<o:p><\/o:p><\/span><\/p>\n<p class=MsoNormal style=\"MARGIN: 
0in 0in 0pt; mso-layout-grid-align: none\"><i><span style=\"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'\"><span style=\"mso-spacerun: yes\">    <\/span>&lt;!&#8211; assertion 2 &#8211;&gt; <o:p><\/o:p><\/span><\/i><\/p>\n<p class=MsoNormal style=\"MARGIN: 0in 0in 0pt; mso-layout-grid-align: none\"><i><span style=\"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'\"><span style=\"mso-spacerun: yes\">  <\/span><\/span><\/i><span style=\"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'\">&lt;\/wsp:All&gt; <o:p><\/o:p><\/span><\/p>\n<p class=MsoNormal style=\"MARGIN: 0in 0in 0pt; mso-layout-grid-align: none\"><span style=\"FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'\">&lt;\/wsp:ExactlyOne&gt;<o:p><\/o:p><\/span><\/p>\n<p class=MsoNormal dir=ltr style=\"MARGIN: 0in 0in 0pt; mso-layout-grid-align: none\">\n<p class=MsoNormal dir=ltr style=\"MARGIN: 0in 0in 0pt; mso-layout-grid-align: none\">Finally, while recognizing that policy intersections must be evaluated in a domain-specific way, WS-Policy suggests a high level algorithm for calculating intersections.<\/o:p><\/p>\n<p dir=ltr>So that&#39;s it, folks.  Building WS-Policy compliant applications means that when you negotiate your policy with another end-point, you use this way of structuring the XML that describes the policy.  You likely don&#39;t have to write a line of code to comply.  In fact, I look at this spec as eliminating a lot of lines of code by giving us a simple way to express our policy alternatives and to evaluate them.<\/p>\n<p dir=ltr>\n<p><\/font><\/p>\n","protected":false},"excerpt":{"rendered":"<p>I&#39;ve been trying to explain my thinking about Microstandards. I see these as being standards objects that can be combined and specialized to define complex distributed systems. I thought I might help others understand what I&#39;m saying by picking an example and discussing it. So I rolled the dice and came up with WS-Policy. 
Let&#39;s &hellip; <a href=\"https:\/\/www.identityblog.com\/?p=123\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Microstandards &#8211; unravelling WS-Policy<\/span><\/a><\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[2],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/123"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=123"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/123\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=123"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=123"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=123"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}