DDS-Security 1.0 FTF Avatar
  1. OMG Issue

DDSSEC_ — Confusion between is_access_protected and allow_unauthenticated_participants

  • Key: DDSSEC_-11
  • Legacy Issue Number: 19774
  • Status: closed  
  • Source: ZettaScale Technology ( Mr. Julien Enoch)
  • Summary:

    This chapter describes the behavior when a DomainParticipant discovers a remote DomainParticipant which lack the ability to authenticate.
    According to §8.4.2.5, the is_access_protected attribute applies only "with a remote DomainParticipant that has successfully authenticated". And the allow_unauthenticated_participants attribute "indicates whether the DomainParticipant shall only match discovered DomainParticipants that Authenticate successfully".

    Therefore, the §8.8.2.1 and §8.8.2.2 should rather describe behavior when the value of allow_unauthenticated_participants is TRUE or FALSE, instead of the value of is_access_protected.

  • Reported: DDS-Security 1.0b1 — Fri, 5 Jun 2015 04:00 GMT
  • Disposition: Resolved — DDS-Security 1.0
  • Disposition Summary:

    Correct table 16, section 8.8.2.1 and 8.8.2.2

    The description of Table 16 Member allow_unauthenticated_participants and is_access_protected should be written to make it clear that:
    (1) allow_unauthenticated_participants determines whether remote DomainParticipant entities that cannot Authenticate are immediately rejected by the authentication process or allowed as "unauthenticated" entities.

    (2) is_access_protected determines whether the AccessControl plugin is called to check authorization for the remote DomainParticipant entities that are not disqualified by the authentication stage (this may include entities that were classified as unauthenticated).

    Also as indicated in the issue description sections 8.8.2.1 and 8.8.2.2 shall be corrected. In the places it says "-is_access_protected" it should say "allow_unauthenticated_access"

  • Updated: Tue, 12 Jul 2016 14:45 GMT