Subject: RE: [dss] Groups - dss-requirements-1.0-draft-03.pdf - Process and Deadline information?
At 04:23 PM 4/26/2003 -0500, Anthony Nadalin wrote:
>
>> How to Identify Requestor
>> ----------------------------------------------
>> I think 3.2.1 bullets 2 and 3, about what types of signed
>> attributes are used to identify the requestor, should be changed to:
>> - RFC 3280 GeneralName (for a CMS signature)
>> - SAML Assertion (for an XML-DSIG signature)
>
> >It seems to me that SAML assertions work and are easily included in our
> >spec. Thus, I think we should certainly support their use. It's not clear
> >to me that we necessarily need to support any other method until/unless we
> >receive a concrete proposal of something else to use or find a specific
> >deficiency.
>
>I guess I don't agree, so here is a proposal for a UsernameToken, thus we
>don't have to have the baggage of SAML
>
> <xsd:complexType name="UsernameTokenType">
>   <xsd:annotation>
>     <xsd:documentation>This type represents a username token per Section 4.1</xsd:documentation>
>   </xsd:annotation>
>   <xsd:sequence>
>     <xsd:element name="Username" type="wsse:AttributedString"/>
>     <xsd:any processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
>   </xsd:sequence>
>   <xsd:attribute ref="wsu:Id"/>
>   <xsd:anyAttribute namespace="##other" processContents="lax"/>
> </xsd:complexType>

I agree that, if the DSS service doesn't want to express details on how the requestor authenticated, it might make sense to have a simpler way than a SAML Authentication Assertion to express just the requestor's name.

I don't think that a WS-Security UsernameToken is a good way of doing this, though. Looking at the below documents, it seems this element is designed to transport a username, along with possibly a nonce and password. I don't see any provision for saying what type of name the username is (email address, Distinguished Name, URI, etc.), which is a capability we definitely want. So why do you think this element is a good way for the DSS to express the requestor's identity?
http://www.oasis-open.org/committees/download.php/1046/WSS-Username-02-0223.pdf
http://www.oasis-open.org/committees/download.php/1044/WSS-SOAPMessageSecurity-11-0303-merged.pdf

I would prefer something like the last suggestion in the below post. Or does anyone else have a better idea?

http://lists.oasis-open.org/archives/dss/200304/msg00054.html

Trevor
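To make the point about name types concrete, here is an added example (not code from the thread or from either specification) that extracts the requestor identity from a constructed signing request: a SAML Subject yields the name together with its Format attribute, while the proposed wsse:UsernameToken yields only an opaque Username. The namespace URIs (OASIS WSS 1.0 secext, SAML 1.0 assertion) and the sample documents are assumptions of this example, not values from the thread.

```python
import xml.etree.ElementTree as ET

# Namespace URIs are assumptions of this example, not given in the thread.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"


def requestor_identity(xml_text):
    """Return (name, name_format) for the requestor named in a request.

    A saml:NameIdentifier carries the name with a Format attribute saying what
    kind of name it is (email address, X.509 subject name, ...). A
    wsse:UsernameToken only carries a Username string, so name_format is None:
    the relying party cannot tell an email address from a DN or a URI.
    """
    root = ET.fromstring(xml_text)
    ident = root.find(f".//{{{SAML}}}NameIdentifier")
    if ident is not None:
        return (ident.text or "").strip(), ident.get("Format")
    user = root.find(f".//{{{WSSE}}}UsernameToken/{{{WSSE}}}Username")
    if user is not None:
        return (user.text or "").strip(), None
    raise ValueError("no requestor identity found in request")


# Constructed sample requests (not taken from the thread or the specs).
SAML_REQUEST = f"""<SignRequest xmlns:saml="{SAML}">
  <saml:Assertion>
    <saml:AuthenticationStatement>
      <saml:Subject>
        <saml:NameIdentifier Format="{SAML}#emailAddress">alice@example.com</saml:NameIdentifier>
      </saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</SignRequest>"""

USERNAME_REQUEST = f"""<SignRequest xmlns:wsse="{WSSE}">
  <wsse:UsernameToken>
    <wsse:Username>alice@example.com</wsse:Username>
  </wsse:UsernameToken>
</SignRequest>"""

if __name__ == "__main__":
    print(requestor_identity(SAML_REQUEST))      # name plus its format
    print(requestor_identity(USERNAME_REQUEST))  # same name, format unknown
```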