

Subject: Re: [imi] Conflict between SAML 2.0 token profile and WS-Trust



Ignore my last email as long as the selector always adds the request for an asymmetric proof key to the request, I am OK with the STS defaulting to symmetric if it is not in the request.

John B.
On 2009-12-15, at 3:52 PM, Mike Jones wrote:

> Technically, those are different cases.  The text you're citing refers to the RP's SecurityPolicy and the actions the selector should take based upon it.  The inconsistency I cited referred to how the recipient should interpret WS-Trust messages.
>
> Yes, ideally these defaults should have been the same.  But we can at least be consistent with WS-Trust by not stating that a different default should be used in that case.
>
> Agreed?
>
> 				-- Mike
>
> -----Original Message-----
> From: Scott Cantor [mailto:cantor.2@osu.edu]
> Sent: Tuesday, December 15, 2009 10:41 AM
> To: Mike Jones; imi@lists.oasis-open.org
> Subject: RE: [imi] Conflict between SAML 2.0 token profile and WS-Trust
>
> Scott Cantor wrote on 2009-12-15:
>> Mike Jones wrote on 2009-12-15:
>>> Any disagreement, or shall I file an issue for us to consider on
>>> Thursday's call?
>>
>> Don't think I had any particular reason for that wording, so that's fine. If
>> anything I would have gotten it from (mis-)interpreting something in IMI,
>> I'll take a look when time permits.
>
> Found it:
>
> 3.3.5 Proof Key for Issued Token
>
> An issued token can have a symmetric proof key (symmetric key token), an
> asymmetric proof key (asymmetric key token), or no proof key (bearer token).
> If no key type is specified in the Relying Party policy, then an Identity
> Selector SHOULD request an asymmetric key token from the IP/STS by default.
>
> So, which should I be consistent with?
>
> -- Scott
>
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
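The two defaults discussed in this thread, as an added example that is not part of the original messages: a selector that always states the key type explicitly (asymmetric when the RP policy names none, per the quoted 3.3.5) and an STS that falls back to symmetric only when the request carries no KeyType. The function names are hypothetical, and the WS-Trust 1.3 namespace and KeyType URIs are an assumption, since the thread does not say which WS-Trust version is in use.

```python
import xml.etree.ElementTree as ET

# Assumption: WS-Trust 1.3 namespace and KeyType URIs (version not stated in the thread).
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
KEY_TYPES = {
    "symmetric": f"{WST}/SymmetricKey",
    "asymmetric": f"{WST}/PublicKey",
    "bearer": f"{WST}/Bearer",
}
URI_TO_NAME = {uri: name for name, uri in KEY_TYPES.items()}


def selector_build_rst(rp_policy_key_type=None):
    """Selector side (hypothetical helper).

    Per the quoted IMI 3.3.5 text: if the RP policy names no key type,
    request an asymmetric key token. The KeyType element is always
    emitted, so the STS never has to apply its own default.
    """
    name = rp_policy_key_type or "asymmetric"
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}KeyType").text = KEY_TYPES[name]
    return ET.tostring(rst, encoding="unicode")


def sts_effective_key_type(rst_xml):
    """STS side (hypothetical helper).

    An absent KeyType means symmetric, the STS default described in the
    thread. A present but unrecognised KeyType is rejected rather than
    silently downgraded to some other proof-key type.
    """
    rst = ET.fromstring(rst_xml)
    key_type = rst.find(f"{{{WST}}}KeyType")
    if key_type is None:
        return "symmetric"
    uri = (key_type.text or "").strip()
    if uri not in URI_TO_NAME:
        raise ValueError(f"unsupported KeyType: {uri!r}")
    return URI_TO_NAME[uri]


# Constructed sample: an RST from a requester that omits KeyType entirely.
BARE_RST = f'<wst:RequestSecurityToken xmlns:wst="{WST}"/>'

if __name__ == "__main__":
    print(sts_effective_key_type(selector_build_rst()))   # selector default
    print(sts_effective_key_type(BARE_RST))               # STS default
```

Because the selector always sends KeyType, the differing defaults only meet when some other requester omits the element.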



