Subject: issue i010 Proof of possession for security intermediaries
My main concern in this issue is that security intermediaries [1] and applications both have equal status when interacting with a STS. By equal status, I mean the following:

(1) When an application interacts with a STS, it can convey an arbitrary security context via a <wss:security> header in the SOAP envelope of a STR. While the specification never clarifies what information the STS needs to extract from such a header, presumably the idea is that all the required security information about the identity bound to the application (tokens, proof-of-possession, claims, etc.) is available from the security header.

(2) Now consider the case where the application has been replaced by a security intermediary which acts on behalf of a set of applications. The RST message now carries the intermediary's security information and the application security context is restricted to the On-Behalf-Of parameter (Section 9.1, lines 1711-1715, ws-sx-spec-draft-v1-r0-ws-trust).

[CurrentText]
/wst:RequestSecurityToken/wst:OnBehalfOf
This optional element indicates that the requestor is making the request on behalf of another. The identity on whose behalf the request is being made is specified by placing a security token, <wsse:SecurityTokenReference> element, or <wsa:EndpointReference> element within the <wst:OnBehalfOf> element.
[\CurrentText]

I would argue this approach does not treat intermediaries as application equals, as the contents of OnBehalfOf are restricted to <wsse:SecurityTokenReference> or a security token. I would propose that the text be replaced by:

[ProposedText]
/wst:RequestSecurityToken/wst:OnBehalfOf
This optional element indicates that the requestor is making the request on behalf of another. The identity on whose behalf the request is being made is specified by placing a security header, <wsse:Security> element, or <wsa:EndpointReference> element within the <wst:OnBehalfOf> element.
[\ProposedText]

---------------------------------------------------------------------------
REFERENCES:
[1] John Linn, Active Intermediaries in Web Service and E-Commerce Environments, DIMACS Workshop on Security of Web Services, May 2005. http://dimacs.rutgers.edu/Workshops/Commerce/slides/linn.ppt
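As an added illustration (not part of the original message or of the WS-Trust draft), the two OnBehalfOf shapes side by side and what an STS can inspect in each, in Python with the standard library; the two sample RSTs, the `inspect_on_behalf_of` helper and all identifier and signature values are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Namespaces of the WS-Trust / WS-Security parts the post discusses.
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSA = "http://www.w3.org/2005/08/addressing"
NS = 'xmlns:wst="%s" xmlns:wsse="%s" xmlns:wsu="%s" xmlns:wsa="%s" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"' % (WST, WSSE, WSU, WSA)

# Constructed sample 1 (current text): OnBehalfOf carries only a reference to the application's token.
RST_CURRENT = """<wst:RequestSecurityToken %s>
  <wst:RequestType>%s/Issue</wst:RequestType>
  <wst:OnBehalfOf>
    <wsse:SecurityTokenReference><wsse:Reference URI="#app-token"/></wsse:SecurityTokenReference>
  </wst:OnBehalfOf>
</wst:RequestSecurityToken>""" % (NS, WST)

# Constructed sample 2 (proposed text): OnBehalfOf carries the application's whole security
# header, i.e. its token, a timestamp and the proof-of-possession signature (placeholder value).
RST_PROPOSED = """<wst:RequestSecurityToken %s>
  <wst:RequestType>%s/Issue</wst:RequestType>
  <wst:OnBehalfOf>
    <wsse:Security>
      <wsu:Timestamp><wsu:Created>2005-05-01T00:00:00Z</wsu:Created></wsu:Timestamp>
      <wsse:UsernameToken wsu:Id="app-token"><wsse:Username>app-1</wsse:Username></wsse:UsernameToken>
      <ds:Signature><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    </wsse:Security>
  </wst:OnBehalfOf>
</wst:RequestSecurityToken>""" % (NS, WST)

FORMS = {"{%s}SecurityTokenReference" % WSSE: "str",
         "{%s}EndpointReference" % WSA: "epr",
         "{%s}Security" % WSSE: "security-header"}

def inspect_on_behalf_of(rst_xml):
    """Return (form, element names) an STS can inspect for the on-behalf-of party."""
    obo = ET.fromstring(rst_xml).find("{%s}OnBehalfOf" % WST)
    if obo is None:
        return ("none", [])
    children = list(obo)
    if len(children) != 1:
        raise ValueError("OnBehalfOf must carry exactly one child element")
    child = children[0]
    form = FORMS.get(child.tag, "token")  # anything else is treated as a security token
    # A full header exposes every child (tokens, timestamp, proof signature) to the STS;
    # the other forms expose only the single element itself.
    visible = list(child) if form == "security-header" else [child]
    return (form, sorted(el.tag.split("}")[1] for el in visible))
```

With the current wording the STS sees nothing but a token reference for the application, while the proposed wording lets it see the same token, timestamp and proof signature it would get from the application directly.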