ws-sx message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: issue i010 Proof of possession for security intermediaries


My main concern in this issue is that security intermediaries [1] and applications both have equal status when interacting with an STS.

By equal status, I mean the following:

(1) When an application interacts with an STS, it can convey an arbitrary security context via a <wss:security> header in the SOAP envelope of an RST. While the specification never clarifies what information the STS needs to extract from such a header, presumably the idea is that all the required security information about the identity bound to the application (tokens, proof-of-possession, claims, etc.) is available from the security header.

(2) Now consider the case where the application has been replaced by a security intermediary which acts on behalf of a set of applications. The RST message now carries the intermediary's security information, and the application security context is restricted to the On-Behalf-Of parameter (Section 9.1, lines 1711-1715, ws-sx-spec-draft-v1-r0-ws-trust).

[CurrentText]
/wst:RequestSecurityToken/wst:OnBehalfOf
This optional element indicates that the requestor is making the request 
on behalf of another.
The identity on whose behalf the request is being made is specified by 
placing a security token,
<wsse:SecurityTokenReference> element, or <wsa:EndpointReference> element
within the <wst:OnBehalfOf> element.
[\CurrentText]

I would argue this approach does not treat intermediaries as application equals, as the contents of OnBehalfOf are restricted to <wsse:SecurityTokenReference> or a security token.

I would propose that the text be replaced by:

[ProposedText]
/wst:RequestSecurityToken/wst:OnBehalfOf
This optional element indicates that the requestor is making the request 
on behalf of another.
The identity on whose behalf the request is being made is specified by 
placing a security header,
<wsse:Security> element, or <wsa:EndpointReference> element
within the <wst:OnBehalfOf> element.
[\ProposedText]

---------------------------------------------------------------------------
REFERENCES:
[1] John Linn, "Active Intermediaries in Web Service and E-Commerce Environments," DIMACS Workshop on Security of Web Services, May 2005.
http://dimacs.rutgers.edu/Workshops/Commerce/slides/linn.ppt
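The two request shapes the message contrasts, as an added example that is not part of this post or of the WS-Trust draft: an STS-side helper that reports where an RST carries the requestor's own security context, what kind of element sits inside OnBehalfOf, and whether that kind is permitted by the current or the proposed OnBehalfOf text. The namespace URIs, the constant names and the sample envelope are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Namespace URIs are assumptions for this example; the draft the message
# cites may bind different URIs.
NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wst": "http://schemas.xmlsoap.org/ws/2005/02/trust",
    "wsa": "http://www.w3.org/2005/08/addressing",
}
# Child kinds the current and the proposed OnBehalfOf text each permit;
# "token" stands for any security token, which has no single element name.
CURRENT_ALLOWED = {"SecurityTokenReference", "EndpointReference", "token"}
PROPOSED_ALLOWED = {"Security", "EndpointReference", "token"}
KNOWN = {"SecurityTokenReference", "EndpointReference", "Security"}

def local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the {namespace} prefix

def describe_rst(envelope):
    """Return (outer wsse:Security children, OnBehalfOf kind or None, OnBehalfOf children)."""
    root = ET.fromstring(envelope)
    hdr = root.find("s:Header/wsse:Security", NS)
    hdr_children = [local(c.tag) for c in hdr] if hdr is not None else []
    obo = root.find("s:Body/wst:RequestSecurityToken/wst:OnBehalfOf", NS)
    if obo is None or len(obo) == 0:
        return hdr_children, None, []
    child = obo[0]
    kind = local(child.tag) if local(child.tag) in KNOWN else "token"
    return hdr_children, kind, [local(c.tag) for c in child]

def permitted(kind, allowed):
    """Does the OnBehalfOf content kind satisfy the given rule set?"""
    return kind is None or kind in allowed

# Constructed sample: an intermediary's RST. Its own token and signature sit
# in the outer header; the application's full context is inside OnBehalfOf.
SAMPLE = f"""<s:Envelope xmlns:s="{NS['s']}" xmlns:wsse="{NS['wsse']}"
  xmlns:wst="{NS['wst']}" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <s:Header><wsse:Security>
  <wsse:BinarySecurityToken>INTERMEDIARY-CERT</wsse:BinarySecurityToken>
  <ds:Signature/></wsse:Security></s:Header>
 <s:Body><wst:RequestSecurityToken><wst:OnBehalfOf><wsse:Security>
  <wsse:UsernameToken><wsse:Username>app1</wsse:Username></wsse:UsernameToken>
  <ds:Signature/></wsse:Security></wst:OnBehalfOf>
 </wst:RequestSecurityToken></s:Body></s:Envelope>"""

if __name__ == "__main__":
    hdr, kind, inner = describe_rst(SAMPLE)
    print(hdr, kind, inner, permitted(kind, CURRENT_ALLOWED), permitted(kind, PROPOSED_ALLOWED))
```

Under the current text the embedded <wsse:Security> is rejected while the intermediary's own header is untouched; under the proposed text the same envelope passes.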



