

Subject: RE: [ws-sx] issue 003: use of the term binding in SecurityPolicy


Prateek,

Thanks for sending this. 

Regarding Security Binding Property, I note that the title of Section 6
(line 1242) is 'Security Binding Properties'.

Regarding Security Binding Property Assertion, I note that several
assertions in section 7 indicate that they set property values, e.g.
lines 1514, 1517, 1584, 1587, 1590, 1592, 1594, 1596, 1598 et al.

Regarding the proposed change at line 228, I think this change is OK,
although I'm not certain quite how it differs materially from the
existing text. Please could you clarify what it is you think is allowed
and/or precluded by your proposed text vs the existing text?

Regarding the proposed change at line 229, I believe an encrypted key
token from WSS 1.1 would be such a mechanism. For example, Symmetric
binding with an X509Token as the [Protection Token].

Regarding the proposed change at line 230, did you mean add 'in the
wsse:Security header'? If not, I don't think I understand the proposed
change.

Regarding the proposed change at line 233, I'm inclined to agree as the
signature confirmation aspect of an exchange is covered by the WSS11
assertion.

Regarding the proposed additional text, would 'canonicalization' be
better than 'normalization'?

Cheers

Gudge
 

> -----Original Message-----
> From: Prateek Mishra [mailto:prateek.mishra@oracle.com] 
> Sent: 27 January 2006 18:46
> To: ws-sx@lists.oasis-open.org
> Subject: [ws-sx] issue 003: use of the term binding in SecurityPolicy
> 
> At the F2F, I had asked a question about the use of the term security
> binding in Security Policy and as to what was intended by use of this
> term. My comments here are limited to this issue.
> 
> The policy document does include a definition for this term in Section
> 1.4, 2.3 (definition at an abstract level) and a more precise definition
> for security binding assertion in Section 7.
> 
> (1) The terms Security Binding Property and Security Binding Property
> Assertion are defined in lines 76 and 79-80 but not otherwise used
> elsewhere. I would suggest these terms be removed.
> 
> (2) proposed changes to Security Binding definition (Section 2.3)
> 
> lines 227 - 234 provide a detailed definition of binding. I would
> propose the following changes:
> 
> line 228: replace by "The set of acceptable tokens and the means of
> their binding to messages"
> 
> line 229: I don't see any "key transfer" mechanisms described in any of
> the bindings. In any case, I don't understand what "key transfer" means
> and it isn't listed in my copy of the handbook of applied crypto.
> 
> line 230: Add "in the SOAP header"
> 
> line 233: Delete. I don't believe any of the bindings described in this
> document provide this facility.
> 
> Add new line: Various parameters, including those describing the
> algorithms to be used for normalization, signing and encryption.
> 
> -------------------------------------------------------------------------------
> prateek
> 
> 
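The configuration Gudge points to above (a Symmetric binding whose [Protection Token] is an X509Token, so that WSS 1.1's encrypted key token carries the session key) looks like the following WS-SecurityPolicy fragment. This is an added example written for this page; it is not text from the thread or from the draft under discussion. It assumes the WS-SecurityPolicy 1.2 namespace and the W3C WS-Policy namespace, both of which postdate the January 2006 draft, and the assertion names used are those of the published 1.2 specification; the Wss11 assertion at the end is where signature confirmation is expressed, which is the point made about line 233.

```xml
<!-- Added illustration of "Symmetric binding with an X509Token as the
     [Protection Token]". Namespaces assumed to be the WS-SecurityPolicy 1.2
     and W3C WS-Policy URIs; the 2006 draft used earlier ones. -->
<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
            xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">

  <!-- Symmetric binding: one symmetric key is used for both signature and
       encryption. The key itself is not a property of the binding; it is
       transferred to the recipient wrapped under the [Protection Token]. -->
  <sp:SymmetricBinding>
    <wsp:Policy>

      <!-- [Protection Token]: the recipient's X.509 certificate. The client
           generates a random key, encrypts it to this certificate and sends
           it as an xenc:EncryptedKey inside wsse:Security (a WSS 1.1
           encrypted key token). IncludeToken="Never" because the recipient
           already holds its own certificate; the message references it. -->
      <sp:ProtectionToken>
        <wsp:Policy>
          <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
            <wsp:Policy>
              <sp:WssX509V3Token11/>
            </wsp:Policy>
          </sp:X509Token>
        </wsp:Policy>
      </sp:ProtectionToken>

      <!-- [Algorithm Suite]: canonicalization, digest, signature, encryption
           and key-wrap algorithms are fixed here, not per token. -->
      <sp:AlgorithmSuite>
        <wsp:Policy>
          <sp:Basic256/>
        </wsp:Policy>
      </sp:AlgorithmSuite>

      <!-- [Layout] of the wsse:Security header plus timestamp requirement. -->
      <sp:Layout>
        <wsp:Policy>
          <sp:Strict/>
        </wsp:Policy>
      </sp:Layout>
      <sp:IncludeTimestamp/>
      <sp:OnlySignEntireHeadersAndBody/>
    </wsp:Policy>
  </sp:SymmetricBinding>

  <!-- What the symmetric key protects. -->
  <sp:SignedParts>
    <sp:Body/>
  </sp:SignedParts>
  <sp:EncryptedParts>
    <sp:Body/>
  </sp:EncryptedParts>

  <!-- WSS 1.1 assertion: requires support for referencing the EncryptedKey
       from later signatures/encryptions, and requires the responder to
       return ds:SignatureValue in wsse11:SignatureConfirmation. This is the
       assertion, not the binding, that governs signature confirmation. -->
  <sp:Wss11>
    <wsp:Policy>
      <sp:MustSupportRefKeyIdentifier/>
      <sp:MustSupportRefEncryptedKey/>
      <sp:RequireSignatureConfirmation/>
    </wsp:Policy>
  </sp:Wss11>

</wsp:Policy>
```

On the wire this produces a wsse:Security header containing an xenc:EncryptedKey (the key transfer step: the symmetric key wrapped under the X.509 public key, referenced by a wsse:KeyIdentifier), a ds:Signature and xenc:EncryptedData over the body that both reference that EncryptedKey, and, in the response, a wsse11:SignatureConfirmation element. The reply from the recipient reuses the same EncryptedKey by reference rather than transferring a new one, which is why the policy needs MustSupportRefEncryptedKey.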

