Subject: follow-up on i010
Reading the minutes from the last call, I was asked to provide an example to clarify my point.

Consider a case where we have a <wsse:Security> header with multiple tokens involved: a username token which names a user ("joe"), an X.509 token (I guess this is called a supporting token), and a signature over the username token and body (based on the X.509 token).

Now, an application can present this entire security header to an STS. The STS can make judgements based on both the X.509 token and the username token ("aha, this is a message from Joe signed by the finance server"), placing whatever interpretation it chooses on this header.

But if we imagine an intermediary acting on behalf of the application, the intermediary cannot provide equivalent information. As currently stated in section 11.1, the intermediary can only provide a security token, an STR, or an endpoint reference. My suggestion is to expand this list to include <wsse:Security> headers as well.

- prateek
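The header described in the mail, as an added illustration (not part of the original message or of the WS-Security/WS-Trust specifications): a constructed SOAP envelope carrying a UsernameToken for "joe", an X.509 BinarySecurityToken, and a ds:Signature keyed by that X.509 token whose references cover both the UsernameToken and the Body. The parser walks the whole <wsse:Security> header and reports which element each signature covers and which token keys it; the "STS judgement" function then pairs the user name with the signing token only when one signature binds the UsernameToken and the Body together. The element ids, the placeholder base64 content and the PayRequest body are assumptions; digest and signature verification are omitted on purpose.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"

# Constructed sample (not from the mail): ids, the certificate placeholder and the
# body are made up; digest/signature values are stand-ins and are never checked.
SAMPLE = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}"
    xmlns:wsu="{NS['wsu']}" xmlns:ds="{NS['ds']}">
  <soap:Header>
    <wsse:Security>
      <wsse:UsernameToken wsu:Id="UT-1">
        <wsse:Username>joe</wsse:Username>
      </wsse:UsernameToken>
      <wsse:BinarySecurityToken wsu:Id="X509-1" ValueType="{X509V3}">MIIB...placeholder...</wsse:BinarySecurityToken>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#UT-1"><ds:DigestValue>...</ds:DigestValue></ds:Reference>
          <ds:Reference URI="#Body-1"><ds:DigestValue>...</ds:DigestValue></ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>...</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#X509-1" ValueType="{X509V3}"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="Body-1">
    <PayRequest xmlns="urn:example:finance">...</PayRequest>
  </soap:Body>
</soap:Envelope>"""


def _local(tag):
    """Strip the namespace from an ElementTree tag such as '{ns}Body'."""
    return tag.rsplit("}", 1)[-1]


def _resolve(ids, uri):
    """Resolve a same-document '#id' URI against the wsu:Id index; reject anything else."""
    if not uri.startswith("#") or uri[1:] not in ids:
        raise ValueError("unresolvable reference %r" % uri)
    return uri[1:]


def describe_security_header(envelope_xml):
    """Read the whole wsse:Security header: user names, X.509 tokens, and for each
    signature the token that keys it and the elements its references cover."""
    root = ET.fromstring(envelope_xml)
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        raise ValueError("no wsse:Security header")
    ids = {el.get(WSU_ID): el for el in root.iter() if el.get(WSU_ID) is not None}
    usernames = {ut.get(WSU_ID): ut.findtext("wsse:Username", namespaces=NS)
                 for ut in sec.findall("wsse:UsernameToken", NS)}
    x509 = [b.get(WSU_ID) for b in sec.findall("wsse:BinarySecurityToken", NS)
            if b.get("ValueType") == X509V3]
    signatures = []
    for sig in sec.findall("ds:Signature", NS):
        covered = [_resolve(ids, r.get("URI", ""))
                   for r in sig.findall("ds:SignedInfo/ds:Reference", NS)]
        key = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
        signing = _resolve(ids, key.get("URI", "")) if key is not None else None
        signatures.append({"signing_token": signing,
                           "covers": {i: _local(ids[i].tag) for i in covered}})
    return {"usernames": usernames, "x509_tokens": x509, "signatures": signatures}


def sts_judgement(info):
    """What an STS can conclude from the complete header: (user name, X.509 token id)
    pairs where one signature keyed by that token covers both the UsernameToken and
    the Body. A real STS verifies digests, the signature and the certificate first;
    that is left out here."""
    claims = []
    for sig in info["signatures"]:
        if sig["signing_token"] not in info["x509_tokens"]:
            continue
        if "Body" not in sig["covers"].values():
            continue
        for elem_id, name in sig["covers"].items():
            if name == "UsernameToken" and elem_id in info["usernames"]:
                claims.append((info["usernames"][elem_id], sig["signing_token"]))
    return claims


if __name__ == "__main__":
    print(sts_judgement(describe_security_header(SAMPLE)))
```

The point of the contrast is the return value of sts_judgement: the pairing ("joe", "X509-1") exists only because the parser could see the UsernameToken, the X.509 token and the signature's references in one header. A single token, STR or endpoint reference forwarded on its own carries none of the cross-references, so the same judgement cannot be reconstructed from it.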