ws-sx message


Subject: follow-up on i010


Reading the minutes from the last call, I was asked to provide an example to clarify my point.

Consider a case where we have a <wsse:security> header with multiple tokens involved; a username token which names a user ("joe"), X.509 token (I guess this is called a supporting token) and a signature over the user-name-token and body (based on the X.509 token).

Now, an application can present this entire security header to STS. The STS can make judgements based on both the X.509 token and the user-name token ("aha, this is a message from Joe signed by the finance server") placing whatever interpretation it chooses to w.r.t. this header.

But the intermediary cannot provide equivalent information; if we imagine an intermediary acting on behalf of the application. As currently stated in section 11.1, the intermediary can only provide a security token, a STR or an end-point-reference. My suggestion is to expand this list to include <wsse:security> headers as well.

- prateek
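
The header described in the message above, as an added example that is not part of the original post: a constructed `wsse:Security` header is read the way an STS could read it, then the same check is run on the username token alone to show what is lost. The `wsu:Id` values, the element layout, the use of a `wsse:BinarySecurityToken` for the X.509 token and the placeholder values are assumptions; the code reads structure only and does not verify the signature.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
XMLNS = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())

# Constructed sample: Ids are made up; certificate, digests and signature value are elided.
ENVELOPE = f"""<soap:Envelope {XMLNS}>
 <soap:Header><wsse:Security>
  <wsse:UsernameToken wsu:Id="ut-1"><wsse:Username>joe</wsse:Username></wsse:UsernameToken>
  <wsse:BinarySecurityToken wsu:Id="x509-1">PLACEHOLDER-CERT</wsse:BinarySecurityToken>
  <ds:Signature>
   <ds:SignedInfo><ds:Reference URI="#ut-1"/><ds:Reference URI="#body-1"/></ds:SignedInfo>
   <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#x509-1"/></wsse:SecurityTokenReference></ds:KeyInfo>
  </ds:Signature>
 </wsse:Security></soap:Header>
 <soap:Body wsu:Id="body-1"><Payload/></soap:Body>
</soap:Envelope>"""

def q(prefix, name):
    """Build the '{namespace}name' form ElementTree uses for tags and attributes."""
    return "{%s}%s" % (NS[prefix], name)

def describe(xml_text):
    """Report which user is named, which token the signature points at, and what it covers."""
    root = ET.fromstring(xml_text)
    by_id = {el.get(q("wsu", "Id")): el for el in root.iter() if el.get(q("wsu", "Id"))}
    signed = {r.get("URI", "")[1:] for r in root.iter(q("ds", "Reference"))}
    key = next(root.iter(q("wsse", "Reference")), None)  # STR inside ds:KeyInfo
    signer = by_id.get(key.get("URI", "")[1:]) if key is not None else None
    ut = next(root.iter(q("wsse", "UsernameToken")), None)
    body = next(root.iter(q("soap", "Body")), None)
    return {
        "username": ut.findtext(q("wsse", "Username")) if ut is not None else None,
        "signing_token": signer.tag.split("}")[1] if signer is not None else None,
        "username_token_signed": ut is not None and ut.get(q("wsu", "Id")) in signed,
        "body_signed": body is not None and body.get(q("wsu", "Id")) in signed,
    }

def token_only(xml_text):
    """Serialize just the UsernameToken, as if only that token were forwarded."""
    root = ET.fromstring(xml_text)
    return ET.tostring(next(root.iter(q("wsse", "UsernameToken"))), encoding="unicode")
```

`describe(ENVELOPE)` reports the user, the signing token and the signed parts together, while `describe(token_only(ENVELOPE))` still names "joe" but carries no signer and no coverage information.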


