Subject: RE: [ws-sx] Issue 74: add <EncryptSupportingToken> element to Sections 7.4 and 7.5
Prateek and I briefly discussed an alternative proposal for solving this issue, namely defining some additional types of SupportingToken assertion. We'd need three new assertions:

SignedEncryptedSupportingTokens
EndorsingEncryptedSupportingTokens
SignedEndorsingSupportingTokens

This approach would allow one to select encryption for some tokens and not others rather than a blanket setting for all supporting tokens. We might also need EncryptedSupportingTokens but I'm not sure of the value of including a supporting token that can just be removed by an attacker.

Specific spec text:

After line 2088 add three sections as follows:

8.5 SignedEncryptedSupportingTokens Assertion

Signed, encrypted supporting tokens are Signed supporting tokens (See section 8.2) that are also encrypted when they appear in the wsse:SecurityHeader. The syntax for the sp:SignedEncryptedSupportingTokens differs from the syntax of sp:SignedSupportingTokens only in the name of the assertion itself. All nested policy is as per the sp:SignedSupportingTokens assertion.

8.6 EndorsingEncryptedSupportingTokens Assertion

Endorsing, encrypted supporting tokens are Endorsing supporting tokens (See section 8.3) that are also encrypted when they appear in the wsse:SecurityHeader. The syntax for the sp:EndorsingEncryptedSupportingTokens differs from the syntax of sp:EndorsingSupportingTokens only in the name of the assertion itself. All nested policy is as per the sp:EndorsingSupportingTokens assertion.

8.7 SignedEndorsingEncryptedSupportingTokens Assertion

Signed, endorsing, encrypted supporting tokens are signed, endorsing supporting tokens (See section 8.4) that are also encrypted when they appear in the wsse:SecurityHeader. The syntax for the sp:SignedEndorsingEncryptedSupportingTokens differs from the syntax of sp:SignedEndorsingSupportingTokens only in the name of the assertion itself. All nested policy is as per the sp:SignedEndorsingSupportingTokens assertion.

Renumber section 8.5 -> 8.8
Renumber section 8.6 -> 8.9

Regards

Gudge

> -----Original Message-----
> From: Marc Goodner [mailto:mgoodner@microsoft.com]
> Sent: 06 June 2006 06:59
> To: Prateek Mishra; ws-sx@lists.oasis-open.org
> Subject: [ws-sx] Issue 74: add <EncryptSupportingToken>
> element to Sections 7.4 and 7.5
>
> Logged as issue 74.
>
> -----Original Message-----
> From: Prateek Mishra [mailto:prateek.mishra@oracle.com]
> Sent: Monday, June 05, 2006 2:27 PM
> To: ws-sx@lists.oasis-open.org
> Cc: Marc Goodner
> Subject: NEW Issue: add <EncryptSupportingToken> element to
> Sections 7.4 and 7.5
>
> *PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL
> THE ISSUE IS ASSIGNED A NUMBER.*
>
> *The issues coordinators will notify the list when that has occurred.*
>
> Protocol: ws-sp
>
> ws-securitypolicy-1.2-spec-ed-01
>
> Artifact: spec
>
> Type: design
>
> Title: add <EncryptSupportingToken> element to Sections 7.4 and 7.5
>
> Description:
>
> There are many security contexts in which supporting tokens in
> (a)symmetric bindings are required to be encrypted. Typically, the
> supporting token is a username, saml or proprietary token but other
> possibilities also exist. This note proposes the addition of an
> <EncryptSupportingToken> element to symm. and asymm. bindings within
> ws-sp.
>
> Related issues:
>
> Proposed Resolution:
>
> (1) Add at end of Section 6:
>
> Section 6.8 [Encrypt Supporting Token] Property
>
> This boolean property specifies whether any supporting tokens found in
> the security header are encrypted. If the value is 'true', then all
> supporting tokens in the inbound and outbound messages MUST be encrypted.
> If the value is 'false', then supporting tokens in the inbound or
> outbound messages MUST NOT be encrypted. The default value for this
> property is false.
>
> (2) Add after line 1739
>
> /sp:SymmetricBinding/wsp:Policy/sp:EncryptSupportingToken
> This assertion indicates that the [Entire Supporting Token] property is
> set to 'true'.
>
> (3) Add after line 1945
>
> /sp:AsymmetricBinding/wsp:Policy/sp:EncryptSupportingToken
> This assertion indicates that the [Entire Supporting Token] property is
> set to 'true'.
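As an added example (not from this thread or the WS-SX TC), a small Python evaluator that reads a policy fragment using the per-assertion names proposed above, derives which protections each nested supporting token needs, and checks a receiver's post-decryption token inventory against them, showing the per-token selectivity that the blanket [Encrypt Supporting Token] property cannot express. The sp:/wsp: namespace URIs, the policy fragment and the inventory entries are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Namespace URIs are assumptions for this example; use the ones declared by
# the WS-SecurityPolicy / WS-Policy versions you actually deploy.
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"

# Protections each *SupportingTokens assertion demands of the tokens nested
# under it. The last three are the assertions proposed above; each differs
# from its unencrypted counterpart only by also requiring encryption.
REQUIREMENTS = {
    "SupportingTokens": set(),
    "SignedSupportingTokens": {"signed"},
    "EndorsingSupportingTokens": {"endorsing"},
    "SignedEndorsingSupportingTokens": {"signed", "endorsing"},
    "SignedEncryptedSupportingTokens": {"signed", "encrypted"},
    "EndorsingEncryptedSupportingTokens": {"endorsing", "encrypted"},
    "SignedEndorsingEncryptedSupportingTokens": {"signed", "endorsing", "encrypted"},
}

def required_protections(policy_xml):
    """Map each nested sp:*Token assertion to the protections its enclosing
    *SupportingTokens assertion requires, e.g. {"UsernameToken": {"signed", "encrypted"}}."""
    root = ET.fromstring(policy_xml)
    required = {}
    for name, protections in REQUIREMENTS.items():
        for assertion in root.iter(f"{{{SP}}}{name}"):
            for elem in assertion.iter():
                local = elem.tag.rsplit("}", 1)[-1]
                if elem.tag.startswith(f"{{{SP}}}") and local.endswith("Token"):
                    required[local] = protections
    return required

def check_header(policy_xml, inventory):
    """inventory: (token_type, protections_observed) pairs recorded by the
    receiver after decrypting the wsse:Security header. Returns violations."""
    required = required_protections(policy_xml)
    violations = []
    for token_type, observed in inventory:
        missing = required.get(token_type, set()) - observed
        if missing:
            violations.append(f"{token_type} missing {sorted(missing)}")
    return violations

# Constructed policy: the username token must be signed and encrypted, the
# SAML token only signed. A blanket property would force the same choice on both.
POLICY = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <sp:SignedEncryptedSupportingTokens><wsp:Policy><sp:UsernameToken/></wsp:Policy></sp:SignedEncryptedSupportingTokens>
  <sp:SignedSupportingTokens><wsp:Policy><sp:SamlToken/></wsp:Policy></sp:SignedSupportingTokens>
</wsp:Policy>"""
```

A plaintext username token in a header governed by this policy is reported as `UsernameToken missing ['encrypted']`, while the signed-only SAML token passes.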