Subject: [ws-sx] New Issue: IncludeToken Policy Assertion Parameters and alternatives
PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL THE ISSUE IS ASSIGNED A NUMBER. The issues coordinators will notify the list when that has occurred.

*Protocol:* ws-securitypolicy
_http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/21362/ws-secureconversation-1.3-spec-cs-01.pdf_
_http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/23821/ws-securitypolicy-1.2-spec-cs.pdf_

*Artifact:* spec

*Type:* spec

*Title:* Policy Assertion Parameters and alternatives

*Description:*

As we know, WS Policy does not use Policy Assertion parameters when intersecting Policy Assertions. IMO this would impact WS Security Policy to a certain extent.

e.g.:

Alternative A
-------------------------------
<sp:AsymmetricBinding >
  <wsp:Policy>
    <sp:InitiatorToken >
      <sp:X509Token sp:IncludeToken = ".....Never">
        <wsp:Policy>
          <sp:RequireDerivedKeys ... />
          <sp:RequireKeyIdentifierReference ... />
        </wsp:Policy>
      </sp:X509Token>
    </sp:InitiatorToken >
    <sp:RecipientToken >
      <sp:X509Token sp:IncludeToken = ".......Never">
        <wsp:Policy>
          <sp:RequireDerivedKeys ... />
          <sp:RequireKeyIdentifierReference ... />
        </wsp:Policy>
      </sp:X509Token>
    </sp:RecipientToken >
  </wsp:Policy>
</sp:AsymmetricBinding >

Alternative B
-------------------------------
<sp:AsymmetricBinding >
  <wsp:Policy>
    <sp:InitiatorToken >
      <sp:X509Token sp:IncludeToken = "......Always">
        <wsp:Policy>
          <sp:RequireDerivedKeys ... />
          <sp:RequireKeyIdentifierReference ... />
        </wsp:Policy>
      </sp:X509Token>
    </sp:InitiatorToken >
    <sp:RecipientToken >
      <sp:X509Token sp:IncludeToken = "......Always">
        <wsp:Policy>
          <sp:RequireDerivedKeys ... />
          <sp:RequireKeyIdentifierReference ... />
        </wsp:Policy>
      </sp:X509Token>
    </sp:RecipientToken >
  </wsp:Policy>
</sp:AsymmetricBinding >

When intersected with the default algorithm of the policy framework, the resulting policy would contain mutually contradictory X509Token parameters. On one hand, the resulting policy would require never to include X509Tokens while at the same time always requiring to include X509Tokens. The intersection result would effectively yield an invalid policy.

Regards,
Venu
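The intersection described in the message, as an added example that is not part of the original e-mail or of any OASIS or W3C code: the framework's default compatibility rule (same QName, nested policies compared recursively, attributes ignored) applied to constructed versions of Alternatives A and B. The namespace URIs, the `wsp:Policy` wrapper placed under `sp:InitiatorToken`/`sp:RecipientToken`, the single-alternative treatment of nested policies and all function names are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Namespace URIs are assumptions of this example; the message elides them.
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
POLICY = f"{{{WSP}}}Policy"
INCLUDE = f"{{{SP}}}IncludeToken"

def alternative(include_token):
    """Constructed sample: one policy alternative shaped like the message's A/B."""
    token = (f'<sp:X509Token sp:IncludeToken="{SP}/IncludeToken/{include_token}">'
             '<wsp:Policy><sp:RequireDerivedKeys/>'
             '<sp:RequireKeyIdentifierReference/></wsp:Policy></sp:X509Token>')
    xml = (f'<sp:AsymmetricBinding xmlns:sp="{SP}" xmlns:wsp="{WSP}"><wsp:Policy>'
           f'<sp:InitiatorToken><wsp:Policy>{token}</wsp:Policy></sp:InitiatorToken>'
           f'<sp:RecipientToken><wsp:Policy>{token}</wsp:Policy></sp:RecipientToken>'
           '</wsp:Policy></sp:AsymmetricBinding>')
    return [ET.fromstring(xml)]

def nested(assertion):
    """Assertions of the nested policy (treated as one alternative), or None."""
    policy = assertion.find(POLICY)
    return None if policy is None else list(policy)

def compatible(a, b):
    """Default rule: same QName and compatible nested policy; attributes unused."""
    if a.tag != b.tag:
        return False
    na, nb = nested(a), nested(b)
    if na is None or nb is None:
        return na is nb  # compatible only if neither has a nested policy
    return alternatives_compatible(na, nb)

def alternatives_compatible(x, y):
    """Each assertion in one alternative must match an assertion in the other."""
    return (all(any(compatible(a, b) for b in y) for a in x)
            and all(any(compatible(b, a) for a in x) for b in y))

def intersect(x, y):
    """Intersection of two alternatives: every assertion of both, or None."""
    return x + y if alternatives_compatible(x, y) else None

def include_token_values(alt):
    """Distinct sp:IncludeToken values (last URI segment) carried by an alternative."""
    return sorted({el.get(INCLUDE).rsplit("/", 1)[1]
                   for a in alt for el in a.iter() if el.get(INCLUDE)})

if __name__ == "__main__":
    merged = intersect(alternative("Never"), alternative("Always"))
    print(len(merged), include_token_values(merged))
```

A consumer that wants to reject such results can run a domain-specific check after intersection, for example treating more than one distinct `sp:IncludeToken` value for the same token assertion as an error.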