
ws-sx message



Subject: [ws-sx] New Issue: IncludeToken Policy Assertion Parameters and alternatives


PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL 
THE ISSUE IS ASSIGNED A NUMBER.
The issues coordinators will notify the list when that has occurred.
*Protocol:* ws-securitypolicy
_http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/21362/ws-secureconversation-1.3-spec-cs-01.pdf_ 

_http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/23821/ws-securitypolicy-1.2-spec-cs.pdf_ 

*Artifact:* spec
*Type:* spec
*Title:*  Policy Assertion Parameters and alternatives
*Description:*

As we know, WS Policy does not use Policy Assertion parameters when 
intersecting Policy Assertions. IMO this would impact WS Security Policy 
to a certain extent.
e.g.:

Alternative A
-------------------------------
<sp:AsymmetricBinding>
  <wsp:Policy>
    <sp:InitiatorToken>
      <sp:X509Token sp:IncludeToken=".....Never">
        <wsp:Policy>
          <sp:RequireDerivedKeys ... />
          <sp:RequireKeyIdentifierReference ... />
        </wsp:Policy>
      </sp:X509Token>
    </sp:InitiatorToken>

    <sp:RecipientToken>
      <sp:X509Token sp:IncludeToken=".......Never">
        <wsp:Policy>
          <sp:RequireDerivedKeys ... />
          <sp:RequireKeyIdentifierReference ... />
        </wsp:Policy>
      </sp:X509Token>
    </sp:RecipientToken>
  </wsp:Policy>
</sp:AsymmetricBinding>


Alternative B
-------------------------------
<sp:AsymmetricBinding>
  <wsp:Policy>
    <sp:InitiatorToken>
      <sp:X509Token sp:IncludeToken="......Always">
        <wsp:Policy>
          <sp:RequireDerivedKeys ... />
          <sp:RequireKeyIdentifierReference ... />
        </wsp:Policy>
      </sp:X509Token>
    </sp:InitiatorToken>

    <sp:RecipientToken>
      <sp:X509Token sp:IncludeToken="......Always">
        <wsp:Policy>
          <sp:RequireDerivedKeys ... />
          <sp:RequireKeyIdentifierReference ... />
        </wsp:Policy>
      </sp:X509Token>
    </sp:RecipientToken>
  </wsp:Policy>
</sp:AsymmetricBinding>



When intersected with the default algorithm of the policy framework the 
resulting policy would contain mutually contradictory X509Token 
parameters. On one hand, the resulting policy would require never to 
include X509Tokens while at the same time always requiring to include 
X509Tokens. The intersection result would effectively yield an invalid 
policy.


Regards,
Venu
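
Added example, not part of the original message or of either specification: a simplified Python model of WS-Policy intersection, where compatibility is decided by assertion QName and nested policy only, showing that Alternatives A and B are judged compatible and the merged alternative carries both IncludeToken values. The `urn:example:` namespace and IncludeToken values, the helper names, and the wsp:Policy wrappers placed under the token assertions are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

WSP = "http://www.w3.org/ns/ws-policy"  # WS-Policy 1.5 namespace
SP = "urn:example:sp"                   # placeholder namespace (constructed)

def binding(include):
    """Constructed, trimmed form of the alternatives quoted in the message."""
    tok = (f'<sp:X509Token sp:IncludeToken="urn:example:{include}"><wsp:Policy>'
           '<sp:RequireDerivedKeys/><sp:RequireKeyIdentifierReference/>'
           '</wsp:Policy></sp:X509Token>')
    return ET.fromstring(
        f'<sp:AsymmetricBinding xmlns:sp="{SP}" xmlns:wsp="{WSP}"><wsp:Policy>'
        f'<sp:InitiatorToken><wsp:Policy>{tok}</wsp:Policy></sp:InitiatorToken>'
        f'<sp:RecipientToken><wsp:Policy>{tok}</wsp:Policy></sp:RecipientToken>'
        '</wsp:Policy></sp:AsymmetricBinding>')

def nested(assertion):
    """Assertions of the nested wsp:Policy (one alternative), or None."""
    policy = assertion.find(f"{{{WSP}}}Policy")
    return None if policy is None else list(policy)

def compatible(a, b):
    """Same QName and compatible nested policies; attributes are never read."""
    if a.tag != b.tag:
        return False
    na, nb = nested(a), nested(b)
    if na is None or nb is None:
        return na is None and nb is None
    return alt_compatible(na, nb)

def alt_compatible(xs, ys):
    """Each assertion on one side needs a compatible one on the other side."""
    return (all(any(compatible(x, y) for y in ys) for x in xs)
            and all(any(compatible(y, x) for x in xs) for y in ys))

def intersect(alt_a, alt_b):
    """Compatible alternatives merge into one holding all assertions of both."""
    return alt_a + alt_b if alt_compatible(alt_a, alt_b) else None

def include_token_values(alternative):
    """Distinct sp:IncludeToken parameter values found in an alternative."""
    key = f"{{{SP}}}IncludeToken"
    return sorted({e.get(key) for a in alternative for e in a.iter() if e.get(key)})

if __name__ == "__main__":
    merged = intersect([binding("Never")], [binding("Always")])
    print("compatible:", merged is not None)
    print("IncludeToken values in result:", include_token_values(merged))
```

A consumer that wants to catch this case has to compare the parameter values itself after intersection, for example by rejecting any result where `include_token_values` returns more than one value.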


