OASIS Mailing List Archives

wss message

Subject: RE: [wss] What is a "Security Token"


I agree that the current spec is broken. I suspect we need two collective terms: one for all the different kinds of elements that can go in a Security Header and one for things that contain claims.

However, I think you are misinterpreting the idea of a claim. Saying "Joe is an Admin" or "this is the public key of an authorized purchasing agent of GM" are claims. These are gathered into Tokens and signed by an Authority that asserts them to be facts.

What the signature does is not make a claim, but bind the claim to a message, allowing us to verify that the claims apply to the originator of some message. I think this is a reasonable distinction which we should preserve, but I agree it would be useful to have a term that encompasses the superset.

Hal
-----Original Message-----
From: Jerry Schwarz [mailto:jerry.schwarz@oracle.com]
Sent: Thursday, February 20, 2003 9:21 PM
To: wss@lists.oasis-open.org
Subject: [wss] What is a "Security Token"


This note discusses the use of the phrase "Security Token" within the core document. I have found it confusing and propose eliminating it.

The current draft (and I believe all earlier ones) defines "Security Token" as[209]

   "A security token represents a collection of one or more claims".

And defines a claim as [188]

   "A claim is a declaration made by an entity"

This language is confusing within the context of signatures.  Section 8 [741] says "An XML Digital Signature can be used to bind a claim ...." which suggests, although it doesn't come out and say it, that the signature is not itself a claim.

Consider this in the context of example 2.4 [274] which contains a <wsse:UserName> element and a signature.  The <UserName> element does not contain a digest.  The commentary says [274] "the username token containing a claimed security identity".  But an identity is not a declaration.  The claim in the example is carried by the signature.  It is something like

   "The entity identified in the <UserName> element has made a request for the stock information contained in the SOAP body."

I believe that the important concept is a direct subelement of a <Security> element and that the semantics of that element should not be assumed to be a security token.  I propose to call this a "security information element", or S-element for short, and to replace "security token" with the phrase throughout the document.

If this is agreed to I'll propose detailed edits.

