Subject: RE: [wss] What is a "Security Token"
-----Original Message-----
From: Jerry Schwarz [mailto:jerry.schwarz@oracle.com]
Sent: Thursday, February 20, 2003 9:21 PM
To: wss@lists.oasis-open.org
Subject: [wss] What is a "Security Token"
This note discusses the use of the phrase "Security Token" within the core document. I have found it confusing and propose eliminating it.
The current draft (and I believe all earlier ones) defines "Security Token" as [209]
"A security token represents a collection of one or more claims".
And defines a claim as [188]
"A claim is a declaration made by an entity"
This language is confusing within the context of signatures. Section 8 [741] says "An XML Digital Signature can be used to bind a claim ...." which suggests, although it doesn't come out and say it, that the signature is not itself a claim.
Consider this in the context of example 2.4 [274] which contains a <wsse:UserName> element and a signature. The <UserName> element does not contain a digest. The commentary says [274] "the username token containing a claimed security identity". But an identity is not a declaration. The claim in the example is carried by the signature. It is something like:
- The entity identified in the <UserName> element has made a request for the stock information contained in the SOAP body.
I believe that the important concept is that of a direct subelement of a <Security> element, and that the semantics of that element should not be assumed to be a security token. I propose to call this a "security information element", or S-element for short, and to replace "security token" with that phrase throughout the document.
If this is agreed to I'll propose detailed edits.
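The distinction the post draws, as an added example that is not code from the thread, the WSS draft, or any WSS implementation: a <wsse:Security> header whose direct subelements are a UsernameToken and a ds:Signature. The UsernameToken carries a name and nothing that can be checked; the Signature, whose References cover both the token and the SOAP Body, is what makes the claim "the named entity made this request" verifiable. Assumptions: the wsse/wsu namespace URIs are the final OASIS WSS 1.0 ones (the draft under discussion predates them); `canon()` is a toy, prefix-independent serialisation standing in for Exclusive C14N; HMAC-SHA256 stands in for the certificate-based SignatureMethod of XML-DSig; the stock-quote body, the key and the usernames are constructed.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# SOAP 1.1 and XML-DSig URIs are the real ones; the wsse/wsu URIs are the
# final OASIS WSS 1.0 namespaces, used here as an assumption.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
for prefix, uri in (("soap", SOAP), ("ds", DS), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)

KEY = b"constructed-demo-hmac-key"  # constructed; stands in for the signer's key


def canon(elem):
    """Toy stand-in for Exclusive C14N: Clark-notation tags ({uri}local),
    sorted attributes, inter-element whitespace dropped. Deterministic, so
    build-time and verify-time digests agree regardless of prefixes."""
    out = [elem.tag]
    for name in sorted(elem.attrib):
        out.append(f" {name}={elem.attrib[name]!r}")
    out.append(">" + (elem.text or "").strip())
    for child in elem:
        out.append(canon(child) + (child.tail or "").strip())
    out.append(f"</{elem.tag}>")
    return "".join(out)


def digest(elem):
    return base64.b64encode(hashlib.sha256(canon(elem).encode()).digest()).decode()


def sign(signed_info, key):
    # HMAC-SHA256 over SignedInfo stands in for the XML-DSig SignatureMethod.
    mac = hmac.new(key, canon(signed_info).encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def build_envelope(username, symbol, key, signed=True):
    """Constructed request modelled on the thread's stock-quote example: a
    UsernameToken (no digest, no proof) plus, optionally, a Signature whose
    References cover both the token and the Body."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    token = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken", {f"{{{WSU}}}Id": "tok"})
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    body = ET.SubElement(env, f"{{{SOAP}}}Body", {f"{{{WSU}}}Id": "body"})
    ET.SubElement(body, "{http://example.org/stock}GetQuote").text = symbol  # constructed
    if signed:
        sig = ET.SubElement(sec, f"{{{DS}}}Signature")
        info = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
        for ref_id, target in (("tok", token), ("body", body)):
            ref = ET.SubElement(info, f"{{{DS}}}Reference", {"URI": "#" + ref_id})
            ET.SubElement(ref, f"{{{DS}}}DigestValue").text = digest(target)
        ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = sign(info, key)
    return ET.tostring(env, encoding="unicode")


def security_elements(envelope_xml):
    """Local names of the direct subelements of <wsse:Security> (the S-elements)."""
    root = ET.fromstring(envelope_xml)
    sec = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    return [child.tag.split("}")[1] for child in sec] if sec is not None else []


def signed_tags(envelope_xml, key):
    """Clark-notation tags the Signature provably covers; empty unless the
    SignatureValue verifies over SignedInfo and every Reference resolves to an
    element whose digest matches."""
    root = ET.fromstring(envelope_xml)
    sec = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    sig = sec.find(f"{{{DS}}}Signature") if sec is not None else None
    info = sig.find(f"{{{DS}}}SignedInfo") if sig is not None else None
    if info is None:
        return []
    if not hmac.compare_digest(sign(info, key), sig.findtext(f"{{{DS}}}SignatureValue", "")):
        return []
    by_id = {e.get(f"{{{WSU}}}Id"): e for e in root.iter() if e.get(f"{{{WSU}}}Id")}
    covered = []
    for ref in info.findall(f"{{{DS}}}Reference"):
        target = by_id.get(ref.get("URI", "")[1:])
        if target is None or not hmac.compare_digest(
            digest(target), ref.findtext(f"{{{DS}}}DigestValue", "")
        ):
            return []
        covered.append(target.tag)
    return covered


def bound_identity(envelope_xml, key):
    """The claim the thread describes: 'the entity named in the UsernameToken
    made this request'. Return the username only when the signature binds both
    the token and the Body; an unsigned or partly covered token is just text."""
    covered = signed_tags(envelope_xml, key)
    if f"{{{WSSE}}}UsernameToken" in covered and f"{{{SOAP}}}Body" in covered:
        return ET.fromstring(envelope_xml).findtext(f".//{{{WSSE}}}Username")
    return None
```

`security_elements()` enumerates what the post calls S-elements without presuming any of them is a token, while `bound_identity()` refuses to treat the UsernameToken as a claim unless a valid Signature covers both it and the Body: changing the username, changing the body, using the wrong key, or omitting the Signature all leave the identity unbound.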