Subject: Re: [wss] Action Item 2005-08-23-01: Kerberos Token Profile and RFC1510 vsRFC 4120


Why should 1.1 senders be required to send it, as 1.0 endpoints may choke if they get it?

Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122


From: ronald monzillo <Ronald.Monzillo@Sun.COM>
Date: 10/03/2005 01:20 PM
Please respond to: Ronald.Monzillo
To: Martin Gudgin <mgudgin@microsoft.com>
cc: Ronald.Monzillo@Sun.COM, wss@lists.oasis-open.org
Subject: Re: [wss] Action Item 2005-08-23-01: Kerberos Token Profile and RFC1510 vs RFC 4120


Martin Gudgin wrote On 10/03/05 08:17,:
>
>>-----Original Message-----
>>From: ronald monzillo [mailto:Ronald.Monzillo@Sun.COM]
>>Sent: 20 September 2005 16:30
>>To: Martin Gudgin
>>Cc: Ronald.Monzillo@Sun.COM; wss@lists.oasis-open.org
>>Subject: Re: [wss] Action Item 2005-08-23-01: Kerberos Token
>>Profile and RFC1510 vs RFC 4120
>>
>>Martin Gudgin wrote On 09/20/05 10:42,:
>>
>>>Ron,
>>>
>>>Sorry, I've just found this... I think I agree that we need to say
>>>something about wsse11:TokenType.
>>>
>>>Regarding whether we define values for ValueType, I think it depends on
>>>whether you think 1.1 token types can be used with WSS 1.0.
>>>
>>thanks - If necessary, I am OK with senders being required to specify
>>ValueType in addition to TokenType (for this profile)
>
> I think my point was that a 1.0 sender might want to use the Kerberos
> token. Such a sender would not know about wsse11:TokenType.

Gudge,

Thanks for the clarification - I would prefer that the TokenType
attribute always be specified, but given that some receivers will not
see it even if it is sent, I accept that 1.0 implementations not be
required to send it.

If this is both a 1.0 and 1.1 profile, then it should spell out the
requirements in each context (of course it would be simpler to focus on 1.1).

e.g. 1.1 senders are required to set TokenType; 1.0 are not.

Would you recommend that KeyIdentifier:ValueType also be sent in either
context?

Since the URI values are just now being invented, is there an
opportunity to limit the use of these URIs to only within BST:ValueType?

Ron
>
> Gudge
>
>
>>Ron
>>
>>>Gudge
>>>
>>>>-----Original Message-----
>>>>From: Ron Monzillo [mailto:Ronald.Monzillo@Sun.COM]
>>>>Sent: 06 September 2005 09:16
>>>>To: Martin Gudgin
>>>>Cc: wss@lists.oasis-open.org
>>>>Subject: Re: [wss] Action Item 2005-08-23-01: Kerberos Token
>>>>Profile and RFC1510 vs RFC 4120
>>>>
>>>>Martin,
>>>>
>>>>Does the Krb5 token profile require that 1.1 message senders set the
>>>>wsse:TokenType attribute in STR values?
>>>>
>>>>Note that in lines 924 to 928 of the core we recommended that use of
>>>>the Reference:ValueType attribute to identify the type of a referenced
>>>>token be discontinued (and that new profiles should employ the TokenType
>>>>attribute for this purpose).
>>>>
>>>>We expect that this may be an evolutionary process, where for some time
>>>>the ValueType attribute may continue to be used in addition to the
>>>>TokenType attribute.
>>>>
>>>>Since the Krb5 profile is being standardized by 1.1, it would seem that
>>>>we could do without specifying new values to be included in ValueType,
>>>>and that these new token type identifying values could and should be
>>>>introduced as TokenType values.
>>>>
>>>>Ron
>>>>
>>>>Martin Gudgin wrote:
>>>>
>>>>>Having surveyed the vast array of interop participants I believe we have
>>>>>two possible courses of action;
>>>>>
>>>>>1. Do nothing.
>>>>>
>>>>>2. Update the Kerberos Token Profile by making the following
>>>>>changes;
>>>>>
>>>>> a) Add a reference to RFC4120 to Section 5.
>>>>>
>>>>> b) Add 4 URIs to the table in Section 3.2 as follows
>>>>>
>>>>>URI:
>>>>>http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ1510
>>>>>Description: Kerberos v5 AP-REQ as defined in RFC1510. This ValueType is
>>>>>used when the ticket is an AP Request per RFC1510
>>>>>
>>>>>URI:
>>>>>http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
>>>>>Description: A GSS wrapped Kerberos v5 AP-REQ as defined in the GSSAPI
>>>>>specification. This ValueType is used when the ticket is an AP Request
>>>>>(ST + Authenticator) per RFC1510.
>>>>>
>>>>>URI:
>>>>>http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ4120
>>>>>Description: Kerberos v5 AP-REQ as defined in RFC4120. This ValueType is
>>>>>used when the ticket is an AP Request per RFC4120
>>>>>
>>>>>URI:
>>>>>http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ4120
>>>>>Description: A GSS wrapped Kerberos v5 AP-REQ as defined in the GSSAPI
>>>>>specification. This ValueType is used when the ticket is an AP Request
>>>>>(ST + Authenticator) per RFC4120.
>>>>>
>>>>> c) Amend the description of the first URI currently in Section
>>>>>3.2 as follows;
>>>>>
>>>>>URI:
>>>>>http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ
>>>>>Description: Kerberos v5 AP-REQ as defined in either RFC1510 or
>>>>>RFC4120. This ValueType is used when the ticket is an AP Request.
>>>>>
>>>>>Regards
>>>>>
>>>>>Gudge

--



---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  You may a link to this group and all your TCs in OASIS
at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php 
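The compatibility point argued in the thread above (a WSS 1.1 sender sets wsse11:TokenType on the SecurityTokenReference, a WSS 1.0 sender does not know that attribute and identifies the token only through ValueType, and the Reference:ValueType form is on its way out but may linger) can be made concrete as receiver-side logic. The following is an added example written for this page; it is not code from the thread, from the OASIS TC, or from any WSS implementation. It assumes the standard wsse/wsse11/wsu namespace URIs and reuses the draft "2005/xx" profile URIs quoted in the thread as placeholders, not the URIs of the published profile. The function names `sample_security_header` and `resolve_token_type` are the example's own.

```python
"""Resolve the Kerberos token type referenced by a WS-Security STR.

Added example (not from the OASIS thread or the Kerberos Token Profile).
Precedence mirrors the evolution discussed in the thread:
  1. wsse11:TokenType on the STR            (WSS 1.1 senders)
  2. ValueType on wsse:Reference            (legacy, discouraged by the core)
  3. ValueType on the referenced BST        (WSS 1.0 senders)
"""
import xml.etree.ElementTree as ET

# Standard WSS namespace URIs (assumed constants of this example).
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSSE11 = "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"

# Draft profile URIs exactly as proposed in the thread ("xx" placeholder kept as-is).
PROFILE = "http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-kerberos-token-profile-1.1"
KNOWN_TYPES = {
    PROFILE + "#Kerberosv5_AP_REQ",
    PROFILE + "#Kerberosv5_AP_REQ1510",
    PROFILE + "#GSS_Kerberosv5_AP_REQ1510",
    PROFILE + "#Kerberosv5_AP_REQ4120",
    PROFILE + "#GSS_Kerberosv5_AP_REQ4120",
}


def sample_security_header(wss11_sender: bool, value_type: str,
                           legacy_reference_value_type: bool = False) -> str:
    """Build a constructed (not captured) minimal wsse:Security fragment.

    A 1.1 sender adds wsse11:TokenType on the STR; a 1.0 sender omits it.
    legacy_reference_value_type additionally puts ValueType on wsse:Reference.
    The token bytes are a dummy base64 string, not a real AP-REQ.
    """
    tt = f' wsse11:TokenType="{value_type}"' if wss11_sender else ""
    rvt = f' ValueType="{value_type}"' if legacy_reference_value_type else ""
    return (
        f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsse11="{WSSE11}" xmlns:wsu="{WSU}">'
        f'<wsse:BinarySecurityToken wsu:Id="KerbToken" ValueType="{value_type}"'
        f' EncodingType="{B64}">QUJDRA==</wsse:BinarySecurityToken>'
        f'<wsse:SecurityTokenReference{tt}>'
        f'<wsse:Reference URI="#KerbToken"{rvt}/>'
        f'</wsse:SecurityTokenReference>'
        f'</wsse:Security>'
    )


def resolve_token_type(security_xml: str) -> str:
    """Return the token-type URI for the token referenced by the STR.

    Raises ValueError when no type information is present, when the local
    reference cannot be resolved, or when the type is not a known profile URI.
    """
    root = ET.fromstring(security_xml)
    str_el = root.find(f"{{{WSSE}}}SecurityTokenReference")
    if str_el is None:
        raise ValueError("no SecurityTokenReference in header")

    # 1. WSS 1.1 form: the STR names the token type directly.
    token_type = str_el.get(f"{{{WSSE11}}}TokenType")

    if token_type is None:
        ref = str_el.find(f"{{{WSSE}}}Reference")
        if ref is None or not ref.get("URI", "").startswith("#"):
            raise ValueError("STR carries neither TokenType nor a local Reference")
        # 2. Legacy form: Reference:ValueType (the core recommends discontinuing it).
        token_type = ref.get("ValueType")
        if token_type is None:
            # 3. WSS 1.0 form: follow the local reference to the BST's ValueType.
            target_id = ref.get("URI")[1:]
            bst = next((b for b in root.iter(f"{{{WSSE}}}BinarySecurityToken")
                        if b.get(f"{{{WSU}}}Id") == target_id), None)
            if bst is None:
                raise ValueError(f"referenced token {target_id!r} not found")
            token_type = bst.get("ValueType")

    if token_type not in KNOWN_TYPES:
        raise ValueError(f"unrecognised Kerberos token type: {token_type!r}")
    return token_type


if __name__ == "__main__":
    for wss11 in (True, False):
        hdr = sample_security_header(wss11, PROFILE + "#Kerberosv5_AP_REQ4120")
        print("1.1" if wss11 else "1.0", "sender ->", resolve_token_type(hdr))
```

Because the receiver consults TokenType first and only then falls back to ValueType, it accepts both 1.0 and 1.1 senders without requiring the attribute, which is the position Ron accepts above; an unknown URI in any of the three places is rejected rather than silently treated as a Kerberos token.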