Subject: Re: [wss] Action Item 2005-08-23-01: Kerberos Token Profile and RFC1510 vs RFC 4120
1.0 receivers should not choke if they get a new attribute, as the schema was defined for such extensibility.

Anthony Nadalin wrote On 10/03/05 22:41,:
> Why should 1.1 senders be required to send it as 1.0 endpoints may choke
> if they get it
>
> Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122
>
> ronald monzillo <Ronald.Monzillo@Sun.COM>
> 10/03/2005 01:20 PM
> Please respond to Ronald.Monzillo
>
> To: Martin Gudgin <mgudgin@microsoft.com>
> cc: Ronald.Monzillo@Sun.COM, wss@lists.oasis-open.org
> Subject: Re: [wss] Action Item 2005-08-23-01: Kerberos Token Profile and RFC1510 vs RFC 4120
>
> Martin Gudgin wrote On 10/03/05 08:17,:
>>
>>>-----Original Message-----
>>>From: ronald monzillo [mailto:Ronald.Monzillo@Sun.COM]
>>>Sent: 20 September 2005 16:30
>>>To: Martin Gudgin
>>>Cc: Ronald.Monzillo@Sun.COM; wss@lists.oasis-open.org
>>>Subject: Re: [wss] Action Item 2005-08-23-01: Kerberos Token
>>>Profile and RFC1510 vs RFC 4120
>>>
>>>Martin Gudgin wrote On 09/20/05 10:42,:
>>>
>>>>Ron,
>>>>
>>>>Sorry, I've just found this... I think I agree that we need to say
>>>>something about wsse11:TokenType.
>>>>
>>>>Regarding whether we define values for ValueType, I think it depends on
>>>>whether you think 1.1 token types can be used with WSS 1.0.
>>>>
>>>
>>>thanks - If necessary, I am OK with senders being required to specify
>>>ValueType in addition to TokenType (for this profile)
>>
>> I think my point was that a 1.0 sender might want to use the Kerberos
>> token. Such a sender would not know about wsse11:TokenType.
>
> Gudge,
>
> thanks for the clarification - I would prefer that the tokenType
> attribute always be specified, but given that some receivers will not
> see it even if it is sent, I accept that 1.0 implementations not be
> required to send it.
>
> If this is both a 1.0 and 1.1 profile, then it should spell out the
> requirements in each context (of course it would be simpler to focus on 1.1)
>
> e.g. 1.1 senders are required to set tokenType; 1.0 are not.
>
> would you recommend that keyidentifier:valueType also be sent in either
> context?
>
> Since the uri values are just now being invented, is there an
> opportunity to limit the use of these uri's to only within BST:ValueType?
>
> Ron
>>
>> Gudge
>>
>>>Ron
>>>
>>>>Gudge
>>>>
>>>>>-----Original Message-----
>>>>>From: Ron Monzillo [mailto:Ronald.Monzillo@Sun.COM]
>>>>>Sent: 06 September 2005 09:16
>>>>>To: Martin Gudgin
>>>>>Cc: wss@lists.oasis-open.org
>>>>>Subject: Re: [wss] Action Item 2005-08-23-01: Kerberos Token
>>>>>Profile and RFC1510 vs RFC 4120
>>>>>
>>>>>Martin,
>>>>>
>>>>>Does the Krb5 token profile require that 1.1 message senders set the
>>>>>wsse:TokenType attribute in STR values?
>>>>>
>>>>>Note that in lines 924 to 928 of the core we recommended that use of
>>>>>the Reference:ValueType attribute to identify the type of a referenced
>>>>>token be discontinued (and that new profiles should employ the TokenType
>>>>>attribute for this purpose).
>>>>>
>>>>>we expect that this may be an evolutionary process, where for some time,
>>>>>the ValueType attribute may continue to be used in addition to the
>>>>>TokenType attribute.
>>>>>
>>>>>Since the KrB5 profile is being standardized by 1.1, it would seem that
>>>>>we could do without specifying new values to be included in ValueType,
>>>>>and that these new token type identifying values could and should be
>>>>>introduced as TokenType values.
>>>>>
>>>>>Ron
>>>>>
>>>>>Martin Gudgin wrote:
>>>>>
>>>>>>Having surveyed the vast array of interop participants I believe we have
>>>>>>two possible courses of action;
>>>>>>
>>>>>>1. Do nothing.
>>>>>>
>>>>>>2. Update the Kerberos Token Profile by making the following
>>>>>>changes;
>>>>>>
>>>>>> a) Add a reference to RFC4120 to Section 5.
>>>>>>
>>>>>> b) Add 4 URIs to the table in Section 3.2 as follows
>>>>>>
>>>>>>URI:
>>>>>>http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ1510
>>>>>>Description: Kerberos v5 AP-REQ as defined in RFC1510. This ValueType is
>>>>>>used when the ticket is an AP Request per RFC1510
>>>>>>
>>>>>>URI:
>>>>>>http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
>>>>>>Description: A GSS wrapped Kerberos v5 AP-REQ as defined in the GSSAPI
>>>>>>specification. This ValueType is used when the ticket is an AP Request
>>>>>>(ST + Authenticator) per RFC1510.
>>>>>>
>>>>>>URI:
>>>>>>http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ4120
>>>>>>Description: Kerberos v5 AP-REQ as defined in RFC4120. This ValueType is
>>>>>>used when the ticket is an AP Request per RFC4120
>>>>>>
>>>>>>URI:
>>>>>>http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ4120
>>>>>>Description: A GSS wrapped Kerberos v5 AP-REQ as defined in the GSSAPI
>>>>>>specification. This ValueType is used when the ticket is an AP Request
>>>>>>(ST + Authenticator) per RFC4120.
>>>>>>
>>>>>> c) Amend the descriptions of the first URI currently in Section
>>>>>>3.2 as follows;
>>>>>>
>>>>>>URI:
>>>>>>http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ
>>>>>>Description: Kerberos v5 AP-REQ as defined in either RFC1510 and
>>>>>>RFC4120. This ValueType is used when the ticket is an AP Request.
>>>>>>
>>>>>>Regards
>>>>>>
>>>>>>Gudge
>>>>>>
>>>>>>---------------------------------------------------------------------
>>>>>>To unsubscribe from this mail list, you must leave the OASIS TC that
>>>>>>generates this mail. You may a link to this group and all your TCs in OASIS
>>>>>>at:
>>>>>>https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
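The sender/receiver combinations discussed in this thread, as an added example that is not part of the original messages or of any WSS implementation: a receiver resolves the type of a referenced token from wsse11:TokenType when it understands WSS 1.1 and from Reference/@ValueType otherwise. The helper names, the sample STR and the refuse-on-conflict rule are assumptions of this example; the type URI is the draft value proposed in the thread.

```python
import xml.etree.ElementTree as ET

WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSSE11 = "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
# Draft URI as proposed in the thread ("xx" is the thread's own placeholder).
KRB_4120 = ("http://docs.oasis-open.org/wss/2005/xx/"
            "oasis-2005xx-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ4120")


def make_str(token_type=None, value_type=None):
    """Build a constructed wsse:SecurityTokenReference as a sender would."""
    attrs = {f"{{{WSSE11}}}TokenType": token_type} if token_type else {}
    str_el = ET.Element(f"{{{WSSE}}}SecurityTokenReference", attrs)
    ref = ET.SubElement(str_el, f"{{{WSSE}}}Reference", {"URI": "#krb-token"})
    if value_type:
        ref.set("ValueType", value_type)
    return ET.tostring(str_el)


def resolve_token_type(xml_bytes, understands_11):
    """Return (type_uri, source) as a 1.0 or a 1.1 receiver would see it."""
    # Constructed input only; untrusted XML needs a hardened parser.
    str_el = ET.fromstring(xml_bytes)
    if str_el.tag != f"{{{WSSE}}}SecurityTokenReference":
        raise ValueError("not a SecurityTokenReference")
    ref = str_el.find(f"{{{WSSE}}}Reference")
    value_type = ref.get("ValueType") if ref is not None else None
    # A 1.0 receiver never looks at wsse11:TokenType: to it this is an
    # attribute from another namespace, skipped rather than rejected.
    token_type = str_el.get(f"{{{WSSE11}}}TokenType") if understands_11 else None
    if token_type and value_type and token_type != value_type:
        # Assumption of this example: conflicting hints are refused, not guessed.
        raise ValueError("TokenType and ValueType disagree")
    if token_type:
        return token_type, "wsse11:TokenType"
    if value_type:
        return value_type, "Reference/@ValueType"
    return None, "untyped"


if __name__ == "__main__":
    for tt, vt in [(KRB_4120, KRB_4120), (KRB_4120, None), (None, KRB_4120)]:
        msg = make_str(tt, vt)
        for v11 in (False, True):
            print("1.1" if v11 else "1.0", resolve_token_type(msg, v11)[1])
```

A message carrying only TokenType reaches a 1.0 receiver as an untyped reference, which is the case where sending ValueType as well matters.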