security-services message



Subject: Re: [security-services] New Issue: AssertionID/WSS Direct reference compatibility


There already is such an envelope in WSS,
but its use (which causes in-lining) would preclude efficiencies
where the same on-msg token is used in multiple security operations
on the msg (i.e. as the KeyInfo of two signatures).

<wsse:Security>
  <wsse:STR>
    <wsse:Embedded>
      <saml:Assertion ID="bar">...</saml:Assertion>
    </wsse:Embedded>
  </wsse:STR>
</wsse:Security>

Gary Ellison and I once discussed the possibility of using the
wsse:Embedded element (which if used as such would then be
mis-named) as a generic token wrapper, but that approach has
yet to be adopted in any WSS profile.

I would prefer that SAML anticipate changes that are at least being
considered in the space of XML identifier attributes.

Paul Cotton sent the following references to the WSS TC. I don't
claim to completely understand their content, but it seems that
the ability to recognize identifier attributes without the schema
is a problem that is getting some attention, and that we should
consider making the SAML 2.0 schema compatible with the inclusion
of an externally defined identifier attribute.

http://www.w3.org/TR/2004/WD-xml-id-20040407/
http://www.w3.org/2001/tag/issues.html?type=1#xmlIDSemantics-32 


Ron

> Couldn't such an envelope be defined within WSS itself, where the 
> wsu:Id attribute is defined?
>
> - JohnK
>
> ext Greg Whitehead wrote:
>
>> Can we sidestep this issue by defining an envelope to use in 
>> combination with the STP?
>>
>> In other words:
>>
>> <wsse:Security>
>>   <saml:AssertionEnvelope wsu:Id="foo">
>>     <saml:Assertion ID="bar">...</saml:Assertion>
>>   </saml:AssertionEnvelope>
>> </wsse:Security>
>>
>> -Greg
>>
>>
>> To unsubscribe from this mailing list (and be removed from the roster 
>> of the OASIS TC), go to 
>> http://www.oasis-open.org/apps/org/workgroup/security-services/members/leave_workgroup.php. 
>>
>>
>>

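An added illustration of the identifier-recognition problem the thread turns on (example code, not from the list or either TC): a small Python resolver that looks up wsse:Reference URIs in a constructed Security header, recognising wsu:Id and xml:id from their namespaces alone but the unqualified SAML ID attribute only when it has been told about the SAML schema. It assumes the SAML 2.0 and WSS 1.0 namespace URIs (the thread predates the final SAML 2.0 spec) and rejects an identifier value carried by two different elements.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Identifier attributes recognisable from their namespace alone, no schema needed.
SCHEMA_FREE_IDS = {"{%s}Id" % WSU, "{http://www.w3.org/XML/1998/namespace}id"}
# Identifier attributes that are IDs only because the owning schema says so
# (SAML 2.0 types the unqualified ID attribute of saml:Assertion as xs:ID).
SCHEMA_IDS = {"{%s}Assertion" % SAML: "ID"}

# Constructed sample: one assertion used as the KeyInfo of two signatures,
# each pointing at it through SecurityTokenReference/Reference URI="#bar".
STR = ('<ds:Signature><ds:KeyInfo><wsse:SecurityTokenReference>'
       '<wsse:Reference URI="#bar"/></wsse:SecurityTokenReference>'
       '</ds:KeyInfo></ds:Signature>')
SAMPLE = ('<wsse:Security xmlns:wsse="%s" xmlns:wsu="%s" xmlns:saml="%s" '
          'xmlns:ds="%s"><saml:Assertion ID="bar" Version="2.0">...</saml:Assertion>'
          '%s%s</wsse:Security>' % (WSSE, WSU, SAML, DS, STR, STR))


def index_ids(root, use_schema_knowledge):
    """Map identifier values to elements. A value carried by two elements is
    rejected: a reference must never be satisfiable by more than one token."""
    ids = {}
    for el in root.iter():
        names = [n for n in SCHEMA_FREE_IDS if n in el.attrib]
        if use_schema_knowledge and SCHEMA_IDS.get(el.tag) in el.attrib:
            names.append(SCHEMA_IDS[el.tag])
        for name in names:
            value = el.attrib[name]
            if value in ids and ids[value] is not el:
                raise ValueError("identifier %r used by two elements" % value)
            ids[value] = el
    return ids


def resolve_str_references(xml_text, use_schema_knowledge):
    """Per wsse:Reference: the referenced element's tag, or None if unresolved."""
    root = ET.fromstring(xml_text)
    ids = index_ids(root, use_schema_knowledge)
    resolved = []
    for ref in root.iter("{%s}Reference" % WSSE):
        uri = ref.get("URI", "")
        target = ids.get(uri[1:]) if uri.startswith("#") else None
        resolved.append(None if target is None else target.tag)
    return resolved
```

Switching the assertion's identifier to wsu:Id or xml:id lets both references resolve with no schema knowledge at all, which is the property the xml:id work aims at.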

