Subject: Re: [security-services] New Issue: AssertionID/WSS Direct reference compatibility
There already is such an envelope in WSS, but its use (which causes in-lining) would preclude efficiencies where the same on msg token is used in multiple security operations on the msg (i.e. as the KeyInfo of two signatures).

    <wsse:Security>
      <wsse:STR>
        <wsse:Embedded>
          <saml:Assertion ID="bar">...</saml:Assertion>
        </wsse:Embedded>
      </wsse:STR>
    </wsse:Security>

Gary Ellison and I once discussed the possibility of using the wsse:Embedded element (which if used as such would then be mis-named) as a generic token wrapper, but that approach has yet to be adopted in any WSS profile.

I would prefer that SAML anticipate changes that are at least being considered in the space of XML identifier attributes.

Paul Cotton sent the following references to the WSS TC. I don't claim to completely understand their content, but it seems that the ability to recognize identifier attributes without the schema is a problem that is getting some attention, and that we should consider making the SAML 2.0 schema compatible with the inclusion of an externally defined identifier attribute.

http://www.w3.org/TR/2004/WD-xml-id-20040407/
http://www.w3.org/2001/tag/issues.html?type=1#xmlIDSemantics-32

Ron

> Couldn't such an envelope be defined within WSS itself, where the
> wsu:Id attribute is defined?
>
> - JohnK
>
> ext Greg Whitehead wrote:
>
>> Can we sidestep this issue by defining an envelope to use in
>> combination with the STP?
>>
>> In other words:
>>
>> <wsse:Security>
>>   <saml:AssertionEnvelope wsu:id="foo">
>>     <saml:Assertion ID="bar">...</saml:Assertion>
>>   </saml:AssertionEnvelope>
>> </wsse:Security>
>>
>> -Greg
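Added illustration of the schema-less identifier problem discussed in the message above; it is not code from the thread or from any WSS or SAML implementation. It assumes the namespace URIs of the published WSS 1.0 and SAML 2.0 schemas, uses `wsu:Id` as the attribute is defined in WSS, and treats `saml:AssertionEnvelope` as the hypothetical wrapper proposed in the thread.

```python
import xml.etree.ElementTree as ET

# Namespace URIs from the published WSS 1.0 / SAML 2.0 schemas (an assumption:
# the message itself shows only the prefixes).
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XML = "http://www.w3.org/XML/1998/namespace"

# Globally named ID attributes: recognisable on any element with no schema.
GLOBAL_ID_ATTRS = ("{%s}Id" % WSU, "{%s}id" % XML)
# Unqualified ID attributes need per-element knowledge (what a schema supplies).
SCHEMA_ID_ATTRS = {"{%s}Assertion" % SAML: "ID"}

# Constructed sample: the envelope form proposed in the thread.
# saml:AssertionEnvelope is the hypothetical wrapper, not a SAML schema element.
SAMPLE = """
<wsse:Security xmlns:wsse="%s" xmlns:wsu="%s" xmlns:saml="%s">
  <saml:AssertionEnvelope wsu:Id="foo">
    <saml:Assertion ID="bar"/>
  </saml:AssertionEnvelope>
</wsse:Security>""" % (WSSE, WSU, SAML)

def id_values(el, schema_aware):
    """ID values this processor is able to recognise on one element."""
    vals = [el.get(a) for a in GLOBAL_ID_ATTRS]
    if schema_aware and el.tag in SCHEMA_ID_ATTRS:
        vals.append(el.get(SCHEMA_ID_ATTRS[el.tag]))
    return [v for v in vals if v is not None]

def resolve(root, ref, schema_aware=False):
    """Resolve a '#id' direct reference; refuse missing or ambiguous targets."""
    wanted = ref[1:] if ref.startswith("#") else ref
    hits = [el for el in root.iter() if wanted in id_values(el, schema_aware)]
    if len(hits) != 1:
        raise LookupError("%r matched %d elements" % (ref, len(hits)))
    return hits[0]

def local(el):
    """Local name of an element, without its namespace."""
    return el.tag.rsplit("}", 1)[-1]

ROOT = ET.fromstring(SAMPLE.strip())
```

A processor with no SAML schema knowledge resolves `#foo` to the envelope but cannot resolve `#bar`; only with `schema_aware=True` does `#bar` reach the assertion.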