OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [security-services] New Issue: AssertionID/ WSS Direct referencecompatability

Greg Whitehead wrote:

> On Jul 13, 2004, at 3:07 PM, Ron Monzillo wrote:
>> There already is such an envelope in WSS
>> but it's use (which causes in-lining) would preclude efficiencies
>> where the same on msg token is used in multiple security opertaions
>> on the msg (i.e. as the KeyInfo of two signatures)
> The Embedded wrapper is different than what I am proposing -- as you 
> point out, the Embedded wrapper precludes multiple use. What I am 
> proposing is a wrapper that can carry the wsu:Id attribute without 
> creating problems with our own schema, or requiring assertion 
> generators to know a-priori how an assertion will be transported.

I am not a fan of the token wrapping approach, but let me clarify
what I wrote in my previous msg.

WSS already has an STR that can carry an embedded token.
Tokens are embedded in this STR by encapsulating them in an
internal to the STR element called "Embedded".

WSS does not define the use of the "Embedded" element
outside of an STR, and the "Embedded" element would need a
bit of a tuneup to be completely useful as a standalone XML token wrapper.

It is the use of an STR that carries an embedded token that precludes
multiple use of the same instance of the token. Fleshing out the 
semantics of
the "Embedded" element  (and likely renaming it) to serve as a sort of 
token wrapper is what I was describing as the logical place to evolve token
wrapping functionality in WSS.

I think wrapping SHOULD only be necessary for encoded tokens and for
tokens that do not have an identifier attribute. Neither of these concerns
apply to SAML assertions.

The resolution to restrict which id's can be used in a local direct
reference is inspiring convergence on a common but temporary id name, which
itself likely will either need to change in the future, or will become 
unnecessary along
with any encapsulation required to sustain it.

Despite my view that the WSS core should consolidiate on one simpler,
more complete, and  better understood token wrapping mechanism, I do NOT 
that profiles of security tokens that do not suffer from either of
the concerns listed above should advocate the use of wrapping mechanisms to
in lieu of being able to use native identfiers in local direct references.

The short term work-around for that problem is to use a KeyIdentifier, 
the solution may be to evolve both WSS and the token schema ids to match 
the outcome
of the xml:id activity (which will not require encapsulation).


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]