Re: [soa-rm-ra] WS Trust

[Danny Thornton <danny_thornton2@yahoo.com>]

Hi Duane,

Can you abstract the WS out and add that to the
security section?  The SOA reference architecture
should be equally valid for a non WS environment. 
There are many development environments, particularly
in the real time world, that can be service oriented
but not WS based.  

Danny


--- Ken Laskey <klaskey@mitre.org> wrote:

> OK, how does this work with the PDP and PEP ala
> XACML?
> 
> Ken
> 
> On Dec 7, 2006, at 1:06 PM, Chiusano, Joseph wrote:
> 
> > In case it helps, here is an excerpt from a March
> 2003 article that  
> > I wrote on WS-Trust - though the spec has changed
> since then, I  
> > think if you look at the description I provided
> below, most if not  
> > all of the concepts can be applied to the figure
> that Duane  
> > provided. The figure below is my own, as there was
> no such figure  
> > in WS-Trust at the time.
> >
> > Joe
> >
> > P.S. My other choice was to send you a very short
> block of Word Art  
> > with the word "voiceover".;)
> >
> > Managing Trust Relationships: WS-Trust
> >
> > All of the concepts discussed to this point are
> highly important,  
> > but they cannot be useful unless there is a trust
> relationship  
> > between two parties. This is the focus of WS-Trust
> specification,  
> > released in December by 2002 by Microsoft, IBM,
> Verisign, and RSA  
> > Security.
> >
> > Trust Engine/Security Token Service
> >
> > WS-Trust introduces the notion of a trust engine,
> a conceptual  
> > component of a Web service that evaluates the
> security-related  
> > aspects of a message. A trust engine verifies
> that:
> >
> > The claims in a security token are sufficient to
> comply with the  
> > policy and that the message conforms to the
> policy.
> > The attributes of the claimant are proven by the
> signatures.
> > The issuers of the security tokens are trusted to
> issue the claims  
> > they have made.
> > For example, if a policy stated that only Kerberos
> tickets were  
> > accepted as a security token, the trust engine of
> a Web service  
> > would enforce this requirement for all incoming
> messages. The WS- 
> > Trust specification also introduces the notion of
> a security token  
> > service that issues security tokens based on
> trust, similar to a  
> > certificate authority (CA).
> >
> > The figure below depicts a "sender" and "receiver"
> Web service,  
> > each with its own trust engine. A security token
> service is also  
> > depicted, from which the sender Web service will
> request a security  
> > token to be used for its interaction with the
> receiver Web service.  
> > The sender Web service can request a security
> token based on the  
> > receiver Web service's policies, using the
> mechanisms described  
> > earlier in this article. The sender Web service
> will use its trust  
> > engine to authenticate the security token service,
> while the  
> > receiver Web service will use its trust engine to
> authenticate the  
> > sender Web service.
> >
> >
> >
> > XML Example: Security Token Request/Response
> >
> > The following example demonstrates a request for a
> security token  
> > (X.509 certificate), and the response with the
> certificate. The  
> > <wsse:BinarySecurityToken> was seen earlier in the
> description of  
> > the WS-Security specification.
> >
> > <wsse:RequestSecurityToken>
> >   <wsse:TokenType>wsse:X509v3</wsse:TokenType>
> >  
> <wsse:RequestType>wsse:ReqIssue</wsse:RequestType>
> > </wsse:RequestSecurityToken>
> >
> > <wsse:RequestSecurityTokenResponse>
> >   <wsse:RequestedSecurityToken>
> >     <BinarySecurityToken ValueType="wsse:X509v3"
> >                         
> EncodingType="wsse:Base64Binary">
> >                         
> MIIEZzCCA9CgAwIBAgIQEmtJZc0...
> >     </BinarySecurityToken>
> >   </wsse:RequestedSecurityToken>
> > </wsse:RequestSecurityTokenResponse>
> > In the above example, the <wsse:RequestType>
> element value of  
> > "ReqIssue" denotes the issuance of a security
> token. Other valid  
> > values are "ReqValidate" (validate security token)
> and  
> > "ReqExchange" (exchange security token).
> >
> > Challenges
> >
> > In some cases, a security token service may choose
> to challenge the  
> > requestor of a security token. For example, this
> may occur if the  
> > security token service does not trust the nonce
> and timestamp (for  
> > example, the freshness) in the message. Or, the
> security token  
> > service may challenge the signature within the
> message. Challenge  
> > requests and responses are issued by specifying
> challenge and  
> > response elements within a
> <wsse:RequestSecurityTokenResponse>  
> > element, in a negotiation-type scenario.
> >
> > XML Example: Signature Challenge
> >
> > Signature challenges are processed using the
> <wsse:SignChallenge>  
> > element, as shown in the following example:
> >
> > <wsse:SignChallenge>
> >   <wsse:Challenge>Describes the message parts to
> be
> >                   signed...</wsse:Challenge>
> >  
>
<wsse:SecurityTokenReference>...</wsse:SecurityTokenReference>
> > </wsse:SignChallenge>
> > The <wsse:Challenge> element in the above example
> uses one of two  
> > possible mechanisms to describe the message parts
> to be signed:  
> > either an XPath expression, or one of several
> "message part  
> > selection functions" that are defined in the
> WS-PolicyAssertions  
> > specification. The <wsse:SecurityTokenReference>
> element is used to  
> > reference security tokens that are passed as part
> of the  
> > negotiation process. Once the sender receives this
> challenge, they  
> > would normally create a new signature that
> includes the specified  
> > message parts and return the new signature in a  
> > <wsse:SignChallengeResponse> element.
> >
> > Specification Location
> >
> > The WS-Trust specification can be found at http://
> 
> > msdn.microsoft.com/ws/2002/12/ws-trust.
> >
> >
> > Joseph Chiusano
> > Associate
> >
> > Booz | Allen | Hamilton
> > 700 13th St. NW, Suite 1100
> > Washington, DC 20005
> > O: 202-508-6514
> > C: 202-251-0731
> > Visit us online@ http://www.boozallen.com
> >
> >
> > From: Ken Laskey [mailto:klaskey@mitre.org]
> > Sent: Thursday, December 07, 2006 12:54 PM
> > To: Duane Nickull
> > Cc: soa-rm-ra@lists.oasis-open.org
> > Subject: Re: [soa-rm-ra] WS Trust
> >
> > A short voiceover?
> >
> > On Dec 7, 2006, at 12:44 PM, Duane Nickull wrote:
> >
> 
=== message truncated ===



 
____________________________________________________________________________________
Do you Yahoo!?
Everyone is raving about the all-new Yahoo! Mail beta.
http://new.mail.yahoo.com