[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [ws-sx] Issue 001 - Revocation versus cancellation of security tokens
This has been added to the issue list as issue 1. http://docs.oasis-open.org/ws-sx/issues/Issues.xml#i001
From: de Boer, Martijn [mailto:martijn.de.boer@sap.com]

The specification is not clear on the difference between revocation and canceling a security token. Assume the following scenario: a WS consumer requests a token from an STS and includes the token in a SOAP message sent to the WS provider. Now the WS consumer may cancel the token at any point in time. The specification does not state the consequences of canceling a token.

During our discussion, we came to the following clarification: the cancel operation is a purely local operation on the STS. After canceling a token, an STS MUST NOT validate or renew the token. An STS MAY initiate the revocation of a token; however, revocation is out of scope of this specification and a client MUST NOT rely on it.

I'd suggest the following wording for clarification for "chapter 8: Cancel Binding":

Cancel – When a previously issued token is no longer needed, the Cancel binding can be used to cancel the token. After canceling a token at the issuer, an STS MUST NOT validate or renew the token. An STS MAY initiate the revocation of a token; however, revocation is out of scope of this specification and a client MUST NOT rely on it. If a client needs to ensure the validity of a token, it must validate the token at the issuer.

Regards,
Martijn de Boer
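The scenario in the message above, modelled as an added example (this is not code from the ws-sx TC, the WS-Trust specification, or the poster). It is not a WS-Trust implementation: tokens are HMAC-signed JSON blobs instead of RST/RSTR SOAP messages, and the WS provider is assumed to share the STS signing key so it can check signatures without an issuer round trip. The names `STS`, `verify_signature`, `provider_accepts` and `demo` are hypothetical. What it shows is the consequence of cancellation being local to the STS: after `cancel`, Validate and Renew refuse the token at the issuer, but a provider that only checks signature and expiry still accepts it, because nothing about the token itself has changed.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time


class TokenRejected(Exception):
    """Raised when a token fails a check (malformed, bad signature, expired, cancelled)."""


def verify_signature(token: str, key: bytes) -> dict:
    """Check the HMAC over the token body and return the claims.
    Modelling assumption: the relying party shares the STS signing key. A real
    WS provider would verify an XML signature with the STS public key instead."""
    try:
        body_b64, sig = token.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64.encode())
    except (ValueError, binascii.Error):
        raise TokenRejected("malformed")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        raise TokenRejected("bad signature")
    return json.loads(body)


class STS:
    """Minimal model of a Security Token Service with Issue, Validate, Renew and
    Cancel bindings. Cancellation is purely local STS state, as the thread
    proposes: nothing is pushed to relying parties."""

    def __init__(self, key: bytes):
        self._key = key
        self._cancelled = set()  # ids of tokens cancelled via the Cancel binding

    def _encode(self, claims: dict) -> str:
        body = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        return base64.urlsafe_b64encode(body).decode() + "." + sig

    def issue(self, subject: str, lifetime_s: int, now: float) -> str:
        claims = {"id": secrets.token_hex(8), "sub": subject, "exp": now + lifetime_s}
        return self._encode(claims)

    def _check(self, token: str, now: float) -> dict:
        """Signature, expiry and cancellation check shared by Validate and Renew."""
        claims = verify_signature(token, self._key)
        if claims["exp"] <= now:
            raise TokenRejected("expired")
        if claims["id"] in self._cancelled:
            raise TokenRejected("cancelled")
        return claims

    def validate(self, token: str, now: float) -> dict:
        return self._check(token, now)

    def renew(self, token: str, lifetime_s: int, now: float) -> str:
        claims = self._check(token, now)
        return self.issue(claims["sub"], lifetime_s, now)

    def cancel(self, token: str) -> None:
        """Cancel binding: record the id locally. The token bytes are unchanged,
        so a relying party that only verifies the signature cannot notice."""
        claims = verify_signature(token, self._key)
        self._cancelled.add(claims["id"])


def provider_accepts(token: str, key: bytes, now: float, sts: STS = None) -> bool:
    """WS provider decision. Without `sts` it can only check signature and
    expiry locally; with `sts` it validates at the issuer (Validate binding)."""
    try:
        if sts is None:
            return verify_signature(token, key)["exp"] > now
        sts.validate(token, now)
        return True
    except TokenRejected:
        return False


def demo() -> dict:
    """Constructed scenario: consumer obtains a token, sends it, then cancels it."""
    key = secrets.token_bytes(32)
    sts = STS(key)
    now = time.time()
    token = sts.issue("alice", 300, now)
    results = {"local_check_before_cancel": provider_accepts(token, key, now)}
    sts.cancel(token)  # the consumer may cancel at any point after sending the token
    # A purely local check still passes: valid signature, not expired.
    results["local_check_after_cancel"] = provider_accepts(token, key, now)
    # Validating at the issuer sees the cancelled state.
    results["issuer_check_after_cancel"] = provider_accepts(token, key, now, sts=sts)
    try:
        sts.renew(token, 300, now)
        results["renew_after_cancel"] = True
    except TokenRejected:
        results["renew_after_cancel"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

The gap between `local_check_after_cancel` and `issuer_check_after_cancel` is exactly why the proposed wording ends with "If a client needs to ensure the validity of a token, it must validate the token at the issuer": with cancellation local to the STS and revocation out of scope, signature and expiry alone say nothing about whether a token has been cancelled.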