[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: NEW Issue: When to include a token?
PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSISON THREAD UNTIL THE ISSUE IS ASSIGNED A NUMBER. The issues coordinators will notify the list when that has occurred. Protocol: ws-sp ws-securitypolicy-1.2-spec-ed-01-r03-diff.pdf Artifact: spec Type: design Title: When to include a token? Description: Using token inclusion values (chap 5.1.1) one can specify when to include a token. On the other hand in chap 5.3.3 X509Token Assertion there are ways defined how to reference a X509 token. For example if "RequireIssuerSerialReference" is set and the inclusion value is "always": shall the token be included in the message? Which token shall the receipient take - the included one or the referenced? With respect to the WS Security specification I interpret the inclusion value "always*" or "once" without any additional "Require*" assertion as "include the token as a BinarySecurityToken and reference it using a Reference in the SecruityTokenReference". Is this a correct interpretation? Also, with respect to WSS how to interpret or act on the RequireEmbeddedRefernce assertion? WSS does not specify an "embedded" mechanism for X509 certificates. Related issues: none Proposed Resolution: Clarify behaviour of the "token inclusion" and "token reference" interworking to avoid misinterpretations and probable interop problems. Werner Dittmann Siemens COM MN CC BD TO mailto:Werner.Dittmann@siemens.com Tel: +49(0)89 636 50265 Mobil: +49(0)172 85 85 245