

Subject: Issue 27: When to include a token?


This is now logged as issue 27.

Marc Goodner
Technical Diplomat
Microsoft Corporation
Tel: (425) 703-1903
Blog: http://spaces.msn.com/mrgoodner/ 


-----Original Message-----
From: Dittmann, Werner [mailto:werner.dittmann@siemens.com] 
Sent: Thursday, February 09, 2006 12:12 AM
To: ws-sx@lists.oasis-open.org
Cc: Marc Goodner
Subject: NEW Issue: When to include a token?

PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL
THE ISSUE IS ASSIGNED A NUMBER.

The issues coordinators will notify the list when that has occurred.

Protocol:  ws-sp
ws-securitypolicy-1.2-spec-ed-01-r03-diff.pdf

Artifact:  spec

Type: design

Title: When to include a token?

Description:

Using token inclusion values (chap 5.1.1) one can specify when to
include a token. On the other hand in chap 5.3.3 X509Token Assertion
there are ways defined how to reference an X509 token. For example
if "RequireIssuerSerialReference" is set and the inclusion value is
"always": shall the token be included in the message? Which token
shall the recipient take - the included one or the referenced?

With respect to the WS Security specification I interpret the
inclusion value "always*" or "once" without any additional "Require*"
assertion as "include the token as a BinarySecurityToken and reference
it using a Reference in the SecurityTokenReference". Is this a correct
interpretation?

Also, with respect to WSS how to interpret or act on the
RequireEmbeddedReference assertion? WSS does not specify an "embedded"
mechanism for X509 certificates.

Related issues:
none

Proposed Resolution:

Clarify behaviour of the "token inclusion" and "token reference"
interworking to avoid misinterpretations and probable interop problems.


Werner Dittmann
Siemens COM MN CC BD TO
mailto:Werner.Dittmann@siemens.com
Tel:   +49(0)89 636 50265
Mobil: +49(0)172 85 85 245
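
The combination this issue asks about, as an added example that is not part of the original message or of the specification: a small check that flags X509Token assertions which both include the token and carry a Require*Reference assertion. The sample policy is constructed, and its namespace URIs are an assumption taken from the published WS-SecurityPolicy 1.2 (the editor's draft under discussion may use others), so the check matches on local names only.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy (not from the message). Namespace URIs are assumed
# from the published WS-SecurityPolicy 1.2; the check ignores namespaces.
SAMPLE_POLICY = """\
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Always">
    <wsp:Policy>
      <sp:RequireIssuerSerialReference/>
    </wsp:Policy>
  </sp:X509Token>
  <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
    <wsp:Policy>
      <sp:RequireIssuerSerialReference/>
    </wsp:Policy>
  </sp:X509Token>
</wsp:Policy>
"""


def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def find_ambiguous_x509_tokens(policy_xml):
    """Return (inclusion value, [Require*Reference names]) for every X509Token
    that sets an inclusion value other than Never and a Require*Reference."""
    findings = []
    for elem in ET.fromstring(policy_xml).iter():
        if local(elem.tag) != "X509Token":
            continue
        # Last path segment of the IncludeToken URI, e.g. "Always" or "Never".
        inclusion = next((v.rsplit("/", 1)[-1] for k, v in elem.attrib.items()
                          if local(k) == "IncludeToken"), None)
        refs = [local(d.tag) for d in elem.iter()
                if local(d.tag).startswith("Require")
                and local(d.tag).endswith("Reference")]
        # An absent IncludeToken attribute is not evaluated by this check.
        if inclusion not in (None, "Never") and refs:
            findings.append((inclusion, refs))
    return findings


if __name__ == "__main__":
    for inclusion, refs in find_ambiguous_x509_tokens(SAMPLE_POLICY):
        print(f"X509Token IncludeToken={inclusion} also sets {', '.join(refs)}")
```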

