

Subject: RE: [ws-sx] Issue 27: When to include a token?


Comments inline

Cheers

Gudge 

> -----Original Message-----
> From: Marc Goodner [mailto:mgoodner@microsoft.com] 
> Sent: 09 February 2006 20:43
> To: Dittmann, Werner; ws-sx@lists.oasis-open.org
> Subject: [ws-sx] Issue 27: When to include a token?
> 
> This is now logged as issue 27.
> 
> Marc Goodner
> Technical Diplomat
> Microsoft Corporation
> Tel: (425) 703-1903
> Blog: http://spaces.msn.com/mrgoodner/ 
> 
> 
> -----Original Message-----
> From: Dittmann, Werner [mailto:werner.dittmann@siemens.com] 
> Sent: Thursday, February 09, 2006 12:12 AM
> To: ws-sx@lists.oasis-open.org
> Cc: Marc Goodner
> Subject: NEW Issue: When to include a token?
> 
> PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL
> THE ISSUE IS ASSIGNED A NUMBER.
> 
> The issues coordinators will notify the list when that has occurred.
> 
> Protocol:  ws-sp
> ws-securitypolicy-1.2-spec-ed-01-r03-diff.pdf
> 
> Artifact:  spec
> 
> Type: design
> 
> Title: When to include a token?
> 
> Description:
> 
> Using token inclusion values (chap 5.1.1) one can specify when to
> include a token. On the other hand in chap 5.3.3 X509Token Assertion
> there are ways defined how to reference an X509 token. For example
> if "RequireIssuerSerialReference" is set and the inclusion value is
> "always": shall the token be included in the message? Which token
> shall the recipient take - the included one or the referenced?

[MJG]
I believe that inclusion requirements and reference requirements are
orthogonal. In your example above, I would expect the X509 cert to be
carried in the message and for its IssuerSerial to match that in the
IssuerSerial in any referencing STR.

> 
> With respect to the WS Security specification I interpret the
> inclusion value "always*" or "once" without any additional "Require*"
> assertion as "include the token as a BinarySecurityToken and reference
> it using a Reference in the SecurityTokenReference". Is this a correct
> interpretation?

[MJG]
Include the token in the message and reference it using a Direct
Reference from the STR (e.g. reference to a wsu:Id in the case of, for
example, a Username token).

> 
> Also, with respect to WSS how to interpret or act on the
> RequireEmbeddedReference assertion? WSS does not specify an "embedded"
> mechanism for X509 certificates.

[MJG]
I thought embedded was defined as the token appearing verbatim inside
wsse:Embedded inside wsse:SecurityTokenReference but perhaps my memory
is faulty.

> 
> Related issues:
> none
> 
> Proposed Resolution:
> 
> Clarify behaviour of the "token inclusion" and "token reference"
> interworking to avoid misinterpretations and probable interop 
> problems.
> 
> 
> Werner Dittmann
> Siemens COM MN CC BD TO
> mailto:Werner.Dittmann@siemens.com
> Tel:   +49(0)89 636 50265
> Mobil: +49(0)172 85 85 245
> 
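
Added example, not part of the original message or of the WS-SX specifications: a receiver-side check for the case discussed in this thread, where a token is carried in the message and the SecurityTokenReference points at it either by Direct Reference or by IssuerSerial. The cert_info map is an assumption standing in for parsing the included certificates, and SAMPLE is a constructed header with a placeholder instead of a real certificate.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: the certificate is carried in the message (inclusion)
# and the STR points at it by IssuerSerial (reference form).
SAMPLE = f"""<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">
  <wsse:BinarySecurityToken wsu:Id="x509-1">PLACEHOLDER-CERT</wsse:BinarySecurityToken>
  <wsse:SecurityTokenReference><ds:X509Data><ds:X509IssuerSerial>
    <ds:X509IssuerName>CN=Example CA</ds:X509IssuerName>
    <ds:X509SerialNumber>4660</ds:X509SerialNumber>
  </ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference>
</wsse:Security>"""


def q(ns, name):
    """Build an ElementTree qualified name."""
    return f"{{{ns}}}{name}"


def resolve_str(security, cert_info):
    """Return (reference_kind, wsu:Id of the included token) for the first STR.

    cert_info maps wsu:Id -> (issuer_name, serial) and stands in for parsing
    the included certificates (assumption). Raises ValueError when the
    reference does not resolve to exactly one included token.
    """
    tokens = {t.get(q(WSU, "Id")) for t in security.findall(q(WSSE, "BinarySecurityToken"))}
    ref = security.find(q(WSSE, "SecurityTokenReference"))
    if ref is None:
        raise ValueError("no SecurityTokenReference")
    direct = ref.find(q(WSSE, "Reference"))
    if direct is not None:  # Direct Reference: URI="#<wsu:Id>"
        uri = direct.get("URI", "")
        if not uri.startswith("#") or uri[1:] not in tokens:
            raise ValueError("direct reference does not resolve")
        return ("direct", uri[1:])
    serial = ref.find(f"{q(DS, 'X509Data')}/{q(DS, 'X509IssuerSerial')}")
    if serial is not None:  # IssuerSerial must match one included certificate
        # Plain string comparison of the issuer DN is a simplification.
        wanted = (serial.findtext(q(DS, "X509IssuerName"), "").strip(),
                  int(serial.findtext(q(DS, "X509SerialNumber"), "")))
        hits = [tid for tid in tokens if cert_info.get(tid) == wanted]
        if len(hits) != 1:
            raise ValueError("IssuerSerial matches no single included token")
        return ("issuer-serial", hits[0])
    raise ValueError("unsupported reference form")
```

Rejecting the message when the IssuerSerial matches no included token, or more than one, is a design choice of this example; it removes the ambiguity about which token the recipient uses.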

