Subject: RE: [ws-sx] Issue 27: When to include a token?
Comments inline

Cheers

Gudge

> -----Original Message-----
> From: Marc Goodner [mailto:email@example.com]
> Sent: 09 February 2006 20:43
> To: Dittmann, Werner; firstname.lastname@example.org
> Subject: [ws-sx] Issue 27: When to include a token?
>
> This is now logged as issue 27.
>
> Marc Goodner
> Technical Diplomat
> Microsoft Corporation
> Tel: (425) 703-1903
> Blog: http://spaces.msn.com/mrgoodner/
>
>
> -----Original Message-----
> From: Dittmann, Werner [mailto:email@example.com]
> Sent: Thursday, February 09, 2006 12:12 AM
> To: firstname.lastname@example.org
> Cc: Marc Goodner
> Subject: NEW Issue: When to include a token?
>
> PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL
> THE ISSUE IS ASSIGNED A NUMBER.
>
> The issues coordinators will notify the list when that has occurred.
>
> Protocol: ws-sp
> ws-securitypolicy-1.2-spec-ed-01-r03-diff.pdf
>
> Artifact: spec
>
> Type: design
>
> Title: When to include a token?
>
> Description:
>
> Using token inclusion values (chap 5.1.1) one can specify when to
> include a token. On the other hand in chap 5.3.3 X509Token Assertion
> there are ways defined how to reference an X509 token. For example
> if "RequireIssuerSerialReference" is set and the inclusion value is
> "always": shall the token be included in the message? Which token
> shall the recipient take - the included one or the referenced?

[MJG] I believe that inclusion requirements and reference requirements are orthogonal. In your example above, I would expect the X509 cert to be carried in the message and for its IssuerSerial to match that in the IssuerSerial in any referencing STR.

>
> With respect to the WS Security specification I interpret the
> inclusion value "always*" or "once" without any additional "Require*"
> assertion as "include the token as a BinarySecurityToken and reference
> it using a Reference in the SecurityTokenReference". Is this a correct
> interpretation?

[MJG] Include the token in the message and reference it using a Direct Reference from the STR (e.g. reference to a wsu:Id in the case of, for example, a Username token).

>
> Also, with respect to WSS how to interpret or act on the
> RequireEmbeddedReference assertion? WSS does not specify an "embedded"
> mechanism for X509 certificates.

[MJG] I thought embedded was defined as the token appearing verbatim inside wsse:Embedded inside wsse:SecurityTokenReference but perhaps my memory is faulty.

>
> Related issues:
> none
>
> Proposed Resolution:
>
> Clarify behaviour of the "token inclusion" and "token reference"
> interworking to avoid misinterpretations and probable interop
> problems.
>
>
> Werner Dittmann
> Siemens COM MN CC BD TO
> mailto:Werner.Dittmann@siemens.com
> Tel: +49(0)89 636 50265
> Mobil: +49(0)172 85 85 245
>
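The three reference forms discussed in this thread (Direct Reference to a wsu:Id, wsse:Embedded, and X509IssuerSerial) can be told apart and resolved by a receiver as in the following added example, which is not part of the original messages or of the specification. The function name `resolve_str`, the sample header, its ids and the placeholder token text are assumptions made for illustration; the code does not parse X.509, so comparing a returned issuer/serial pair against the included certificate is left to the caller.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"wsse": WSSE, "wsu": WSU, "ds": DS}

# Constructed sample header; token bodies are placeholders, not real certificates.
SAMPLE = f"""<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">
  <wsse:BinarySecurityToken wsu:Id="tok-1">PLACEHOLDER-CERT</wsse:BinarySecurityToken>
  <wsse:SecurityTokenReference wsu:Id="direct"><wsse:Reference URI="#tok-1"/></wsse:SecurityTokenReference>
  <wsse:SecurityTokenReference wsu:Id="dangling"><wsse:Reference URI="#missing"/></wsse:SecurityTokenReference>
  <wsse:SecurityTokenReference wsu:Id="embedded"><wsse:Embedded>
    <wsse:BinarySecurityToken>PLACEHOLDER-EMBEDDED</wsse:BinarySecurityToken>
  </wsse:Embedded></wsse:SecurityTokenReference>
  <wsse:SecurityTokenReference wsu:Id="issuer-serial"><ds:X509Data><ds:X509IssuerSerial>
    <ds:X509IssuerName>CN=Example CA</ds:X509IssuerName>
    <ds:X509SerialNumber>4660</ds:X509SerialNumber>
  </ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference>
</wsse:Security>"""
SECURITY = ET.fromstring(SAMPLE)

def resolve_str(security, str_id):
    """Return (kind, value) for the SecurityTokenReference whose wsu:Id is str_id."""
    ids = {}
    for el in security.iter():
        wid = el.get(f"{{{WSU}}}Id")
        if wid is not None:
            if wid in ids:  # ambiguous ids make a Direct Reference unsafe to follow
                raise ValueError(f"duplicate wsu:Id {wid!r}")
            ids[wid] = el
    ref = ids[str_id]
    direct = ref.find("wsse:Reference", NS)
    if direct is not None:  # Direct Reference: token must be included in the message
        uri = direct.get("URI", "")
        target = ids.get(uri[1:]) if uri.startswith("#") else None
        if target is None:
            raise LookupError(f"Direct Reference {uri!r} does not resolve to an included token")
        return "direct", target.text.strip()
    emb = ref.find("wsse:Embedded", NS)
    if emb is not None and len(emb):  # token appears verbatim inside wsse:Embedded
        return "embedded", emb[0].text.strip()
    iss = ref.find("ds:X509Data/ds:X509IssuerSerial", NS)
    if iss is not None:  # names a certificate; caller matches it against the included one
        return "issuer-serial", (iss.findtext("ds:X509IssuerName", namespaces=NS).strip(),
                                 int(iss.findtext("ds:X509SerialNumber", namespaces=NS)))
    raise ValueError("unsupported reference form")
```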