OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

ws-sx message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: AW: [ws-sx] Issue 30: Need a mechanism to identify token assertions

Thanks for the better wording to make it more clear.

Yes, somthing like that. Another example would be
that a purchase order needs to be signed by two different
entities (users). In the sense of
"two different entities endorse this message".

Regards,
Werner


> -----Ursprüngliche Nachricht-----
> Von: Tony Gullotta [mailto:tony.gullotta@soa.com] 
> Gesendet: Donnerstag, 23. Februar 2006 18:55
> An: Dittmann, Werner; ws-sx@lists.oasis-open.org
> Betreff: RE: [ws-sx] Issue 30: Need a mechanism to identify 
> token assertions
> 
> Are you trying to indicate that these two tokens represent 
> different identities (users)? So you are trying to give 
> consumers an idea of which identity must sign? Maybe 
> something like an end-user vs a sponsor or application entity?
> 
> Tony
> 
> -----Original Message-----
> From: Dittmann, Werner [mailto:werner.dittmann@siemens.com] 
> Sent: Monday, February 20, 2006 4:22 AM
> To: ws-sx@lists.oasis-open.org
> Subject: AW: [ws-sx] Issue 30: Need a mechanism to identify 
> token assertions
> 
> To put an example on this issue pls have a look to the 
> attached file. It contains a WSP with several tokens at 
> different levels.
> 
> The policy defines two SignedEndorsingSupportTokens (SEST). 
> Each SEST signs a different part of the message. Because two 
> SEST are defined it is save to assume that different tokens 
> are required to sign the required parts (otherwise one SEST 
> token with two Header assertions in SignedParts would be 
> used). An implementation that creates the message according 
> to the policy needs to associate the different tokens to the 
> correct SEST. As it stands now this is not possible - the 
> implementation has no "anchor" into the policy to populate 
> the tokens. IMHO we need to have a way to identify the tokens 
> (the X.509, Username etc.).
> 
> Regards,
> Werner
> 
> > -----Ursprüngliche Nachricht-----
> > Von: Dittmann, Werner
> > Gesendet: Donnerstag, 16. Februar 2006 09:30
> > An: Martin Gudgin; Marc Goodner; ws-sx@lists.oasis-open.org
> > Betreff: AW: [ws-sx] Issue 30: Need a mechanism to identify token 
> > assertions
> > 
> > Hmm, I cannot fully agree to that. In particular  at the 
> client side 
> > we need to know which specific token to use to populate a token 
> > required by WSP.
> > 
> > For example, if there are several supporting tokens that 
> each require 
> > a different X.509 certificate then the implementation must 
> somehow be 
> > able to identify the token to associate the correct 
> certificate to the 
> > token.
> > 
> > As concrete example: a policy requires two endorsing tokens, each 
> > endorses different parts of a message. To do so the WSP 
> implementation 
> > shall be able to identify the tokens and use some method to get the 
> > correct certificates to sign the message parts. The WSP 
> method would 
> > get the token identifier, hands it to the "get certificate" 
> method to 
> > get the certificate. Agreed, how to link the token 
> identifer with the 
> > certficates is internal to the implementation (this could 
> be even some 
> > GUI that interactcts with a person to)
> > 
> > Or am I somehow off track here?
> > 
> > Regards,
> > Werner
> > 
> > > -----Ursprüngliche Nachricht-----
> > > Von: Martin Gudgin [mailto:mgudgin@microsoft.com]
> > > Gesendet: Mittwoch, 15. Februar 2006 00:25
> > > An: Marc Goodner; Dittmann, Werner; ws-sx@lists.oasis-open.org
> > > Betreff: RE: [ws-sx] Issue 30: Need a mechanism to identify token 
> > > assertions
> > > 
> > > Comments inline
> > > 
> > > Cheers
> > > 
> > > Gudge
> > > 
> > > > -----Original Message-----
> > > > From: Marc Goodner [mailto:mgoodner@microsoft.com]
> > > > Sent: 09 February 2006 20:49
> > > > To: Dittmann, Werner; ws-sx@lists.oasis-open.org
> > > > Subject: [ws-sx] Issue 30: Need a mechanism to identify token 
> > > > assertions
> > > > 
> > > > This is now logged as issue 30.
> > > > 
> > > > Marc Goodner
> > > > Technical Diplomat
> > > > Microsoft Corporation
> > > > Tel: (425) 703-1903
> > > > Blog: http://spaces.msn.com/mrgoodner/
> > > > 
> > > > 
> > > > -----Original Message-----
> > > > From: Dittmann, Werner [mailto:werner.dittmann@siemens.com]
> > > > Sent: Thursday, February 09, 2006 12:17 AM
> > > > To: ws-sx@lists.oasis-open.org
> > > > Cc: Marc Goodner
> > > > Subject: NEW Issue: Need a mechanism to identify token 
> assertions
> > > > 
> > > > PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSISON
> > > THREAD UNTIL
> > > > THE ISSUE IS ASSIGNED A NUMBER.
> > > > 
> > > > The issues coordinators will notify the list when that
> > has occurred.
> > > > 
> > > > Protocol:  ws-sp
> > > > ws-securitypolicy-1.2-spec-ed-01-r03-diff.pdf
> > > > 
> > > > Artifact:  spec
> > > > 
> > > > Type: design
> > > > 
> > > > Title: Need a mechanism to identify token assertions
> > > > 
> > > > Description: 
> > > > 
> > > > An implementation that uses Security Policy Language has
> > to know how
> > > > to populate the required tokens, e.g. UsernameToken or X509 
> > > > tokens. Because a policy file usually contains several token 
> > > > assertions there should be a mechanism avaliable to
> > identify a token
> > > > assertion.
> > > > 
> > > > For example if a policy requires two UsernameToken in a 
> supporting 
> > > > token the application that creates the message needs a way
> > > to link the
> > > > different UsernameToken assertions to the user data 
> records that 
> > > > contains username, password, etc. To do so the 
> application shall 
> > > > be able to identify the UsernameToken and use this 
> identifier as a
> > link to the
> > > > user data record. 
> > > > 
> > > > Simliar mechanisms are required to locate the correct X509
> > > certificate
> > > > in a keystore, for example. 
> > > 
> > > [MJG]
> > > While I agree that a service needs to be able to 
> distinguish between 
> > > such tokens and potentially locate such tokens on it's 
> side, I don't 
> > > believe WS-SecurityPolicy should specify such things. They are 
> > > internal implementation details that the client need not be aware 
> > > of.
> > > 
> > > > 
> > > > Related issues:
> > > > none
> > > > 
> > > > Proposed Resolution:
> > > > 
> > > > Add an Id or name attribute or to token assertions.  Any
> > other ideas
> > > > how to identify token in a Poliy file and associated them
> > with real
> > > > user/alias data?
> > > > 
> > > > Werner Dittmann
> > > > Siemens COM MN CC BD TO
> > > > mailto:Werner.Dittmann@siemens.com
> > > > Tel:   +49(0)89 636 50265
> > > > Mobil: +49(0)172 85 85 245
> > > > 
> > > 
> > 
>

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]