Subject: RE: [ws-sx] Issue 27: When to include a token?


I've not seen any further discussion on this, so I'll just state that it's my understanding that the WSS 1.0 and 1.1 Core specs define a mechanism for embedding any type of token inside a Security Token Reference. There is no need for a token profile to explicitly call out the embedded reference form.

Gudge

> -----Original Message-----
> From: Martin Gudgin [mailto:mgudgin@microsoft.com] 
> Sent: 20 February 2006 15:34
> To: Dittmann, Werner; Marc Goodner; ws-sx@lists.oasis-open.org
> Subject: RE: [ws-sx] Issue 27: When to include a token?
> 
> Hmm, by that token[sic] only SAML tokens can appear in 
> wsse:Embedded as none of the other token profiles make 
> explicit mention of embedded. 
> 
> Was this really the intention of the WSS TC?
> 
> Gudge
> 
> > -----Original Message-----
> > From: Dittmann, Werner [mailto:werner.dittmann@siemens.com] 
> > Sent: 19 February 2006 23:36
> > To: Martin Gudgin; Marc Goodner; ws-sx@lists.oasis-open.org
> > Subject: AW: [ws-sx] Issue 27: When to include a token?
> > 
> > Regarding the WSS 1.0 section 7.4 you are right. 
> > 
> > The WSS 1.0 X.509 token profile restricts token references
> > to:
> > - Subject Key Identifier
> > - Direct reference using a URI 
> > - Issuer and Serial number 
> > 
> > IMHO the profile description takes precedence.
> > 
> > Regards,
> > Werner
> > 
> > > -----Original Message-----
> > > From: Martin Gudgin [mailto:mgudgin@microsoft.com] 
> > > Sent: Monday, 20 February 2006 02:39
> > > To: Dittmann, Werner; Marc Goodner; ws-sx@lists.oasis-open.org
> > > Subject: RE: [ws-sx] Issue 27: When to include a token?
> > > 
> > > I looked at WSS 1.0[1] and section 7.4 seems to describe a 
> > > mechanism for embedding *any* token type. By my reading of 
> > > that section, an embedded X509 cert would look something like:
> > > 
> > > <wsse:SecurityTokenReference>
> > >  <wsse:Embedded>
> > >   <wsse:BinarySecurityToken ValueType='wsse:X509v3' 
> > > EncodingType='wsse:Base64Binary' >
> > >   ...
> > >   </wsse:BinarySecurityToken>
> > >  </wsse:Embedded>
> > > </wsse:SecurityTokenReference>
> > > 
> > > Gudge
> > > 
> > > [1] 
> > > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-m
> > > essage-security-1.0.pdf
> > > 
> > > > -----Original Message-----
> > > > From: Dittmann, Werner [mailto:werner.dittmann@siemens.com] 
> > > > Sent: 16 February 2006 00:15
> > > > To: Martin Gudgin; Marc Goodner; ws-sx@lists.oasis-open.org
> > > > Subject: AW: [ws-sx] Issue 27: When to include a token?
> > > > 
> > > > Some comments inline.
> > > > 
> > > > Regards,
> > > > Werner
> > > > 
> > > > > -----Original Message-----
> > > > > From: Martin Gudgin [mailto:mgudgin@microsoft.com] 
> > > > > Sent: Tuesday, 14 February 2006 23:55
> > > > > To: Marc Goodner; Dittmann, Werner; ws-sx@lists.oasis-open.org
> > > > > Subject: RE: [ws-sx] Issue 27: When to include a token?
> > > > > 
> > > > > Comments inline
> > > > > 
> > > > > Cheers
> > > > > 
> > > > > Gudge 
> > > > > 
> > > > > > -----Original Message-----
> > > > > > From: Marc Goodner [mailto:mgoodner@microsoft.com] 
> > > > > > Sent: 09 February 2006 20:43
> > > > > > To: Dittmann, Werner; ws-sx@lists.oasis-open.org
> > > > > > Subject: [ws-sx] Issue 27: When to include a token?
> > > > > > 
> > > > > > This is now logged as issue 27.
> > > > > > 
> > > > > > Marc Goodner
> > > > > > Technical Diplomat
> > > > > > Microsoft Corporation
> > > > > > Tel: (425) 703-1903
> > > > > > Blog: http://spaces.msn.com/mrgoodner/ 
> > > > > > 
> > > > > > 
> > > > > > -----Original Message-----
> > > > > > From: Dittmann, Werner [mailto:werner.dittmann@siemens.com] 
> > > > > > Sent: Thursday, February 09, 2006 12:12 AM
> > > > > > To: ws-sx@lists.oasis-open.org
> > > > > > Cc: Marc Goodner
> > > > > > Subject: NEW Issue: When to include a token?
> > > > > > 
> > > > > > PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL
> > > > > > THE ISSUE IS ASSIGNED A NUMBER.
> > > > > > 
> > > > > > The issues coordinators will notify the list when that has occurred.
> > > > > > 
> > > > > > Protocol:  ws-sp
> > > > > > ws-securitypolicy-1.2-spec-ed-01-r03-diff.pdf
> > > > > > 
> > > > > > Artifact:  spec
> > > > > > 
> > > > > > Type: design
> > > > > > 
> > > > > > Title: When to include a token?
> > > > > > 
> > > > > > Description:
> > > > > > 
> > > > > > Using token inclusion values (chap 5.1.1) one can specify when to
> > > > > > include a token. On the other hand in chap 5.3.3 X509Token Assertion
> > > > > > there are ways defined how to reference a X509 token. For example
> > > > > > if "RequireIssuerSerialReference" is set and the inclusion value is
> > > > > > "always": shall the token be included in the message? Which token
> > > > > > shall the recipient take - the included one or the referenced?
> > > > > 
> > > > > [MJG]
> > > > > I believe that inclusion requirements and reference requirements are
> > > > > orthogonal. In your example above, I would expect the X509 cert to be
> > > > > carried in the message and for its IssuerSerial to match that in the
> > > > > IssuerSerial in any referencing STR.
> > > > 
> > > > [WD]
> > > > Can agree. However, we had such a use case during some discussions on
> > > > the WS Security list (and we actually had code in place that provided
> > > > such a mechanism) but somehow the discussion showed that this usage
> > > > should be avoided (can't remember the reasons for it, it's about 1 year
> > > > ago). 
> > > > 
> > > > > > 
> > > > > > With respect to the WS Security specification I interpret the
> > > > > > inclusion value "always*" or "once" without any additional "Require*"
> > > > > > assertion as "include the token as a BinarySecurityToken and reference
> > > > > > it using a Reference in the SecurityTokenReference". Is this a correct
> > > > > > interpretation?
> > > > > 
> > > > > [MJG]
> > > > > Include the token in the message and reference it using a Direct
> > > > > Reference from the STR (e.g. reference to a wsu:Id in the case of, for
> > > > > example, a Username token ).
> > > > > 
> > > > > > 
> > > > > > Also, with respect to WSS how to interpret or act on the
> > > > > > RequireEmbeddedReference assertion? WSS does not specify an "embedded"
> > > > > > mechanism for X509 certificates.
> > > > > 
> > > > > [MJG]
> > > > > I thought embedded was defined as the token appearing verbatim inside
> > > > > wsse:Embedded inside wsse:SecurityTokenReference but perhaps my memory
> > > > > is faulty.
> > > > >
> > > > [WD] Yes, some time ago in the first draft specs of WS Security there was
> > > > an identifier for such a behaviour. The current versions don't support that
> > > > any more, AFAIK.
> > > > 
> > > > > > 
> > > > > > Related issues:
> > > > > > none
> > > > > > 
> > > > > > Proposed Resolution:
> > > > > > 
> > > > > > Clarify behaviour of the "token inclusion" and "token reference"
> > > > > > interworking to avoid misinterpretations and probable interop
> > > > > > problems.
> > > > > > 
> > > > > > 
> > > > > > Werner Dittmann
> > > > > > Siemens COM MN CC BD TO
> > > > > > mailto:Werner.Dittmann@siemens.com
> > > > > > Tel:   +49(0)89 636 50265
> > > > > > Mobil: +49(0)172 85 85 245
> > > > > > 
> > > > > 
> > > > 
> > > 
> > 
> 
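The two STR forms the thread argues about (a Direct Reference to a carried BinarySecurityToken by wsu:Id, and a token carried verbatim inside wsse:Embedded per WSS 1.0 section 7.4) are shown below in an added example; it is not code from this thread or from any OASIS deliverable. The namespace URIs are the WSS 1.0 ones, the Security header is constructed with the certificate bytes elided, and the resolver refuses a reference that is ambiguous or whose ValueType disagrees with the token it points at, which is the consistency check a receiver wants before trusting the referenced certificate.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
NS = {"wsse": WSSE, "wsu": WSU}
TOKEN, ID = f"{{{WSSE}}}BinarySecurityToken", f"{{{WSU}}}Id"

# Constructed sample header (certificate bytes elided): one token carried at the top level and
# referenced directly by wsu:Id, plus a second token carried verbatim inside wsse:Embedded.
SAMPLE = f"""<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
  <wsse:BinarySecurityToken wsu:Id="cert-1" ValueType="{X509V3}">MIIB...</wsse:BinarySecurityToken>
  <wsse:SecurityTokenReference wsu:Id="str-direct">
    <wsse:Reference URI="#cert-1" ValueType="{X509V3}"/>
  </wsse:SecurityTokenReference>
  <wsse:SecurityTokenReference wsu:Id="str-embedded">
    <wsse:Embedded>
      <wsse:BinarySecurityToken wsu:Id="cert-2" ValueType="{X509V3}">MIIC...</wsse:BinarySecurityToken>
    </wsse:Embedded>
  </wsse:SecurityTokenReference>
</wsse:Security>"""

def resolve_str(security, str_elem):
    """Return (form, token element) for one STR; raise ValueError if it does not resolve cleanly."""
    ref = str_elem.find("wsse:Reference", NS)
    if ref is not None:                                   # Direct Reference form
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            raise ValueError(f"only same-document references are accepted, got {uri!r}")
        # The wsu:Id must identify exactly one token anywhere in the header: a duplicate Id
        # would let the receiver and the signer disagree about which certificate was meant.
        hits = [t for t in security.iter(TOKEN) if t.get(ID) == uri[1:]]
        if len(hits) != 1:
            raise ValueError(f"wsu:Id {uri[1:]!r} matches {len(hits)} tokens, expected exactly 1")
        if ref.get("ValueType") not in (None, hits[0].get("ValueType")):
            raise ValueError("Reference/@ValueType disagrees with the referenced token")
        return "direct", hits[0]
    emb = str_elem.find("wsse:Embedded", NS)
    if emb is not None:                                   # Embedded form (WSS 1.0 section 7.4)
        tok = emb.find("wsse:BinarySecurityToken", NS)
        if tok is None:
            raise ValueError("wsse:Embedded carries no BinarySecurityToken")
        return "embedded", tok
    raise ValueError("STR form not handled here (KeyIdentifier / X509IssuerSerial)")

def resolve_all(xml_text):
    """Map each STR's wsu:Id to (form, wsu:Id of the token it resolves to)."""
    security = ET.fromstring(xml_text)
    return {s.get(ID): (form, tok.get(ID))
            for s in security.findall("wsse:SecurityTokenReference", NS)
            for form, tok in [resolve_str(security, s)]}
```

KeyIdentifier and X509IssuerSerial references are deliberately left unresolved here, since matching them needs the certificate parsed, whereas the thread's question is about the Direct and Embedded forms.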