ws-sx message

Subject: RE: [ws-sx] Issue 41: Clarification on token propagation of SCT required


Hi Jan,

sounds good to me. So I suggest that I'll draft a proposal for the following changes to the WS-SC spec:
- Sec. 3.3: Add a paragraph that explains how the requester uses wsp:AppliesTo for Token Propagation if the STS has no prior knowledge of which parties the requester needs a token for
- Sec. 3.3: Add an SCT request example that uses wst:AppliesTo for this scenario

In addition, I think it would be helpful for the reader of the WS-Trust spec if we add a more concrete example for what these requirements on the usage of an issued token stated by the <wst:Participants> element could be in order to clarify the difference to the <wsp:AppliesTo> semantics. This may be treated as a separate issue.

What do you think?

Thanks,
Martin

-----Original Message-----
From: Jan Alexander [mailto:janalex@microsoft.com] 
Sent: Thursday, 2 March 2006 18:37
To: Marc Goodner; Raepple, Martin; ws-sx@lists.oasis-open.org
Subject: RE: [ws-sx] Issue 41: Clarification on token propagation of SCT required

Hi Martin,

There is a difference between wst:AppliesTo and wst:Participants element
semantics and I don't think they can be listed as alternatives. 

AFAIK wst:AppliesTo is used to determine target service(s) for which the
initiator is planning to use the issued SCT whereas wst:Participants
puts additional requirements on the token in terms of who can use the
issued token. In other words, those two elements are orthogonal.

This being said, I think the semantics provided by the wst:AppliesTo
element are what you are looking for in section 3.2.

The current example uses neither the wst:AppliesTo nor the
wst:Participants element. This means that the context of the issued
token is implied according to WS-Trust.

I propose to change this issue from:

<Quote>
From the quotes above, my guess is that WS-SC should refer to the
Authorized Token Participants extension element for the RST and should
give an example or enhance the existing SCT Request Example (section
3.2, lines 323 ff) in section 3.3 of the WS-SC spec.
</Quote>

To:

<Quote>
WS-SC should refer to the wst:AppliesTo element for RST and RSTR and
should give an example or enhance the existing SCT Request Example
(section 3.2, lines 323 ff) and SCT propagation example (section 3.3,
lines 399 ff) to include usage of wst:AppliesTo element.
</Quote>

Does this sound reasonable?

Thanks,
--Jan

-----Original Message-----
From: Marc Goodner [mailto:mgoodner@microsoft.com] 
Sent: Monday, February 27, 2006 10:50 AM
To: martin.raepple@sap.com; ws-sx@lists.oasis-open.org
Subject: [ws-sx] Issue 41: Clarification on token propagation of SCT
required

This is now logged as issue 41.

-----Original Message-----
From: martin.raepple@sap.com [mailto:martin.raepple@sap.com] 
Sent: Monday, February 27, 2006 5:16 AM
To: ws-sx@lists.oasis-open.org
Cc: Marc Goodner
Subject: [ws-sx] NEW Issue: Clarification on token propagation of SCT
required

PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL
THE ISSUE IS ASSIGNED A NUMBER.
The issues coordinators will notify the list when that has occurred.

Protocol:  ws-trust / ws-sc

ws-secureconversation-1.3-spec-ed-01-r03-diff.doc

Artifact:  spec

Type:

design

Title:

Clarification on token propagation of SCT required when STS has no prior
knowledge of which parties the requester needs a token for.

Description:

WS-SC defines SCT token propagation in order to distribute an SCT and
its POP token to the requester (context initiator) and the other parties
(endpoint for secured requests). Section 3 (lines 255 ff), Establishing
Security Contexts, refers to the mechanisms in WS-Trust for token
propagation. If the STS has no prior knowledge of which parties the
requester needs a token for, WS-Trust provides two alternatives to
define these parties in the RST:

- wsp:AppliesTo in RST and RSTR, Section 4.2.1 (lines 677 ff):
  <quote>
  Both the requestor and the issuer can specify a scope for the issued
token using the <wsp:AppliesTo> element.
  </quote>
  wsp:AppliesTo can be used to carry wsa:EndpointReference elements
which contain endpoint URLs.

- Authorized Token Participants, Section 9.5 (lines 1969 ff): 
  <quote>
  This parameter is typically used when there are additional parties
using the token or if the requestor needs to clarify the actual parties
involved (for some profile-specific reason).
  </quote>
  wst:ParticipantType can contain an arbitrary structure according to
the ws-trust XSD.

From the quotes above, my guess is that WS-SC should refer to the
Authorized Token Participants extension element for the RST and should
give an example or enhance the existing SCT Request Example (section
3.2, lines 323 ff) in section 3.3 of the WS-SC spec.

Related issues:


Proposed Resolution:


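The distinction the thread turns on, wsp:AppliesTo scoping an SCT to a target service while wst:Participants separately lists who may use it, shown as an added example (not taken from the WS-SC or WS-Trust specs or from anyone on the thread). The namespace URIs and the SCT token type URI are assumed from the 1.3 specifications; the endpoint addresses are constructed. The STS-side check at the end is one mitigation a token issuer can apply when it has no prior knowledge of the requester's targets: refuse to issue an SCT whose scope is absent or names a service it does not know.

```python
import xml.etree.ElementTree as ET

# Namespace URIs assumed from WS-Trust 1.3, WS-Policy and WS-Addressing (not stated on the page).
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSA = "http://www.w3.org/2005/08/addressing"
SCT_TOKEN_TYPE = "http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct"

# Constructed SCT request: wsp:AppliesTo scopes the token to the target service,
# wst:Participants separately names the parties authorized to use it (orthogonal, as the thread says).
RST_XML = f"""<wst:RequestSecurityToken xmlns:wst="{WST}" xmlns:wsp="{WSP}" xmlns:wsa="{WSA}">
  <wst:TokenType>{SCT_TOKEN_TYPE}</wst:TokenType>
  <wst:RequestType>{WST}/Issue</wst:RequestType>
  <wsp:AppliesTo>
    <wsa:EndpointReference><wsa:Address>https://service.example.com/orders</wsa:Address></wsa:EndpointReference>
  </wsp:AppliesTo>
  <wst:Participants>
    <wst:Primary><wsa:EndpointReference><wsa:Address>https://client.example.com/app</wsa:Address></wsa:EndpointReference></wst:Primary>
    <wst:Participant><wsa:EndpointReference><wsa:Address>https://service.example.com/orders</wsa:Address></wsa:EndpointReference></wst:Participant>
  </wst:Participants>
</wst:RequestSecurityToken>"""


def parse_sct_request(xml_text):
    """Return (token type, AppliesTo addresses, Participants addresses) from an RST."""
    root = ET.fromstring(xml_text)
    token_type = root.findtext(f"{{{WST}}}TokenType")
    # Scope: endpoint addresses under wsp:AppliesTo (target services for the SCT)
    applies_to = [a.text for a in root.findall(f"{{{WSP}}}AppliesTo//{{{WSA}}}Address")]
    # Usage requirement: endpoint addresses under wst:Participants (who may use the SCT)
    participants = [a.text for a in root.findall(f"{{{WST}}}Participants//{{{WSA}}}Address")]
    return token_type, applies_to, participants


def sts_should_issue(xml_text, known_services):
    """STS-side check (hypothetical policy): issue an SCT only when the request
    carries an explicit scope and every scoped address is a service this STS knows.
    Returns (decision, reason)."""
    token_type, applies_to, _ = parse_sct_request(xml_text)
    if token_type != SCT_TOKEN_TYPE:
        return False, "not an SCT request"
    if not applies_to:
        # Without wsp:AppliesTo the scope is only implied; an STS with no prior
        # knowledge of the requester's targets cannot tell what it is issuing for.
        return False, "no wsp:AppliesTo: token scope would be implied"
    unknown = [a for a in applies_to if a not in known_services]
    if unknown:
        return False, f"unknown target service(s): {unknown}"
    return True, "scope names known service(s)"
```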