OASIS Mailing List Archives

ws-sx message



Subject: RE: [ws-sx] Issue 27: When to include a token?


Werner,

Here is an amended proposal for closing issue 27.

Cheers

Gudge

<Proposal>
Token inclusion and Token references
 
 A token assertion may carry a sp:IncludeToken attribute that requires
 that the token be included in the message. The Web Services Security
 specifications [WSS10, WSS11] define mechanisms for how tokens are
 included in a message.
 
 Several Token assertions (see Section 5.3) support mechanisms
 for referencing tokens in addition to Direct References, for example 
 external URI references or references using a Thumbprint.

 Certain combinations of sp:IncludeToken value and token reference
 assertions can result in a token appearing in a message more than
 once. For example, if a token assertion carries a sp:IncludeToken
 attribute with a value of '.../Always' and that token assertion also
 contains a nested sp:RequireEmbeddedTokenReference (see Section 5.3.3)
 assertion, then the token would be included twice in the message.
 While such combinations are not in error, they are probably best
 avoided for efficiency reasons.

 If a token assertion contains multiple reference assertions then
 references to that token are required to contain all the specified
 reference types. For example, if a token assertion contains nested
 sp:RequireIssuerSerialReference and sp:RequireThumbprintReference
 assertions then references to that token contain both reference forms.
 Again, while such combinations are not in error, they are probably
 best avoided for efficiency reasons.
</Proposal>

> -----Original Message-----
> From: Dittmann, Werner [mailto:werner.dittmann@siemens.com] 
> Sent: 03 March 2006 00:46
> To: ws-sx@lists.oasis-open.org
> Subject: AW: [ws-sx] Issue 27: When to include a token?
> 
> In response to the ACTION 2005-03-01-02 here a proposal to
> include at the end of chapter 5.1.1 (or as new chapter 5.1.2).
> 
> <proposal>
> 
> Token inclusion and Token references
> 
> A token assertion may carry a sp:IncludeToken attribute that requires
> to include a token in the message. To support this type of token
> inclusion the Web Service Security specifications [WSS10] define the
> wsse:BinarySecurityToken element that holds the included token.
> 
> Several token assertions (refer to chapter 5.3) support additional ways
> to reference tokens, for example external URI references or references
> using a Thumbprint.
> 
> A policy shall use either token inclusion or token reference. Using
> both ways in the same policy results in several token inclusions
> and/or several token references. For example if a token assertion
> carries a sp:IncludeToken attribute to include a token and defines
> wsp:RequireEmbeddedTokenReference (refer to chapter 5.3.3) the token
> would be included twice in the message.
> 
> </proposal>
> 
> Additional remark:
> While looking at that topic I noticed that at least the X509 token
> assertion allows several references to be specified at the
> same time in the assertion:
> 
> <sp:X509Token
>   sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>   <wsp:Policy>
>     <wsp:ExactlyOne>
>       <wsp:All>
>         <sp:RequireIssuerSerialReference/>
>         <sp:RequireThumbprintReference/>
>       </wsp:All>
>     </wsp:ExactlyOne>
>   </wsp:Policy>
> </sp:X509Token>
> 
> This is a valid (normalized) X509 assertion and would require to
> include two references to the same token. Is this the intended
> behaviour? Or shall we clarify that as well?
> 
> Regards,
> Werner
> 
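
Added example, not part of the original thread or of any WS-SX deliverable: a small policy lint that flags the two combinations the proposal calls "not in error" but best avoided (a token included twice, and several reference forms required at once). The function names, finding labels and sample documents are constructed for illustration, and the wsp namespace URI is an assumption since the thread shows only the prefix.

```python
import xml.etree.ElementTree as ET

# Namespace taken from the IncludeToken URI quoted in the thread.
SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
# Assumption: WS-Policy 2004/09 namespace; the thread shows only the wsp prefix.
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"

# Constructed sample: the X509Token assertion from the thread (Never, two references).
SAMPLE_TWO_REFS = f"""<sp:X509Token xmlns:sp="{SP}" xmlns:wsp="{WSP}"
  sp:IncludeToken="{SP}/IncludeToken/Never"><wsp:Policy><wsp:ExactlyOne><wsp:All>
  <sp:RequireIssuerSerialReference/><sp:RequireThumbprintReference/>
  </wsp:All></wsp:ExactlyOne></wsp:Policy></sp:X509Token>"""
# Constructed sample: compact (non-normalized) form, .../Always plus an embedded reference.
SAMPLE_TWICE = f"""<sp:X509Token xmlns:sp="{SP}" xmlns:wsp="{WSP}"
  sp:IncludeToken="{SP}/IncludeToken/Always"><wsp:Policy>
  <sp:RequireEmbeddedTokenReference/></wsp:Policy></sp:X509Token>"""


def _reference_assertions(container):
    """Local names of sp:Require*Reference children of one policy alternative."""
    names = []
    for child in container:
        ns, _, local = child.tag[1:].partition("}")
        if ns == SP and local.startswith("Require") and local.endswith("Reference"):
            names.append(local)
    return names


def _alternatives(token):
    """Yield each alternative of the nested policy (normalized or compact form)."""
    policy = token.find(f"{{{WSP}}}Policy")
    if policy is None:
        return
    alls = policy.findall(f"{{{WSP}}}ExactlyOne/{{{WSP}}}All")
    # Compact form: direct children of wsp:Policy form one implicit alternative.
    yield from (alls if alls else [policy])


def lint_token_assertion(xml_text):
    """Return findings for the two combinations the proposal says are best avoided."""
    token = ET.fromstring(xml_text)
    include = token.get(f"{{{SP}}}IncludeToken", "")
    findings = []
    for alt in _alternatives(token):
        refs = _reference_assertions(alt)
        if include.endswith("/Always") and "RequireEmbeddedTokenReference" in refs:
            findings.append("token-included-twice")
        if len(refs) > 1:
            findings.append("multiple-reference-forms:" + ",".join(sorted(refs)))
    return findings
```

For policy documents from untrusted sources, parse with defusedxml instead of the standard library parser.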

