OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

ws-sx message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [ws-sx] Issue 31: Token properties

The following is from the charter for our WS-SX TC: 

"WS-SecurityPolicy [4] uses the facilities of WS-Policy [5] to express
the conditions and restrictions on the wire formats defined by OASIS Web
Services Security [1], WS-SecureConversation [2] and WS-Trust [3] to a
specific set of typed message interchanges."

From this statement, there is no reason to define the WSS token
properties somewhere else. WS-SecurityPolicy has to define properties of
token in the WS-Security spec. 

For example, Username Token with/without nonce or created tags should be
definable in the security policy, so that the Policy Enforcement Point
can enforce the policy accordingly. 

Symon Chang, CISSP 
Sr. Security Architect
Blue Titan Software 

-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu] 
Sent: Thursday, April 06, 2006 9:53 AM
To: 'Tony Gullotta'; 'Anthony Nadalin'
Cc: ws-sx@lists.oasis-open.org
Subject: RE: [ws-sx] Issue 31: Token properties

> I would think that at a minimum we should look at properties 
> required to ensure the tokens can be authenticated properly 
> like in my first example.

That applies to SAML as well, i.e. SubjectConfirmation. It's meaningless
just say "SAML token".

I would say there should be token profiles of many of these specs, if
here, fine, but somewhere.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]