Re: [ws-sx] Issue 31: Token properties

[Anthony Nadalin <drsecure@us.ibm.com>]

Greg,

It's enough for WS-Security, WS-Trust, etc to say I want a SAML token as that is all the is profiled in WSS, there is nothing that the wire format of these specifications depend on in regards to token specifics.

Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122
Greg Whitehead <greg.whitehead@hp.com>

Greg Whitehead <greg.whitehead@hp.com>

04/07/2006 07:15 AM

To	Anthony Nadalin/Austin/IBM@IBMUS
cc	"Symon Chang" <schang@bluetitan.com>, "Scott Cantor" <cantor.2@osu.edu>, "Tony Gullotta" <tony.gullotta@soa.com>, ws-sx@lists.oasis-open.org
Subject	Re: [ws-sx] Issue 31: Token properties

It seems to me that an RST needs to specify the desired properties of the requested token in enough detail that the STS can satisfy the request without relying on out-of-band information.

As has already been pointed out, it's not enough to say that you want a SAML token.

-Greg

On Apr 7, 2006, at 12:34 AM, Anthony Nadalin wrote:

Symon,

The key part of what you quote is "conditions and restrictions on the wire formats defined by OASIS Web
Services Security [1], WS-SecureConversation [2] and WS-Trust [3] to a
specific set of typed message interchanges." well Services Security, WS-SecureConversation and WS-Trust don't depend on any formats of the tokens for wire formats, applications may but these specifications don't.


Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122
<graycol.gif>

"Symon Chang" <schang@bluetitan.com>



"Symon Chang" <schang@bluetitan.com>

04/06/2006 12:36 PM

<ecblank.gif> To	<ecblank.gif> "Scott Cantor" <cantor.2@osu.edu>, "Tony Gullotta" <tony.gullotta@soa.com>, Anthony Nadalin/Austin/IBM@IBMUS, <ws-sx@lists.oasis-open.org>
<ecblank.gif> cc	<ecblank.gif>
<ecblank.gif> Subject	<ecblank.gif> RE: [ws-sx] Issue 31: Token properties

<ecblank.gif>

<ecblank.gif>


The following is from the charter for our WS-SX TC:

"WS-SecurityPolicy [4] uses the facilities of WS-Policy [5] to express
the conditions and restrictions on the wire formats defined by OASIS Web
Services Security [1], WS-SecureConversation [2] and WS-Trust [3] to a
specific set of typed message interchanges."

From this statement, there is no reason to define the WSS token
properties somewhere else. WS-SecurityPolicy has to define properties of
token in the WS-Security spec.

For example, Username Token with/without nonce or created tags should be
definable in the security policy, so that the Policy Enforcement Point
can enforce the policy accordingly.


Symon Chang, CISSP
Sr. Security Architect
Blue Titan Software

-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu]
Sent: Thursday, April 06, 2006 9:53 AM
To: 'Tony Gullotta'; 'Anthony Nadalin'
Cc: ws-sx@lists.oasis-open.org
Subject: RE: [ws-sx] Issue 31: Token properties

> I would think that at a minimum we should look at properties
> required to ensure the tokens can be authenticated properly
> like in my first example.

That applies to SAML as well, i.e. SubjectConfirmation. It's meaningless
to
just say "SAML token".

I would say there should be token profiles of many of these specs, if
not
here, fine, but somewhere.

-- Scott