
Subject: FW: [ws-sx] Issue 66: Security Policy Usecases


Anand:
I'm forwarding your note to the WS-SX TC.
Your questions are good questions and the TC should discuss them
when we discuss issue 66.

All the best, Ashok
 

> -----Original Message-----
> From: Anand Mani [mailto:AnandMani@crimsonlogic.com] 
> Sent: Thursday, June 15, 2006 6:51 PM
> To: Ashok Malhotra
> Subject: RE: [ws-sx] Issue 66: Security Policy Usecases
> 
> Hi Ashok,
> 
> Went through the use cases which you have provided.
> Is there any specific reason why you have not included 
> username token with plain text password but with nonce and 
> timestamp? Do you think that such cases will be rare (or 
> practically useless) since if anyone is concerned about 
> timestamping and using nonce they will not send the password 
> in clear? Also does the use of password hash automatically 
> mean the nonce and timestamping need to be provided? The 
> policy fragment
> 
> <sp:SupportingToken>
>   <wsp:Policy>
>       <sp:UserNameToken>
>           <wsp:Policy><sp:HashPassword/></wsp:Policy>
>       </sp:UserNameToken>
>   </wsp:Policy>
> </sp:SupportingToken>
> 
> does not make this point very clear.
> 
> In most of the security toolkits for WS the hashing of 
> password and timestamping can be decoupled. So how do we 
> represent a case wherein timestamping is required without 
> having to hash the password using wsp:Policy?
> 
> Regards,
> Anand.
> 
> 
> -----Original Message-----
> From: Ashok Malhotra [mailto:ashok.malhotra@oracle.com]
> Sent: Friday, June 16, 2006 2:13 AM
> To: ws-sx@lists.oasis-open.org
> Cc: Prateek Mishra; Mischkinsky,Jeff
> Subject: [ws-sx] Issue 66: Security Policy Usecases
> 
> 
> I'm attaching a document with a number of what we feel are typical
> Security Policy usecases along with sample Policies.
> 
> The first thing to do is to discuss whether we need more or less
> usecases. My guess is we need more but we also don't need a 100 page
> document.
> 
> Then we need to decide where this fits along with the other WS-SX
> deliverables.
> 
> All the best, Ashok
>  
> 
>
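
Added example, not part of the thread or of any WS-SX document: a minimal server-side UsernameToken check showing that the password check (plain text or digest) and the nonce/timestamp freshness check are separate steps, which is the decoupling the forwarded note asks about. The digest formula Base64(SHA-1(nonce + created + password)) is from the WSS UsernameToken Profile; `TokenVerifier`, the short type names, the result strings and the five-minute window are assumptions made for this sketch.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone

DIGEST = "PasswordDigest"  # short names for this sketch; real tokens carry full Type URIs
TEXT = "PasswordText"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(decoded nonce + created + password)), UsernameToken Profile."""
    h = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")

class TokenVerifier:  # hypothetical helper, not a toolkit API
    def __init__(self, passwords, max_age=timedelta(minutes=5)):
        self.passwords = passwords  # username -> shared secret (constructed data)
        self.max_age = max_age      # assumed freshness window
        self.seen = set()           # (user, nonce) cache; a real service expires entries

    def verify(self, user, pw_type, pw_value, nonce_b64=None, created=None, now=None):
        now = now or datetime.now(timezone.utc)
        secret = self.passwords.get(user)
        if secret is None:
            return "unknown-user"
        nonce = base64.b64decode(nonce_b64) if nonce_b64 else b""
        # Step 1: password check. A digest covers whichever of nonce/created are present.
        if pw_type == DIGEST:
            expected = password_digest(nonce, created or "", secret)
        else:
            expected = secret
        if not hmac.compare_digest(expected.encode(), pw_value.encode()):
            return "bad-password"
        # Step 2: freshness check, applied the same way to text and digest passwords.
        if nonce_b64 is None or created is None:
            return "ok-no-replay-protection"
        ts = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if abs(now - ts) > self.max_age:
            return "stale"
        if (user, nonce) in self.seen:
            return "replayed"
        self.seen.add((user, nonce))
        return "ok"
```

A plain-text password with nonce and timestamp still gets replay detection at the receiver, but the password itself is only protected if the transport or message is encrypted.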


