Subject: Re: [ws-sx] Issue 101: Need additional SamlToken Assertion Elements for Holder-of-Key and Sender-Vouches (and Bearer)


The issue here is that this proposal now adds implied processing semantics.

Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122
From: Rich Levinson <rich.levinson@oracle.com>
Date: 09/12/2006 03:59 PM
To: Marc Goodner <mgoodner@microsoft.com>
cc: "ws-sx@lists.oasis-open.org" <ws-sx@lists.oasis-open.org>, Frederick Hirsch <frederick.hirsch@nokia.com>, Martin Gudgin <mgudgin@microsoft.com>, Greg Whitehead <greg.whitehead@hp.com>
Subject: Re: [ws-sx] Issue 101: Need additional SamlToken Assertion Elements for Holder-of-Key and Sender-Vouches (and Bearer)

To address issue 101:

http://docs.oasis-open.org/ws-sx/issues/Issues.xml#i101

plus the recommendations that have been put forth since the issue was first raised, in particular, the recommendation that the SAML ConfirmationMethod be inferrable from the ws-sp context, and that the bearer confirmation method also be included, I am proposing the text below to follow line 1417 of the version 9 ws-sp spec:

http://www.oasis-open.org/committees/download.php/20152/ws-securitypolicy-1.2-spec-ed-01-r09-diff.pdf


Proposed text follows between indicators:

<start of proposed text>

Note: WSS:SAMLTokenProfile1.0 and WSS:SAMLTokenProfile1.1 describe 3 types of SAML Assertion ConfirmationMethods: holder-of-key, sender-vouches, and bearer. The following guidelines may be used to determine which kind of SAML ConfirmationMethod will meet the policy requirements:

    If the SamlToken Assertion appears within a Security Binding assertion,
    then it should, in general, be assumed that a SAML holder-of-key assertion
    is required to satisfy the policy requirement.

    If the SamlToken Assertion appears within a SignedSupportingTokens element,
    which is outside of any Security Binding assertion, then it may be assumed
    that a SAML sender-vouches assertion will satisfy the policy requirement.

    If the SamlToken Assertion appears within a SupportingTokens element which
    is outside of any Security Binding assertion, then it may be assumed that a
    SAML bearer assertion will satisfy the policy requirement.

<end of proposed text>

In addition, a new revision of the Use Cases document will be issued later today containing examples, which incorporate the above usage guidelines.

Comments and suggestions are always welcome.

   Thanks,
   Rich Levinson
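The proposed guideline makes the SAML confirmation method a function of where sp:SamlToken sits in the policy tree. As an added illustration that is not part of this thread, the following Python walks a constructed WS-SecurityPolicy fragment and applies the three rules; the namespace URIs, the three security binding element names and the sample policy are assumptions.

```python
import xml.etree.ElementTree as ET

# The three WS-SecurityPolicy security binding assertions. The message refers to
# "a Security Binding assertion" generically; these element names are assumed.
SECURITY_BINDINGS = {"TransportBinding", "SymmetricBinding", "AsymmetricBinding"}
SUPPORTING_CONTAINERS = {"SignedSupportingTokens", "SupportingTokens"}

# Constructed sample policy: one SamlToken in each of the three positions the
# guideline distinguishes. Namespace URIs are assumed; the code keys on local names.
SAMPLE_POLICY = """<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <sp:AsymmetricBinding><wsp:Policy>
    <sp:InitiatorToken><wsp:Policy><sp:SamlToken/></wsp:Policy></sp:InitiatorToken>
  </wsp:Policy></sp:AsymmetricBinding>
  <sp:SignedSupportingTokens><wsp:Policy><sp:SamlToken/></wsp:Policy></sp:SignedSupportingTokens>
  <sp:SupportingTokens><wsp:Policy><sp:SamlToken/></wsp:Policy></sp:SupportingTokens>
</wsp:Policy>"""


def local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def infer_confirmation_method(ancestors):
    """Apply the three guidelines to the local names of a SamlToken's ancestors."""
    # A security binding anywhere above the token wins; otherwise the token is
    # classified by the supporting-tokens container it sits in.
    if SECURITY_BINDINGS & set(ancestors):
        return "holder-of-key"
    if "SignedSupportingTokens" in ancestors:
        return "sender-vouches"
    if "SupportingTokens" in ancestors:
        return "bearer"
    return None  # no guideline applies; the policy must state the method explicitly


def saml_tokens_with_methods(policy_xml):
    """Return (enclosing container, inferred method) for every sp:SamlToken."""
    root = ET.fromstring(policy_xml)
    parent = {child: elem for elem in root.iter() for child in elem}
    results = []
    for elem in root.iter():
        if local_name(elem.tag) != "SamlToken":
            continue
        ancestors, node = [], parent.get(elem)
        while node is not None:  # walk up to the document root
            ancestors.append(local_name(node.tag))
            node = parent.get(node)
        container = next((n for n in ancestors
                          if n in SECURITY_BINDINGS or n in SUPPORTING_CONTAINERS), None)
        results.append((container, infer_confirmation_method(ancestors)))
    return results
```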


