ws-sx message



Subject: RE: [ws-sx] Issue 66: Security Policy Usecases


I went looking for the current Usecases document today and could not find it in the TC’s document repository.  I did find a version attached to this message from Nov 1.  Is this the latest version?

 

Can we get the latest version loaded into the TC’s document repository?

 

/paulc

 

Paul Cotton, Microsoft Canada
17 Eleanor Drive, Ottawa, Ontario K2E 6A3
Tel: (613) 225-5445 Fax: (425) 936-7329
mailto:Paul.Cotton@microsoft.com




From: Rich Levinson [mailto:rich.levinson@oracle.com]
Sent: November 1, 2006 11:50 AM
To: Rich Levinson
Cc: Ashok Malhotra; Tony Gullotta; Anthony Nadalin; ws-sx@lists.oasis-open.org
Subject: Re: [ws-sx] Issue 66: Security Policy Usecases

 

Apologies once more, previous version had a floating
graphic that I thought had been eradicated messing
up the start of section 2. I'm pretty sure that's it,
and I am going to stop looking at it for a while,
so this is the last blast on this version.

  Thanks,
  Rich

Rich Levinson wrote:

Sorry for the extra resend, but based on some sage advice from
Paul Cotton, I was able to recover the changes in this version,
so that if one wants to see the changes from the previous version,
just go to track changes -> highlight -> check the display on screen box.

    Thanks,
    Rich

Rich Levinson wrote:

Resend of previous message with attachment updated with correct formatting.


-------- Original Message --------

Subject: Re: [ws-sx] Issue 66: Security Policy Usecases
Date: Wed, 01 Nov 2006 00:13:18 -0500
From: Rich Levinson <rich.levinson@oracle.com>
To: Ashok Malhotra <ashok.malhotra@oracle.com>
CC: Tony Gullotta <tony.gullotta@soa.com>, Anthony Nadalin <drsecure@us.ibm.com>, "ws-sx@lists.oasis-open.org" <ws-sx@lists.oasis-open.org>
References: <20061018112650358.00000000784@amalhotr-pc>



Attached please find update to the use cases document. Please
consider it an extremely rough draft as I have only had limited
time to get the core concepts in and no time for cleanup.

The main points to focus on are:

    An introductory section which includes a diagram of
    the trust context to which the individual examples can
    be related.

    Section 2.3 has been updated to include the inferred
    model for SAML Assertions.

    In general, the text has been rephrased somewhat to
    try to indicate that it is explanatory, and does not
    require any special processing, however, it is clear
    that the SAML inferences would be useful to
    interop to establish a baseline for implementors.

    A first pass at a list of references identifying specific
    examples with explicit WS-Security and other interop
    documents is included in Section 3 with refs to the
    links included in the appropriate use cases.

    Note: I had some trouble with the Word editor and
    ended up with a 4.5 M doc that I couldn't figure out
    how to shrink back to normal size. As a result, I
    created a new doc and copied and pasted the
    large doc to it, which is what is being distributed.
    It has lost the changes. However, if anyone wants
    the changes, I can send them the 4.5 M doc
    directly, which does have the changes available
    for review.

Bottom line, the general direction has been set, the major
issues that have been raised have been addressed, and the
document should be ready for the TC to determine the
next steps.

    Thanks,
    Rich



Ashok Malhotra wrote:

For what it's worth, my reading of the sentiment in the TC is to include it as a non-normative document.

All the best, Ashok

 

 


From: Rich Levinson [mailto:rich.levinson@oracle.com]
Sent: Wednesday, October 18, 2006 10:33 AM
To: Tony Gullotta
Cc: Anthony Nadalin; ws-sx@lists.oasis-open.org
Subject: Re: [ws-sx] Issue 66: Security Policy Usecases

Hi Tony G.,

I believe the original issue and proposal included both possibilities:

    http://lists.oasis-open.org/archives/ws-sx/200604/msg00034.html

The minutes of the April F2F, item e, new item: had some comments
on the initial activity:

    http://lists.oasis-open.org/archives/ws-sx/200604/msg00035.html

The original doc:

    http://lists.oasis-open.org/archives/ws-sx/200606/msg00025.html

indicated focus on "typical scenarios that would be useful to users",
which I think indicates an intention to make public if there is general
agreement.

The first step was to come up with an agreed-upon set of scenarios.
The current activity, I think, addresses both purposes: 1. to find
issues with the ws-sp spec, of which 101 was an issue that was
identified in the early versions of the doc, which I escalated as 101
when I took on the task of updating the doc. Surprisingly, that
issue seemed to develop a life of its own and uncovered a 3x3
matrix of saml use cases (3 token types, 3 bindings) that appeared
to require some non-trivial analysis to cleanly address. That is
what the current discussion has been around the saml chapter
and text describing the use cases.

Bottom line, I believe, is that if after there is some agreement on
the set of examples (scenarios, or use cases) the TC will decide
what to do re: making the doc generally available.

    Thanks,
    Rich


Tony Gullotta wrote:

Is the use case document going to be an officially published document to the user community? I thought it was just going to be an internal document to make sure the ws-sp spec was complete.

 

Tony

 


From: Rich Levinson [mailto:rich.levinson@oracle.com]
Sent: Tue 10/17/2006 5:02 PM
To: Anthony Nadalin
Cc: Ashok Malhotra; Prateek.Mishra@oracle.com; ws-sx@lists.oasis-open.org
Subject: Re: [ws-sx] Issue 66: Security Policy Usecases

Hi Tony,

I apologize for taking so long getting back on this - have been
tending to other business responsibilities.

I think I understand that you are interpreting what I would call
the "explanation" as to what the meaning of the hk assertion is, as
"processing requirements". That is not the intent. The assumption
is that the client knows how to prepare a WS-Security header in
compliance with the WS-Security profiles, and the only objective
here has been to somehow use the ws-sp constructs to indicate
the saml confirmation method (hk, sv, or bearer) so the client
knows which type of profile to use. So, the explanatory text
can be regarded as primarily to explain to the reader what
is going on from a trust perspective.

I think I could do another pass at the text in these to make
that more clear, if that is what the committee chooses.

Also, regarding issue 101, which has driven some of this
analysis, after considering all the feedback, it seems
possible to me that the ws spec could be left unchanged,
and that the use cases document, by example, could
indicate implicitly which saml confirmation method the
client would be expected to use.

This would be non-normative and the user community
at large could decide if it was sufficient or if another
approach would be preferred.

As it stands now, I think there still exists a gap between
the explicit SamlToken specification in ws-sp and mapping
that to the wss profiles as has been discussed. However, as
a result of the analysis over the last several weeks, at least
one approach has surfaced (generally suggested by Martin
and reflected in the current version of the use cases /
examples doc), which can close this gap
with the spec as it currently exists, although, that
approach does require some explanation, because
it would not be obvious to most people who have not
actually been involved. That explanation does not need
to be in the ws-sp spec as issue 101 currently
requests.

I believe the current use cases/examples doc can be
modified so that we can simply assume if the saml
token is in a ws-sp binding element that it should
contain key material and therefore be a
Saml hk token, and that at this point we can leave
other saml tokens that are identified outside the
binding element to be any kind of saml token.
Whether to distinguish between sv and bearer
as signed vs unsigned can be left as a TBD.

    Thanks,
    Rich




Anthony Nadalin wrote:

Ashok, thanks for reminding me. So for example take 2.3.1.3, it states "Initiator may be considered to be authorized by the issuer of the hk SAML assertion to bind message content to the Subject of the assertion. If the Client Certificate matches the certificate identified in the hk assertion, the initiator may be regarded as executing SAML hk responsibility of binding the Subject of the hk assertion to the content of the message." this implies processing assumptions that can't be addressed in WS-SecurityPolicy.


Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122
From: "Ashok Malhotra" <ashok.malhotra@oracle.com>
Sent: 10/10/2006 04:52 PM
To: Anthony Nadalin/Austin/IBM@IBMUS
cc: "Prateek.Mishra@oracle.com" <Prateek.Mishra@oracle.com>, "Rich Levinson" <rich.levinson@oracle.com>, "ws-sx@lists.oasis-open.org" <ws-sx@lists.oasis-open.org>
Subject: RE: [ws-sx] Issue 66: Security Policy Usecases

 


Hi Tony:
On last week's WS-SX call we said that we did not understand what you meant by
"processing assumptions" on some of the usecases. See your note below.
You offered to clarify. Could you please send the clarifications. We are anxious to
make progress on the usecase document.

All the best, Ashok

 


From: Anthony Nadalin [mailto:drsecure@us.ibm.com]
Sent: Wednesday, September 27, 2006 6:53 AM
To: ws-sx@lists.oasis-open.org
Subject: [ws-sx] Issue 66: Security Policy Usecases

While reading the document quite a few of these use cases were confusing as they had to deal with processing assumptions rather than wire format assumptions. So while we can think up many usecases, I'm not sure of the purpose of several of the scenarios in section 2.3 (like 2.3.1.3).

Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122
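
The following is an added example and is not part of any message above nor TC material. It turns the inference Rich proposes (a SamlToken inside a ws-sp binding element is taken to be holder-of-key because it carries the key material used to protect the message; a SamlToken in a supporting-tokens element may be hk, sv or bearer, with sv-vs-bearer left as the TBD) into a policy-side check a recipient could run before it gets to the WSS SAML Token Profile processing. The policy fragment and the SAML assertions are constructed sample input; the WS-SecurityPolicy 1.2 namespace is assumed (the thread predates its publication), and the requirement that an hk assertion carry ds:KeyInfo in SubjectConfirmationData comes from the SAML 2.0 profiles, not from ws-sp.

```python
"""Infer which SAML subject-confirmation methods an <sp:SamlToken> implies from
where it sits in a WS-SecurityPolicy, then check an incoming assertion against
that inference.  Added example; the rule encoded here is the one proposed in the
thread, not text from the ws-sp spec."""
import xml.etree.ElementTree as ET

# Namespaces.  SP is the WS-SecurityPolicy 1.2 namespace and is an assumption;
# substitute the draft namespace you actually test against.
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
SV = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


def sp(local):
    return "{%s}%s" % (SP, local)


BINDINGS = {sp(n) for n in ("TransportBinding", "SymmetricBinding", "AsymmetricBinding")}
SUPPORTING = {sp(n) for n in ("SupportingTokens", "SignedSupportingTokens",
                              "EndorsingSupportingTokens", "SignedEndorsingSupportingTokens")}
WSP_POLICY = "{%s}Policy" % WSP


def infer_confirmation_methods(policy_xml):
    """One entry per sp:SamlToken: its position (wsp:Policy wrappers elided) and
    the confirmation methods the proposal allows for a token in that position."""
    slots = []

    def walk(elem, ancestors):
        if elem.tag == sp("SamlToken"):
            container = next((a for a in reversed(ancestors)
                              if a.tag in BINDINGS or a.tag in SUPPORTING), None)
            if container is None:
                raise ValueError("sp:SamlToken outside any binding or supporting-tokens element")
            chain = ancestors[ancestors.index(container):] + [elem]
            location = "/".join(a.tag.split("}")[1] for a in chain if a.tag != WSP_POLICY)
            # Proposal: a token inside a binding element is the key used to
            # sign/encrypt, so it must be holder-of-key.  Tokens in a
            # supporting-tokens element are left as "any kind of saml token".
            allowed = {HOK} if container.tag in BINDINGS else {HOK, SV, BEARER}
            slots.append({"location": location, "allowed": allowed})
        for child in elem:
            walk(child, ancestors + [elem])

    walk(ET.fromstring(policy_xml), [])
    return slots


def confirmation_method(assertion_xml):
    """SubjectConfirmation/@Method of a SAML 2.0 assertion.  An hk assertion
    with no ds:KeyInfo in SubjectConfirmationData is rejected: the recipient
    would have nothing to match the message signature against."""
    root = ET.fromstring(assertion_xml)
    sc = root.find("{%s}Subject/{%s}SubjectConfirmation" % (SAML2, SAML2))
    if sc is None or "Method" not in sc.attrib:
        raise ValueError("assertion has no SubjectConfirmation/@Method")
    method = sc.attrib["Method"]
    if method == HOK and sc.find("{%s}SubjectConfirmationData/{%s}KeyInfo" % (SAML2, DS)) is None:
        raise ValueError("holder-of-key assertion carries no ds:KeyInfo")
    return method


def token_allowed(policy_xml, location, assertion_xml):
    """True if the assertion presented in the named policy slot uses a
    confirmation method that slot permits under the proposal."""
    for slot in infer_confirmation_methods(policy_xml):
        if slot["location"] == location:
            return confirmation_method(assertion_xml) in slot["allowed"]
    raise KeyError("no sp:SamlToken at %s" % location)


# Constructed sample policy: SAML token as the initiator's signing token, plus a
# second SAML token as a signed supporting token.
POLICY = """<wsp:Policy xmlns:wsp="%s" xmlns:sp="%s">
  <sp:AsymmetricBinding><wsp:Policy>
    <sp:InitiatorToken><wsp:Policy>
      <sp:SamlToken><wsp:Policy><sp:WssSamlV20Token11/></wsp:Policy></sp:SamlToken>
    </wsp:Policy></sp:InitiatorToken>
    <sp:RecipientToken><wsp:Policy>
      <sp:X509Token><wsp:Policy><sp:WssX509V3Token10/></wsp:Policy></sp:X509Token>
    </wsp:Policy></sp:RecipientToken>
  </wsp:Policy></sp:AsymmetricBinding>
  <sp:SignedSupportingTokens><wsp:Policy>
    <sp:SamlToken><wsp:Policy><sp:WssSamlV20Token11/></wsp:Policy></sp:SamlToken>
  </wsp:Policy></sp:SignedSupportingTokens>
</wsp:Policy>""" % (WSP, SP)


def _assertion(method, confirmation_data):
    """Constructed minimal SAML 2.0 assertion (issuer and subject are made up)."""
    return ("""<saml:Assertion xmlns:saml="%s" xmlns:ds="%s" Version="2.0" ID="_a1"
  IssueInstant="2006-11-01T00:00:00Z">
  <saml:Issuer>https://sts.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="%s">%s</saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>""" % (SAML2, DS, method, confirmation_data))


HOK_ASSERTION = _assertion(HOK, "<saml:SubjectConfirmationData><ds:KeyInfo>"
                                "<ds:KeyName>alice-cert</ds:KeyName></ds:KeyInfo>"
                                "</saml:SubjectConfirmationData>")
BEARER_ASSERTION = _assertion(BEARER, "")
BROKEN_HOK_ASSERTION = _assertion(HOK, "")   # claims hk but carries no key material

if __name__ == "__main__":
    for slot in infer_confirmation_methods(POLICY):
        print(slot["location"], sorted(m.rsplit(":", 1)[1] for m in slot["allowed"]))
    print(token_allowed(POLICY, "AsymmetricBinding/InitiatorToken/SamlToken", BEARER_ASSERTION))
```

The binding-token check is only half of the hk story: after `token_allowed` passes, the recipient still has to verify that the ds:KeyInfo in the assertion identifies the key that actually signed the message, which is the step 2.3.1.3 describes and which no policy assertion can express.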


