Subject: Issue PR013: Need EncryptedSupportingTokens assertion
PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSISON THREAD UNTIL THE ISSUE IS ASSIGNED A NUMBER.
The issues coordinators will notify the list when that has occurred.
Title: Need EncryptedSupportingTokens assertion
Need EncryptedSupportingTokens assertion to encrypt plain text password in Username Token for authentication.
The current WS-SP spec has SupportingTokens, SignedSupportingTokens, and SignedEncryptedSupportingTokens assertions, but does not have EncryptedSupportingTokens assertion.
Encrypted support token without signature is a common use case, when the plain text password is used on the Username Token for authentication, and the client does not have private key for signature. When the server can only accept plain text password, encrypt the password with server’s X509 certificate is a good security practice, but existing spec does not have a simply assertion in supporting token for this simple requirement.
Need policy example for encrypted username token.
Added new EncryptedSupportingTokens assertion into WS-SP spec, after section 8.5. -- “SignedEncryptedSupportingTokens Assertion”. The text can be similar to the section 8.5.
Notice: This email message, together with any attachments, may contain
information of BEA Systems, Inc., its subsidiaries and affiliated
entities, that may be confidential, proprietary, copyrighted and/or
legally privileged, and is intended solely for the use of the individual
or entity named in this message. If you are not the intended recipient,
and have received this message in error, please immediately return this
by email and then delete it.