ws-sx message

Subject: NEW Issue: Assertion to allow STS to require requestor to specify scope of issued token


PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL THE ISSUE IS ASSIGNED A NUMBER.

The issues coordinators will notify the list when that has occurred.

Protocol:  ws-securitypolicy

http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/21401/ws-securitypolicy-1.2-spec-cd-01.pdf

Artifact:  spec / schema

Type: design

Title: Assertion to allow STS to require requestor to specify scope of issued token

Description:

WS-Trust defines the rules for interpreting the combinations of when a requestor specifies token scope and/or when the issuer returns token scope using the AppliesTo element. However, there is no way to give an STS control over when a requestor may/should specify the AppliesTo element in the RST request, and there are scenarios when such control would be useful. Of course, the STS always has the final say and can refuse a request lacking suitable AppliesTo, but without any a priori indication to a requestor that did not normally include AppliesTo info, the only option would be to fault and then retry.

It would be useful to introduce a policy assertion that allows an STS to state the requirement that scope information be included, in the form of AppliesTo, in the RST. It would represent an intersectable behavior and would fit naturally under the top-level Trust assertion already defined in WS-SecurityPolicy for WS-Trust exchanges.

Related issues:

None.

Proposed Resolution:

Modify as follows.

Add <sp:RequireAppliesTo/>? to the exemplar of Section 10.1 Trust13 Assertion (marked in the exemplar below) with the following definition.

<sp:Trust13 xmlns:sp="..." ... >
  <wsp:Policy xmlns:wsp="...">
    <sp:MustSupportClientChallenge ... />?
    <sp:MustSupportServerChallenge ... />?
    <sp:RequireClientEntropy ... />?
    <sp:RequireServerEntropy ... />?
    <sp:MustSupportIssuedTokens ... />?
    <sp:RequireRequestSecurityTokenCollection />?
    <sp:RequireAppliesTo />?                       <!-- new assertion proposed by this issue -->
    ...
  </wsp:Policy>
  ...
</sp:Trust13 ... >

/sp:Trust13/wsp:Policy/sp:RequireAppliesTo

This optional element is a policy assertion that indicates that the STS requires the requestor to specify the scope for the issued token using wsp:AppliesTo in the RST.
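As an added illustration, not part of this issue text or of any ws-sx TC deliverable, the following shows how a requestor and an STS could act on the proposed assertion: the requestor reads the STS policy and adds wsp:AppliesTo to the RST up front, and the STS still enforces the requirement on the RST it receives. The namespace URIs are the published WS-SecurityPolicy 1.2, WS-Policy 1.5, WS-Trust 1.3 and WS-Addressing 1.0 ones; the policy and RST documents are constructed samples, and the choice of wst:InvalidRequest as the fault for a missing scope is an assumption.

```python
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"   # WS-SecurityPolicy 1.2
WSP = "http://www.w3.org/ns/ws-policy"                              # WS-Policy 1.5
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"           # WS-Trust 1.3
WSA = "http://www.w3.org/2005/08/addressing"                        # WS-Addressing 1.0
for _p, _u in (("sp", SP), ("wsp", WSP), ("wst", WST), ("wsa", WSA)):
    ET.register_namespace(_p, _u)

# Constructed STS policy: a Trust13 assertion carrying the proposed sp:RequireAppliesTo.
STS_POLICY = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <sp:Trust13>
    <wsp:Policy>
      <sp:MustSupportIssuedTokens/>
      <sp:RequireAppliesTo/>
    </wsp:Policy>
  </sp:Trust13>
</wsp:Policy>"""


def policy_requires_applies_to(policy_xml):
    """True if /sp:Trust13/wsp:Policy/sp:RequireAppliesTo is asserted in the policy."""
    path = f".//{{{SP}}}Trust13/{{{WSP}}}Policy/{{{SP}}}RequireAppliesTo"
    return ET.fromstring(policy_xml).find(path) is not None


def build_rst(policy_xml, scope=None):
    """Requestor side: consult the policy and add wsp:AppliesTo before sending,
    instead of learning about the requirement through a fault-and-retry round trip."""
    if scope is None and policy_requires_applies_to(policy_xml):
        raise ValueError("STS policy requires AppliesTo; caller must supply a scope")
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = WST + "/Issue"
    if scope is not None:
        epr = ET.SubElement(ET.SubElement(rst, f"{{{WSP}}}AppliesTo"),
                            f"{{{WSA}}}EndpointReference")
        ET.SubElement(epr, f"{{{WSA}}}Address").text = scope
    return ET.tostring(rst, encoding="unicode")


def sts_check(policy_xml, rst_xml):
    """STS side: the assertion only informs the requestor; the STS still has the
    final say and faults on an RST that omits the required scope (assumed fault code)."""
    scope_path = f"{{{WSP}}}AppliesTo/{{{WSA}}}EndpointReference/{{{WSA}}}Address"
    has_scope = ET.fromstring(rst_xml).find(scope_path) is not None
    if policy_requires_applies_to(policy_xml) and not has_scope:
        return "fault: wst:InvalidRequest (wsp:AppliesTo required by policy)"
    return "issue"
```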