

Subject: RE: [ws-sx] Issue i134: IncludeToken Policy Assertion Parameters and alternatives


Issue i134

> -----Original Message-----
> From: K.Venugopal@Sun.COM [mailto:K.Venugopal@Sun.COM]
> Sent: Tuesday, May 29, 2007 7:13 AM
> To: ws-sx@lists.oasis-open.org
> Subject: [ws-sx] New Issue: IncludeToken Policy Assertion Parameters and
> alternatives
>
> PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL
> THE ISSUE IS ASSIGNED A NUMBER.
> The issues coordinators will notify the list when that has occurred.
> *Protocol:* ws-securitypolicy
> _http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/21362/ws-secureconversation-1.3-spec-cs-01.pdf_
>
> _http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/23821/ws-securitypolicy-1.2-spec-cs.pdf_
>
> *Artifact:* spec
> *Type:* spec
> *Title:*  Policy Assertion Parameters and alternatives
> *Description:*
>
> As we know, WS Policy does not use Policy Assertion parameters when
> intersecting Policy Assertions. IMO this would impact WS Security Policy
> to a certain extent.
> e.g.:
>
> Alternative A
> -------------------------------
> <sp:AsymmetricBinding>
>   <wsp:Policy>
>     <sp:InitiatorToken>
>       <sp:X509Token sp:IncludeToken=".....Never">
>         <wsp:Policy>
>           <sp:RequireDerivedKeys ... />
>           <sp:RequireKeyIdentifierReference ... />
>         </wsp:Policy>
>       </sp:X509Token>
>     </sp:InitiatorToken>
>
>     <sp:RecipientToken>
>       <sp:X509Token sp:IncludeToken=".......Never">
>         <wsp:Policy>
>           <sp:RequireDerivedKeys ... />
>           <sp:RequireKeyIdentifierReference ... />
>         </wsp:Policy>
>       </sp:X509Token>
>     </sp:RecipientToken>
>
>   </wsp:Policy>
> </sp:AsymmetricBinding>
>
>
> Alternative B
> -------------------------------
> <sp:AsymmetricBinding>
>   <wsp:Policy>
>     <sp:InitiatorToken>
>       <sp:X509Token sp:IncludeToken="......Always">
>         <wsp:Policy>
>           <sp:RequireDerivedKeys ... />
>           <sp:RequireKeyIdentifierReference ... />
>         </wsp:Policy>
>       </sp:X509Token>
>     </sp:InitiatorToken>
>
>     <sp:RecipientToken>
>       <sp:X509Token sp:IncludeToken="......Always">
>         <wsp:Policy>
>           <sp:RequireDerivedKeys ... />
>           <sp:RequireKeyIdentifierReference ... />
>         </wsp:Policy>
>       </sp:X509Token>
>     </sp:RecipientToken>
>
>   </wsp:Policy>
> </sp:AsymmetricBinding>
>
>
>
> When intersected with the default algorithm of the policy framework the
> resulting policy would contain mutually contradictory X509Token
> parameters. On one hand, the resulting policy would require never to
> include X509Tokens while at the same time always requiring to include
> X509Tokens. The intersection result would effectively yield an invalid
> policy.
>
>
> Regards,
> Venu
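
The intersection behaviour described in the message above, as an added example that is not part of the original post or of any WS-Policy implementation: a QName-only compatibility check that accepts the two alternatives, followed by a pass that lists the contradictory parameters a policy consumer would have to detect itself. Assumptions: the namespace URIs and IncludeToken values are constructed placeholders (the message elides the real ones), each token assertion is wrapped in a nested `wsp:Policy`, every policy holds a single alternative, and all function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: placeholder namespace URIs and IncludeToken values
# (the message elides the real ones); function names are hypothetical.
NS = 'xmlns:sp="urn:example:sp" xmlns:wsp="urn:example:wsp"'
WSP_POLICY = "{urn:example:wsp}Policy"

def binding(include):
    token = (f'<sp:X509Token sp:IncludeToken="urn:example:IncludeToken/{include}">'
             '<wsp:Policy><sp:RequireDerivedKeys/>'
             '<sp:RequireKeyIdentifierReference/></wsp:Policy></sp:X509Token>')
    return ET.fromstring(
        f'<sp:AsymmetricBinding {NS}><wsp:Policy>'
        f'<sp:InitiatorToken><wsp:Policy>{token}</wsp:Policy></sp:InitiatorToken>'
        f'<sp:RecipientToken><wsp:Policy>{token}</wsp:Policy></sp:RecipientToken>'
        '</wsp:Policy></sp:AsymmetricBinding>')

def local(qname):
    return qname.rsplit("}", 1)[-1]

def nested(assertion):
    """Assertions inside the nested wsp:Policy, or None when there is none."""
    policy = assertion.find(WSP_POLICY)
    return None if policy is None else list(policy)

def compatible(a, b):
    """QName-only matching: attributes (assertion parameters) are never compared."""
    if a.tag != b.tag:
        return False
    na, nb = nested(a), nested(b)
    if na is None or nb is None:
        return na is None and nb is None
    return (all(any(compatible(x, y) for y in nb) for x in na)
            and all(any(compatible(x, y) for x in na) for y in nb))

def parameter_conflicts(a, b, path=""):
    """Attributes that differ between matched assertions of two alternatives."""
    here = f"{path}/{local(a.tag)}"
    found = [(here, local(k), a.get(k), b.get(k))
             for k in sorted(set(a.attrib) | set(b.attrib)) if a.get(k) != b.get(k)]
    for x in nested(a) or []:
        for y in nested(b) or []:
            if x.tag == y.tag:
                found += parameter_conflicts(x, y, here)
    return found

def demo():
    a, b = binding("Never"), binding("Always")
    return compatible(a, b), parameter_conflicts(a, b)
```

`demo()` reports the alternatives as compatible and returns one IncludeToken conflict each for the initiator and recipient token, which is the contradiction the message describes.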


