ws-sx message
Subject: New Issue: Applicability of TokenInclusion Values for various security tokens


PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL THE ISSUE IS ASSIGNED A NUMBER.
The issues coordinators will notify the list when that has occurred.
Protocol: ws-sp

http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/23821/ws-securitypolicy-1.2-spec-cs.pdf

Artifact: spec

Type: editorial

Title: Applicability of TokenInclusion Values for various security tokens

Description:


The WS-SP spec attaches a @IncludeToken for the various security tokens that are defined. The Token Inclusion values are also enumerated in Section 5.1.1.
However, the spec does not clearly indicate the applicability of various Inclusion Values for each token.
What I mean is: not all TokenInclusion Values defined will be applicable/pertinent to each security token.

UseCase:

1.) For a UsernameToken, using TokenInclusion values of "Never" or "AlwaysToInitiator" may not be relevant. A policy cannot use something like "RequireKeyIdentifierReference" for referencing UsernameTokens, so probably a UsernameToken will always be included, and probably always sent from Initiator to Recipient.

2.) A SAMLToken may never need to use an Inclusion value of "AlwaysToInitiator".

3.) An X509Token can use any of these values depending on the scenario.


Related Issues: None.

Proposed Resolution:


I propose that the spec also throw some light on this aspect in the description for @IncludeToken for each such token, so that implementors/users get a clear idea of this.
The following quoted text could be added to the UNToken:

"This optional attribute identifies the token inclusion value for this token assertion. It is RECOMMENDED however that this security token uses the "Always", "AlwaysToRecipient" or "Once" inclusion values."

Similar text can be added for the remaining tokens wherever applicable.
The schema can still use the "IncludeTokenType", but the documentation IMO could be a little clearer.
Thanks
Aditya
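To show what the applicability the message asks for would look like in practice, here is an added example (not part of the original message, and not code from the OASIS ws-sx TC): a small policy lint that parses a WS-SecurityPolicy 1.2 fragment and flags `sp:IncludeToken` values that the message argues are not pertinent to the token carrying them. The five inclusion URIs and the `sp:` namespace are those of WS-SecurityPolicy 1.2 (namespace `.../200702`); the per-token applicability table encodes the proposer's suggestion (UsernameToken: Always, AlwaysToRecipient, Once; SamlToken: anything but AlwaysToInitiator; X509Token: all), which is an assumption, not normative spec text. The sample policy is constructed.

```python
"""Lint a WS-SecurityPolicy 1.2 fragment for IncludeToken values that are not
applicable to the token type carrying them (added example, constructed input)."""
import xml.etree.ElementTree as ET

SP_NS = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSP_NS = "http://www.w3.org/ns/ws-policy"
INCLUDE_BASE = SP_NS + "/IncludeToken/"

# Short names of the five token inclusion values enumerated in WS-SP 1.2 section 5.1.1.
INCLUSION_VALUES = {"Never", "Once", "AlwaysToRecipient", "AlwaysToInitiator", "Always"}

# Applicability per token, as proposed in the issue text (an assumption, not spec text).
# A UsernameToken is always carried initiator -> recipient, a SAML token never needs to
# be sent only to the initiator, and an X509Token can use any value depending on scenario.
APPLICABLE = {
    "UsernameToken": {"Always", "AlwaysToRecipient", "Once"},
    "SamlToken": INCLUSION_VALUES - {"AlwaysToInitiator"},
    "X509Token": set(INCLUSION_VALUES),
}


def short_value(uri):
    """Map a full IncludeToken URI to its short name, or None if it is not one of the five."""
    if uri.startswith(INCLUDE_BASE):
        name = uri[len(INCLUDE_BASE):]
        if name in INCLUSION_VALUES:
            return name
    return None


def lint_policy(policy_xml):
    """Return a list of (token local name, value, problem) for every questionable assertion.

    Token assertions without sp:IncludeToken are skipped: the attribute is optional.
    """
    findings = []
    root = ET.fromstring(policy_xml)
    for elem in root.iter():
        if not elem.tag.startswith("{" + SP_NS + "}"):
            continue
        local = elem.tag.split("}", 1)[1]
        if local not in APPLICABLE:
            continue
        uri = elem.get("{" + SP_NS + "}IncludeToken")  # the attribute is namespace-qualified
        if uri is None:
            continue
        name = short_value(uri)
        if name is None:
            findings.append((local, uri, "unknown inclusion value"))
        elif name not in APPLICABLE[local]:
            findings.append((local, name, "not applicable"))
    return findings


# Constructed sample: two assertions the proposal would flag, two it would accept.
SAMPLE_POLICY = f"""
<wsp:Policy xmlns:wsp="{WSP_NS}" xmlns:sp="{SP_NS}">
  <sp:SupportingTokens>
    <wsp:Policy>
      <sp:UsernameToken sp:IncludeToken="{INCLUDE_BASE}Never"/>
      <sp:UsernameToken sp:IncludeToken="{INCLUDE_BASE}AlwaysToRecipient"/>
      <sp:SamlToken sp:IncludeToken="{INCLUDE_BASE}AlwaysToInitiator"/>
      <sp:X509Token sp:IncludeToken="{INCLUDE_BASE}Never"/>
    </wsp:Policy>
  </sp:SupportingTokens>
</wsp:Policy>
"""

if __name__ == "__main__":
    for token, value, problem in lint_policy(SAMPLE_POLICY):
        print(f"{token}: IncludeToken={value} ({problem})")
```

Run as a script it reports the UsernameToken/Never and SamlToken/AlwaysToInitiator assertions and stays silent on the other two. The check deliberately treats an absent attribute as acceptable, since the message itself describes @IncludeToken as optional; whether to apply a default is a separate question the lint does not decide.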

