

Subject: RE: [ws-sx] Issue ER008: Applicability of TokenInclusion Valuesfor various security tokens


I disagree with the proposal because I don’t believe we should be profiling the use of WS-SecurityPolicy assertions for specific scenarios. I believe that this work belongs to a group that is specifically chartered to do such work for a specific usage domain of WS-SecurityPolicy. Since we are providing a generic framework for specifying the security requirements for SOAP message exchanges and we haven’t done any formal work in collecting all the possible scenarios where this framework can be used (I actually don’t think it is feasible to collect all such scenarios across all the domains), I don’t believe we should be recommending or constraining the inclusion mode values in a way that is proposed below.

 

On a technical level, I don’t agree with the use cases below because in some scenarios the SAML token is actually used to authenticate a recipient to an initiator, in which case setting the inclusion mode on the SamlToken assertion to AlwaysToInitiator is needed. In some scenarios you might want to use a username token to authenticate the recipient to the initiator, so again setting the inclusion mode to AlwaysToInitiator makes sense.

 

Regards,

--Jan

 

From: Greg Carpenter [mailto:gregcarp@microsoft.com]
Sent: Tuesday, June 19, 2007 10:40 AM
To: Aditya Athalye; ws-sx@lists.oasis-open.org
Cc: Marc Goodner
Subject: [ws-sx] Issue ER008: Applicability of TokenInclusion Values for various security tokens

 

Issue ER008.

 

From: Aditya Athalye [mailto:aditya.athalye@oracle.com]
Sent: Tuesday, June 19, 2007 4:32 AM
To: ws-sx@lists.oasis-open.org
Cc: Marc Goodner
Subject: [ws-sx] New Issue: Applicability of TokenInclusion Values for various security tokens

 

PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL THE ISSUE IS ASSIGNED A NUMBER.
The issues coordinators will notify the list when that has occurred.
Protocol: ws-sp

http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/23821/ws-securitypolicy-1.2-spec-cs.pdf

Artifact: spec

Type: editorial

Title: Applicability of TokenInclusion Values for various security tokens

Description:

The WS-SP spec attaches a @IncludeToken for the various security tokens that are defined. The Token Inclusion values are also enumerated in Section 5.1.1.
However, the spec does not clearly indicate the applicability of various Inclusion Values for each token.
What I mean is: Not all TokenInclusion Values defined will be applicable/pertinent to each security token.
 

UseCase:

1.) For a UsernameToken, using TokenInclusion values of "Never", or "AlwaysToInitiator" may not be relevant. A policy cannot use something like "RequireKeyIdentifierReference" for referencing UsernameTokens, so probably a UsernameToken will always be included, and probably always sent from Initiator to Recipient.

2.) A SAMLToken may never need to use an Inclusion value of "AlwaysToInitiator".

3.) An X509Token can use any of these values depending on the scenario.

 

Related Issues: None.

Proposed Resolution:

I propose that the spec also throw some light on this aspect in the description for @IncludeToken for each such token, so that implementors/users get a clear idea of this.
Following quoted text could be added to the UNToken:
 
This optional attribute identifies the token inclusion value for this token assertion. "It is RECOMMENDED however that this security token uses the "Always", "AlwaysToRecipient", "Once" inclusion values".
 
Similar text can be added for the remaining tokens wherever applicable.
The schema can still use the "IncludeTokenType", but the documentation IMO could be a little clearer.
 
Thanks
Aditya
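The following is an added example, not part of the mailing list thread or of the WS-SecurityPolicy specification. It shows what the proposed resolution amounts to if a policy reviewer turns it into a lint check: a constructed WS-SP 1.2 policy fragment is parsed, every token assertion carrying sp:IncludeToken is listed with its inclusion value (the five values from section 5.1.1), and a UsernameToken using a value outside the set recommended above ("Always", "AlwaysToRecipient", "Once") is flagged. Because the thread disputes whether the spec should constrain SamlToken at all, the check deliberately leaves SamlToken and X509Token unconstrained. The namespace URI and attribute form are those of WS-SecurityPolicy 1.2; the sample policy, the function names and the RECOMMENDED table are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# WS-SecurityPolicy 1.2 namespace; IncludeToken attribute values are URIs
# formed as <namespace>/IncludeToken/<value> (section 5.1.1 of the spec).
SP_NS = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
INCLUDE_BASE = SP_NS + "/IncludeToken/"
INCLUDE_ATTR = "{%s}IncludeToken" % SP_NS

# The five inclusion values enumerated in section 5.1.1.
INCLUSION_VALUES = frozenset(
    {"Never", "Once", "AlwaysToRecipient", "AlwaysToInitiator", "Always"})

# Token assertions named in the thread; extend with the other sp:*Token
# assertions as needed (assumption: only these three are scanned here).
TOKEN_ASSERTIONS = frozenset({"UsernameToken", "SamlToken", "X509Token"})

# Lint rule taken from the proposed resolution: a UsernameToken is expected to
# use Always, AlwaysToRecipient or Once. This is a reviewer's recommendation,
# not a spec constraint; the thread disputes constraining SamlToken, so only
# UsernameToken is listed here (assumption for this example).
RECOMMENDED = {"UsernameToken": frozenset({"Always", "AlwaysToRecipient", "Once"})}


def inclusion_mode(elem):
    """Short inclusion value ("Once", ...) of a token assertion, or None if absent."""
    uri = elem.get(INCLUDE_ATTR)
    if uri is None:
        return None
    if not uri.startswith(INCLUDE_BASE):
        raise ValueError("IncludeToken URI outside the WS-SP 1.2 namespace: %s" % uri)
    mode = uri[len(INCLUDE_BASE):]
    if mode not in INCLUSION_VALUES:
        raise ValueError("IncludeToken value not in section 5.1.1: %s" % mode)
    return mode


def scan_policy(xml_text):
    """List (assertion, mode) for every token assertion carrying sp:IncludeToken."""
    root = ET.fromstring(xml_text)
    found = []
    for elem in root.iter():
        if not elem.tag.startswith("{%s}" % SP_NS):
            continue  # wsp:Policy wrappers and other namespaces are skipped
        local = elem.tag.split("}", 1)[1]
        if local in TOKEN_ASSERTIONS:
            mode = inclusion_mode(elem)
            if mode is not None:
                found.append((local, mode))
    return found


def lint_policy(xml_text):
    """Return the (assertion, mode) pairs that fall outside RECOMMENDED."""
    return [(assertion, mode) for assertion, mode in scan_policy(xml_text)
            if assertion in RECOMMENDED and mode not in RECOMMENDED[assertion]]


# Constructed sample policy (not from the thread): two UsernameToken assertions
# and one SamlToken under sp:SupportingTokens.
SAMPLE_POLICY = """<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
            xmlns:sp="%(ns)s">
  <sp:SupportingTokens>
    <wsp:Policy>
      <sp:UsernameToken sp:IncludeToken="%(inc)sAlwaysToRecipient">
        <wsp:Policy><sp:WssUsernameToken10/></wsp:Policy>
      </sp:UsernameToken>
      <sp:UsernameToken sp:IncludeToken="%(inc)sNever"/>
      <sp:SamlToken sp:IncludeToken="%(inc)sAlwaysToInitiator"/>
    </wsp:Policy>
  </sp:SupportingTokens>
</wsp:Policy>""" % {"ns": SP_NS, "inc": INCLUDE_BASE}

if __name__ == "__main__":
    for assertion, mode in scan_policy(SAMPLE_POLICY):
        print("%-14s IncludeToken=%s" % (assertion, mode))
    for assertion, mode in lint_policy(SAMPLE_POLICY):
        print("warning: %s uses %s, outside the recommended set" % (assertion, mode))
```

On the sample, the second UsernameToken (IncludeToken Never) is the only finding; the SamlToken with AlwaysToInitiator passes, which is the outcome Jan's objection argues for. A value that is not one of the five section 5.1.1 URIs is treated as a hard error rather than a warning, since it is malformed policy rather than a questionable choice.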

