Subject: Re: [ws-sx] Issue ER008: Applicability of TokenInclusion Values for various security tokens
Agreed on the point that WS-SecurityPolicy should be generic, and should not profile specific scenarios.
However, WS-SP does use a specific transport protocol (HTTP over SSL) for almost all the cases/examples where Transport Binding is used. It defines a specific protocol-based token for this as well (HTTPSToken). Though we all know SOAP is a transport-independent mechanism for message exchange, the simple reason that WS-SP needed to have a specific transport protocol assertion illustrates a propensity for commonly used scenarios (in this case HTTP over SSL, which is a very widely used transport protocol, whereas it could have kept just an SSLToken or a TLSToken).
If dug deeper, we might find more instances where WS-SP has indirectly made some scenario-specific recommendations.
I also agree with the fact that, theoretically, every token can use any of the Inclusion Values. But the point to consider here, for the examples stated below, is:
Will, under the most commonly used scenarios, a recipient (let's say a service provider) send Username/passwords to a requestor (some client)? Will it not be a preferable idea for service providers to authenticate themselves using X509 certificates instead?
For this reason, I had proposed that it would be helpful to include this as a RECOMMENDATION from the WS-SP, and definitely not as a constraint. :-)
Jan Alexander wrote: