ws-sx message



Subject: Question regarding post-dating of tokens with WS-Trust


I received some additional questions from some RSA colleagues about the
expected way of requesting and issuing post-dated tokens with WS-Trust.

First:
From section 5 it looks as if the <wst:Renewing> element also
goes in the issue RST to request that the issued token be renewable.
The thing that is not clear is whether the wst:AllowPostdating element
also goes in the issue RST to request that the issued token not only be
renewable but renewable for a time in the future.  If this is the case
then the sequence would probably be something like this:

1. Client sends an initial RST using the Issuance Binding to the
STS that includes the wst:AllowPostdating and wst:Renewing elements.
The wst:Timestamp in the RST indicates that this initial token should
immediately be valid (i.e. not postdated).
2. The STS returns a currently-valid token with the
wst:AllowPostdating and wst:Renewing elements in the RSTR.
3. The Client now needs a postdated token, for example, to submit a
batch processing job under its identity. The batch job will run at some
future time (e.g. overnight).
4. Client sends its currently valid token to the STS in an RST
using the Renewal Binding. The RST includes the previously issued token
in the wst:RenewTarget element and a wst:Lifetime with a wsu:Created in
the future.
5. The STS returns a token in an RSTR that has a wst:Lifetime
element that has a wsu:Created element set to a time in the future.

Is this the correct understanding of how it should work?

Next:
The other issue, implied by the description of the
wsu:Created element, is that in the initial issue request, the Requester
can request a postdated token simply by setting wst:Lifetime/wsu:Created
to a time in the future and that this is independent of
wst:AllowPostdating.

Can someone clarify how these 2 items relate and should be used?

Thanks!

Rob Philpott
RSA, the Security Division of EMC
Senior Technologist | e-Mail: robert.philpott@rsa.com
<rphilpott@rsa.com>  | Office: (781) 515-7115 | Mobile: (617) 510-0893
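The five-step exchange in the question, modelled in Python as an added example (this is not code from the original post, nor from any OASIS implementation). It builds the Issuance and Renewal RSTs with the WS-Trust 1.3 element names the post uses (wst:RequestType, wst:Lifetime/wsu:Created, wst:Renewing, wst:AllowPostdating, wst:RenewTarget) and a minimal STS that records what each issued token was granted. The token format (a bare `tok:Token` element), the in-memory store, the `sts_issue`/`sts_renew` functions and the fixed clock are constructed assumptions; so is the renewal rule, which follows the reading in steps 1 to 5: a renewal whose wsu:Created lies in the future is honoured only if the target token was issued with wst:AllowPostdating. The second question (whether an issue-time postdated wsu:Created is independent of AllowPostdating) is deliberately left unanswered: `sts_issue` simply grants what is asked.

```python
"""Constructed model of the WS-Trust issue -> renew-with-future-Created flow.

Assumptions (not part of WS-Trust): the tok:Token format, the _issued store,
the sts_issue/sts_renew policy and the fixed NOW clock.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
TOK = "urn:example:token"            # hypothetical token namespace (constructed)
ISSUE = WST + "/Issue"
RENEW = WST + "/Renew"
for prefix, ns in (("wst", WST), ("wsu", WSU), ("tok", TOK)):
    ET.register_namespace(prefix, ns)

NOW = datetime(2007, 1, 10, 9, 0, tzinfo=timezone.utc)   # constructed clock


def q(ns, local):
    return "{%s}%s" % (ns, local)


def fmt(ts):
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_rst(request_type, created, expires, renewable=True,
              allow_postdating=False, renew_target=None):
    """Client side: an RST for the Issuance or the Renewal binding."""
    rst = ET.Element(q(WST, "RequestSecurityToken"))
    ET.SubElement(rst, q(WST, "RequestType")).text = request_type
    if renew_target is not None:                      # step 4: token being renewed
        ET.SubElement(rst, q(WST, "RenewTarget")).append(renew_target)
    lt = ET.SubElement(rst, q(WST, "Lifetime"))
    ET.SubElement(lt, q(WSU, "Created")).text = fmt(created)
    ET.SubElement(lt, q(WSU, "Expires")).text = fmt(expires)
    if renewable:                                     # ask for a renewable token
        ET.SubElement(rst, q(WST, "Renewing"), Allow="true", OK="false")
    if allow_postdating:                              # ask for postdating rights
        ET.SubElement(rst, q(WST, "AllowPostdating"))
    return rst


_issued = {}   # STS-side record per token id of what was granted (constructed)


def _lifetime(rst):
    lt = rst.find(q(WST, "Lifetime"))
    return (parse_ts(lt.findtext(q(WSU, "Created"))),
            parse_ts(lt.findtext(q(WSU, "Expires"))))


def _rstr(token_id, created, expires, renewable, allow_postdating):
    """Build the RSTR and remember the granted properties for later renewal."""
    rstr = ET.Element(q(WST, "RequestSecurityTokenResponse"))
    requested = ET.SubElement(rstr, q(WST, "RequestedSecurityToken"))
    ET.SubElement(requested, q(TOK, "Token")).set(q(WSU, "Id"), token_id)
    lt = ET.SubElement(rstr, q(WST, "Lifetime"))
    ET.SubElement(lt, q(WSU, "Created")).text = fmt(created)
    ET.SubElement(lt, q(WSU, "Expires")).text = fmt(expires)
    if renewable:
        ET.SubElement(rstr, q(WST, "Renewing"), Allow="true", OK="false")
    if allow_postdating:
        ET.SubElement(rstr, q(WST, "AllowPostdating"))
    _issued[token_id] = {"expires": expires, "renewable": renewable,
                         "allow_postdating": allow_postdating}
    return rstr


def sts_issue(rst, now, token_id):
    """Issuance Binding: grant what the RST asks for (policy checks elided)."""
    created, expires = _lifetime(rst)
    if expires <= created:
        raise ValueError("Expires must follow Created")
    renewable = rst.find(q(WST, "Renewing")) is not None
    allow_pd = rst.find(q(WST, "AllowPostdating")) is not None
    return _rstr(token_id, created, expires, renewable, allow_pd)


def sts_renew(rst, now, new_token_id):
    """Renewal Binding under the reading in the question: a future wsu:Created
    is honoured only if the target token was issued with AllowPostdating."""
    target = rst.find(q(WST, "RenewTarget") + "/" + q(TOK, "Token"))
    if target is None:
        raise ValueError("RenewTarget missing")
    rec = _issued.get(target.get(q(WSU, "Id")))
    if rec is None:
        raise ValueError("unknown token")            # not issued by this STS
    if not rec["renewable"]:
        raise ValueError("token was not issued as renewable")
    if rec["expires"] <= now:
        raise ValueError("token already expired")    # Renewing/@OK not modelled
    created, expires = _lifetime(rst)
    if created > now and not rec["allow_postdating"]:
        raise ValueError("postdating not permitted for this token")
    if expires <= created:
        raise ValueError("Expires must follow Created")
    return _rstr(new_token_id, created, expires, rec["renewable"],
                 rec["allow_postdating"])


def run_scenario(allow_postdating):
    """Steps 1-5: issue a currently-valid renewable token, then renew it for a
    lifetime starting tonight.  Returns the postdated token's wsu:Created, or
    the STS's reason for refusing."""
    _issued.clear()
    rst1 = build_rst(ISSUE, NOW, NOW + timedelta(hours=8), renewable=True,
                     allow_postdating=allow_postdating)
    rstr1 = sts_issue(rst1, NOW, "tok-1")
    tok = rstr1.find(q(WST, "RequestedSecurityToken") + "/" + q(TOK, "Token"))
    start = NOW + timedelta(hours=13)                 # batch window opens 22:00
    rst2 = build_rst(RENEW, start, start + timedelta(hours=6), renew_target=tok)
    try:
        rstr2 = sts_renew(rst2, NOW, "tok-2")
    except ValueError as exc:
        return "refused: " + str(exc)
    return rstr2.find(q(WST, "Lifetime") + "/" + q(WSU, "Created")).text


if __name__ == "__main__":
    print(run_scenario(True))    # postdated Created granted
    print(run_scenario(False))   # refused: postdating not permitted
```

`run_scenario(True)` walks the exact sequence in the question and yields a token whose wsu:Created is in the future; `run_scenario(False)` shows the same Renewal-Binding request being refused because the original token carried no wst:AllowPostdating. The checks in `sts_renew` (token known, issued renewable, not yet expired, postdating rights present before a future Created is honoured) are the ones an STS needs under that reading; real messages would additionally be signed and the RenewTarget verified, which this model omits.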

