After talkign with my security guys some more we may need to dig deeper
to see if we really have interoperability at this level. Can folks
investigate/answer:
a) does the producer require/expect establishing consumer trust via
WS-Security techniques as a prerequisite for using the UserName without
password identity? If
so what techniques does it support [signing the username token and
using the signature as the trust model]? Please expand on the details
-- for example which digital signature technologies does it support?
b) How does the receiver implement Username without password? I.e.
is it merely the absence of the password field that indicates no
password or is the password field sent with a value that signifies its
empty [if so what is the value]?
Something else?
-Mike-
Rich Thompson wrote:
I agreed to provide a summarizing
email
proposing how we move forward after the initial discussion on this
issue
on the Interfaces SC call.
The base level goal is to define an
interoperable means for propagating the user's identity to the
Producer.
Other possible goals (e.g. Consumer identity, metadata about
supported/required
protocols/tokens/algorithms, etc) haven't achieved either as broad a
consensus
on their need or feasibility to address on this first pass. I would
encourage
those with a definitive proposal regarding such goals to start an email
thread around their goal and proposal once the discussion around this
base
one draws toward a conclusion.
The clear thing from the answers we
received is that the UserName token is broadly supported. At the
minimum,
we can encourage it to be the default means for transferring the user's
identity. Therefore, I propose adding the following to the first
paragraph
of 11.2:
As the UserName token, defined by
WS-Security,
appears to have the broadest implementation support, it is RECOMMENDED
that Consumers use the UserName token to transfer the user's identity
to
the Producer unless either policy prevents the Consumer from making
such
a transfer or a different means has been mutually configured for
transferring
the user's identity to the Producer.
Comments?
Rich
Rich
Thompson/Watson/IBM@IBMUS
02/22/06 11:54 AM
|
|
Here is the promised spreadsheet summarizing the answers received. At a
high level, there appear to be two ways to transfer multiple IDs which
multiple companies support:
1. User ID via WSS token; Consumer ID via SSL/TLS
2. User ID via WSS token; Consumer ID via digital signature
Also, # companies supporting a particular WSS token (out of 6 answers
received):
6 - UserName
4 - SAML (did everyone mean the explicit "sendvouches" Mike referred
to?)
3 - Digital Signature
2 - UserName/PW
1 - Liberty
Hopefully this provides a little fodder for thought ahead of the
Interfaces
SC call to discuss next steps.
Rich
Rich
Thompson/Watson/IBM@IBMUS
02/22/06 11:40 AM
|
|
The document named SecurityQuestions.xls has been submitted by Rich
Thompson to the WSRP Interfaces SC document repository.
Document Description:
Summaries extracted from answers to security questions.
View Document Details:
http://www.oasis-open.org/apps/org/workgroup/wsrp-interfaces/document.php?document_id=16838
Download Document:
http://www.oasis-open.org/apps/org/workgroup/wsrp-interfaces/download.php/16838/SecurityQuestions.xls
PLEASE NOTE: If the above links do not work for you, your email
application
may be breaking the link into two pieces. You may be able to copy
and paste
the entire link address into the address field of your web browser.
-OASIS Open Administration
|