OASIS Mailing List Archives

wsrp-interfaces message



Subject: Re: [wsrp-interfaces] Groups - SecurityQuestions.xls uploaded


I have a comment on the suggested statement.

 > As the UserName token, defined by WS-Security, appears to have the
 > broadest implementation support, it is RECOMMENDED that Consumers use
 > the UserName token to transfer the user's identity to the Producer
 > unless either policy prevents the Consumer from making such a transfer
 > or a different means has been mutually configured for transferring the
 > user's identity to the Producer.

It may be true today that the UNT is the common denominator, but it may 
change over time. Secondly, what works best between given producer and 
consumer implementations may have to be determined case by case.

Given this, we should leave the spec as it is, and make such 
recommendations in the planned tech note.

Subbu

Rich Thompson wrote:
> 
> I agreed to provide a summarizing email proposing how we move forward 
> after the initial discussion on this issue on the Interfaces SC call.
> 
> The base level goal is to define an interoperable means for propagating 
> the user's identity to the Producer. Other possible goals (e.g. Consumer 
> identity, metadata about supported/required protocols/tokens/algorithms, 
> etc) haven't achieved either as broad a consensus on their need or 
> feasibility to address on this first pass. I would encourage those with 
> a definitive proposal regarding such goals to start an email thread 
> around their goal and proposal once the discussion around this base one 
> draws toward a conclusion.
> 
> The clear thing from the answers we received is that the UserName token 
> is broadly supported. At the minimum, we can encourage it to be the 
> default means for transferring the user's identity. Therefore, I propose 
> adding the following to the first paragraph of 11.2:
> 
> As the UserName token, defined by WS-Security, appears to have the 
> broadest implementation support, it is RECOMMENDED that Consumers use 
> the UserName token to transfer the user's identity to the Producer 
> unless either policy prevents the Consumer from making such a transfer 
> or a different means has been mutually configured for transferring the 
> user's identity to the Producer.
> 
> Comments?
> 
> Rich
> 
> 
> *Rich Thompson/Watson/IBM@IBMUS*
> 02/22/06 11:54 AM
> To: wsrp-interfaces@lists.oasis-open.org
> cc:
> Subject: Re: [wsrp-interfaces] Groups - SecurityQuestions.xls uploaded
> 
> Here is the promised spreadsheet summarizing the answers received. At a 
> high level, there appear to be two ways to transfer multiple IDs which 
> multiple companies support:
> 1. User ID via WSS token; Consumer ID via SSL/TLS
> 2. User ID via WSS token; Consumer ID via digital signature
> 
> Also, # companies supporting a particular WSS token (out of 6 answers 
> received):
> 6 - UserName
> 4 - SAML (did everyone mean the explicit "sendvouches" Mike referred to?)
> 3 - Digital Signature
> 2 - UserName/PW
> 1 - Liberty
> 
> Hopefully this provides a little fodder for thought ahead of the 
> Interfaces SC call to discuss next steps.
> 
> Rich
> 
> *Rich Thompson/Watson/IBM@IBMUS*
> 02/22/06 11:40 AM
> To: wsrp-interfaces@lists.oasis-open.org
> cc:
> Subject: [wsrp-interfaces] Groups - SecurityQuestions.xls uploaded
> 
> The document named SecurityQuestions.xls has been submitted by Rich
> Thompson to the WSRP Interfaces SC document repository.
> 
> Document Description:
> Summaries extracted from answers to security questions.
> 
> View Document Details:
> http://www.oasis-open.org/apps/org/workgroup/wsrp-interfaces/document.php?document_id=16838
> 
> Download Document:  
> http://www.oasis-open.org/apps/org/workgroup/wsrp-interfaces/download.php/16838/SecurityQuestions.xls
> 
> 
> PLEASE NOTE:  If the above links do not work for you, your email application
> may be breaking the link into two pieces.  You may be able to copy and paste
> the entire link address into the address field of your web browser.
> 
> -OASIS Open Administration
> 


