Subject: RE: [wss] Comments on WSS-Core-01

[Prateek Mishra] 
 
Hal,
 
thanks for your clarification, which appears quite reasonable to me. However, notice that the
original text refers only to <wsse:SecurityTokenReference> elements combined with signatures.
Your clarification explains the more general case of combining tokens of one sort or the other with
signatures in the <wss:Security> header. We should either generalize lines 733-735 or explain why combining <wsse:SecurityTokenReference>
with signatures has some additional special meaning.
 
 
 > (4) lines 733 - 735: I could not follow the point made here at all.

To make this easier to follow, the lines in question are:

----
733 When an XML Signature is used in conjunction with the <wsse:SecurityTokenReference>
734 element, the security token of a message signer may be correlated and a mapping made
735 between the claims of the security token and the message as evaluated by the application.
----

I believe the intention is that if the application receiving the message trusts the token, it is allowed to associate the claims in the token with the party that originated the signed message. However, the specific semantics applied depend implicitly on both the nature of the claims and the specific application (and hence the contents of the message). They are not explicitly indicated by the contents of the security header.

Common cases would be:

1. The message is some type of request and the claims describe the party making the request.

2. The information in the message is asserted to be correct by the party described by the claims.

3. The party described by the claims agrees to the contractual terms represented in the message.

4. The claims describe the policy for any use or distribution of the information in the message.

However, these are surely not exhaustive.

Hal
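The structural step behind lines 733-735 (a signature whose KeyInfo carries a SecurityTokenReference, resolved to a token in the same Security header, whose claims are then associated with the signer) as an added example; this is not code from the thread, the WSS-Core draft, or any OASIS implementation. It assumes the namespace URIs of the final OASIS WSS 1.0 specification (the draft under discussion may have used earlier ones), uses a constructed sample envelope, and deliberately performs none of the XML-DSig cryptographic verification: it only shows how a receiver correlates the signature with the token and extracts the claims that the application then interprets, and it refuses references that do not resolve inside the header.

```python
import xml.etree.ElementTree as ET

# Assumed namespace URIs (final OASIS WSS 1.0); the WSS-Core-01 draft
# discussed in the thread may have used different, earlier URIs.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

# Constructed sample message (not taken from the thread or the spec).
SAMPLE_ENVELOPE = """\
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <soap:Header>
    <wsse:Security>
      <wsse:UsernameToken wsu:Id="tok-1">
        <wsse:Username>alice</wsse:Username>
      </wsse:UsernameToken>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#body"/>
        </ds:SignedInfo>
        <ds:SignatureValue>c2lnbmF0dXJlLXBsYWNlaG9sZGVy</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#tok-1"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="body">
    <PurchaseOrder>widget x 10</PurchaseOrder>
  </soap:Body>
</soap:Envelope>
"""


def local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on element tags."""
    return tag.rsplit("}", 1)[-1]


def token_claims(token):
    """Flatten a token's child elements into a claims dict (local name -> text).
    For a UsernameToken this yields {'Username': 'alice'}; what the application
    does with those claims is exactly the part the spec leaves implicit."""
    return {local_name(child.tag): (child.text or "").strip() for child in token}


def correlate_signatures(envelope_xml):
    """For each ds:Signature in the wsse:Security header, resolve the
    SecurityTokenReference in its KeyInfo to a token carried in the same
    header and report the token id, type, claims and the signed part URIs.
    Raises ValueError for a non-local reference or one that does not resolve.
    NOTE: no canonicalization, digest or signature-value check is done here."""
    root = ET.fromstring(envelope_xml)
    security = root.find("soap:Header/wsse:Security", NS)
    if security is None:
        raise ValueError("no wsse:Security header")

    # Index every wsu:Id inside the Security header. Resolving only within the
    # header is this example's conservative choice: a signature is never
    # correlated with a token that sits elsewhere in the message.
    by_id = {el.get(WSU_ID): el for el in security.iter() if el.get(WSU_ID)}

    results = []
    for sig in security.findall("ds:Signature", NS):
        ref = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
        if ref is None:
            raise ValueError("signature carries no SecurityTokenReference/Reference")
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            raise ValueError("non-local token reference not supported: %r" % uri)
        token = by_id.get(uri[1:])
        if token is None:
            raise ValueError("SecurityTokenReference %r does not resolve in the header" % uri)
        signed = [r.get("URI") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)]
        results.append({
            "token_id": uri[1:],
            "token_type": local_name(token.tag),
            "claims": token_claims(token),
            "signed_parts": signed,
        })
    return results


if __name__ == "__main__":
    for entry in correlate_signatures(SAMPLE_ENVELOPE):
        print(entry)
```

Run as a script it prints one entry: the signature over `#body` is correlated with `UsernameToken` `tok-1` and the claim `Username=alice`. Whether that means "alice made this request" or "alice vouches for this purchase order" is, as Hal's reply says, decided by the application and the nature of the claims, not by anything in the header; the example only delivers the correlated (token, claims, signed parts) tuple to that decision.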