wss message
Subject: [wss] ISSUE: What is a "Security Token"
- From: Jerry Schwarz <jerry.schwarz@oracle.com>
- To: wss@lists.oasis-open.org
- Date: Mon, 24 Feb 2003 23:50:58 -0800
This is a resend of my previous note with a changed subject to reflect
the new protocol for raising issues. The content is unchanged.
-------------
This note discusses the use of the phrase "Security Token"
within the core document. I have found it confusing and propose
eliminating it.
The current draft (and I believe all earlier ones) defines "Security
Token" as [209]
"A security token represents a collection of one or
more claims".
And defines a claim as [188]
"A claim is a declaration made by an
entity"
This language is confusing within the context of signatures.
Section 8 [741] says "An XML Digital Signature can be used to bind a
claim ...." which suggests, although it doesn't come out and say it,
that the signature is not itself a claim.
Consider this in the context of example 2.4 [274] which contains a
<wsse:UserName> element and a signature. The <UserName>
element does not contain a digest. The commentary says [274]
"the username token containing a claimed security
identity". But an identity is not a declaration. The
claim in the example is carried by the signature. It is something
like
- The entity identified in the <UserName> element has made a
request for the stock information contained in the SOAP body.
I believe that the important concept is direct subelement of a
<Security> element and that the semantics of that element should
not be assumed to be a security token. I propose to call this a
"security information element", or S-element for short, and to
replace "security token" with the phrase throughout the
document.
If this is agreed to I'll propose detailed edits.