OASIS Mailing List Archives: wss message

Subject: [wss] ISSUE: What is a "Security Token"

This is a resend of my previous note with a changed subject to reflect the new protocol for raising issues. The content is unchanged.

This note discusses the use of the phrase "Security Token" within the core document. I have found it confusing and propose eliminating it.

The current draft (and I believe all earlier ones) defines "Security Token" as [209]

   "A security token represents a collection of one or more claims".

And defines a claim as [188]

   "A claim is a declaration made by an entity"

This language is confusing within the context of signatures.  Section 8 [741] says "An XML Digital Signature can be used to bind a claim ...." which suggests, although it doesn't come out and say it, that the signature is not itself a claim.

Consider this in the context of example 2.4 [274], which contains a <wsse:UserName> element and a signature.  The <UserName> element does not contain a digest.  The commentary says [274] "the username token containing a claimed security identity".  But an identity is not a declaration.  The claim in the example is carried by the signature.  It is something like:

   "The entity identified in the <UserName> element has made a request for the stock information contained in the SOAP body."

I believe that the important concept is the direct subelement of a <Security> element, and that the semantics of that element should not be assumed to be those of a security token.  I propose to call this a "security information element", or S-element for short, and to replace "security token" with that phrase throughout the document.

If this is agreed to I'll propose detailed edits.
