
Subject: [wss] SAML Token Profile comments

I have some comments on the Web Services Security: SAML Token Profile draft 6, 21 Feb 03.

(1) Section 2.3, [97]-[98]

Perhaps this section can be populated as follows (using W3C terminology, http://www.w3.org/TR/2002/WD-ws-gloss-20021114/):

* Invocation identity - subject of SAML assertion, party that requests service when message is processed.

* Sender - SOAP sender, either a SOAP intermediary or an initial SOAP sender. A sender is a proxy when its identity differs from the invocation identity.

* Relying Party - recipient of message that relies on message and message assertions to provide invoked service

* Service - invocation responder, providing service - (relying party acting as service provider)

* SAML Authority - Party that has signed SAML assertion, usually a trusted third party.

I propose that "Author" is confusing and "initial SOAP sender" should be used instead.

(2) clarify Security Token section 3.3

Some minor changes suggested to make this section clearer:

Replace "The three forms of token references..." with

"Only the Key Identifier token reference may be used with the SAML Token Profile:"

[170] Move Binding description before Location description [164]

[175] Add the following line after [175], before [176]:
"The following token references defined in the WSS: SOAP Message Security specification cannot be used with SAML tokens:"

[208] replace "preferred" with "only"

[213]-[214] replace "Methods to reference..." with
"The STR-Transform may be used to reference a SAML token from a ds:Reference, as defined in the WSS: SOAP Message Security specification."

(3) Example bug fix
A > is needed for the wsse:KeyIdentifier element at [266], [279]

(4) Delegated invocation

[303] remove the sentence:
"Note that the high-level ... between message author and message sender ... attacks"
The discussion does distinguish between sender and invoker, and isn't that all that matters here?

[311] Add the following: (intent is to explain model in 3.4.1)
The Holder-Of-Key method assumes the invoker of a service to be the initial SOAP sender or a SOAP intermediary, 
and requires the sender to prove knowledge of a key.

"element in the same <wsse:Security> element as contains the token."

[332] where are the canonicalization and "token inclusion rules" defined in WSS:SOAP Message Security?

[421] replace joe@yahoo.com with joe@an.example.com

[462] Add
The sender-vouches confirmation method allows an invoker to delegate to a sender the ability to vouch for their

[579] replace portal@yahoo.com with portal@place.example.com

[18], [57], [60], [292], [462] [595], [596], [602], [604], [612], [614], [618], [645], [648], [651]
replace WS-Security with WSS: SOAP Message Security

[613] Does inappropriate delegation open a new threat? Presumably addressed by the SAML authority signing assertions,
as noted later in 3.6.2.

regards, Frederick
Frederick Hirsch
Nokia Mobile Phones
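Added example (not part of the message above and not from the OASIS draft): a small Python checker for the structural rules the comments in (2), (3) and (4) touch on. It builds a constructed wsse:Security header carrying a holder-of-key SAML assertion and a wsse:SecurityTokenReference that names it through wsse:KeyIdentifier, then verifies that the reference uses KeyIdentifier rather than wsse:Reference or wsse:Embedded, and that the identifier resolves to an assertion carried in the same wsse:Security element. It also shows how the missing '>' from (3) surfaces as a parse error. The wsse namespace URI, the ValueType label "wsse:SAMLAssertionID", the AssertionID value and the whole sample header are assumptions made for illustration; only the SAML 1.0 namespace and confirmation-method URIs are the real ones.

```python
import xml.etree.ElementTree as ET

# Namespace URIs. The wsse URI is the one early-2003 WSS drafts used; this is an
# assumption for illustration (later drafts and the OASIS 1.0 standard changed it).
# The SAML 1.0 assertion namespace is the real one.
WSSE = "http://schemas.xmlsoap.org/ws/2002/12/secext"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"wsse": WSSE, "saml": SAML}

# Constructed sample header (not taken from the draft): a holder-of-key SAML
# assertion plus a SecurityTokenReference that points at it by AssertionID.
# The AssertionID and the ValueType label are made up for the example.
ASSERTION_ID = "_a75adf55-01d7-40cc-929f-dbd8372ebdfc"

GOOD_HEADER = f"""<wsse:Security xmlns:wsse="{WSSE}" xmlns:saml="{SAML}">
  <saml:Assertion MajorVersion="1" MinorVersion="0" AssertionID="{ASSERTION_ID}"
      Issuer="www.example.com" IssueInstant="2003-03-01T12:00:00Z">
    <saml:AuthenticationStatement
        AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
        AuthenticationInstant="2003-03-01T12:00:00Z">
      <saml:Subject>
        <saml:NameIdentifier>joe@an.example.com</saml:NameIdentifier>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
        </saml:SubjectConfirmation>
      </saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
  <wsse:SecurityTokenReference>
    <wsse:KeyIdentifier ValueType="wsse:SAMLAssertionID">{ASSERTION_ID}</wsse:KeyIdentifier>
  </wsse:SecurityTokenReference>
</wsse:Security>"""

# The bug reported in (3): the '>' closing the KeyIdentifier start tag is missing.
MISSING_GT_HEADER = GOOD_HEADER.replace(
    'ValueType="wsse:SAMLAssertionID">', 'ValueType="wsse:SAMLAssertionID"')

# A direct wsse:Reference to the assertion, which the proposed text in (2) disallows.
DIRECT_REFERENCE_HEADER = GOOD_HEADER.replace(
    f'<wsse:KeyIdentifier ValueType="wsse:SAMLAssertionID">{ASSERTION_ID}</wsse:KeyIdentifier>',
    f'<wsse:Reference URI="#{ASSERTION_ID}"/>')

# A KeyIdentifier naming an assertion that is not carried in this wsse:Security element.
DANGLING_HEADER = GOOD_HEADER.replace(f">{ASSERTION_ID}<", ">_not-in-this-header<")


def is_well_formed(xml_text):
    """True if the text parses as XML; the missing '>' from (3) makes this False."""
    try:
        ET.fromstring(xml_text)
    except ET.ParseError:
        return False
    return True


def local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def check_saml_token_reference(security_xml):
    """Apply the profile rules discussed above to one wsse:Security element.

    Returns a list of problems; an empty list means the header passes. Rules:
      - a SAML token may only be referenced with wsse:KeyIdentifier, so
        wsse:Reference and wsse:Embedded inside a SecurityTokenReference are errors;
      - the KeyIdentifier value must match the AssertionID of a saml:Assertion
        carried in the same wsse:Security element (the holder-of-key wording).
    Raises ET.ParseError for malformed input such as the missing '>' in (3).
    """
    sec = ET.fromstring(security_xml)
    if sec.tag != f"{{{WSSE}}}Security":
        return ["root element is not wsse:Security"]
    assertion_ids = {a.get("AssertionID") for a in sec.findall("saml:Assertion", NS)}
    problems = []
    for str_el in sec.iter(f"{{{WSSE}}}SecurityTokenReference"):
        for child in str_el:
            name = local_name(child.tag)
            if name in ("Reference", "Embedded"):
                problems.append(f"wsse:{name} may not be used to reference a SAML token")
            elif name == "KeyIdentifier":
                ref = (child.text or "").strip()
                if ref not in assertion_ids:
                    problems.append(
                        f"KeyIdentifier {ref!r} matches no assertion in this wsse:Security element")
            else:
                problems.append(f"unexpected child wsse:SecurityTokenReference/{name}")
    return problems


if __name__ == "__main__":
    for label, header in [("good", GOOD_HEADER),
                          ("direct reference", DIRECT_REFERENCE_HEADER),
                          ("dangling id", DANGLING_HEADER)]:
        print(label + ":", check_saml_token_reference(header) or "OK")
    print("missing '>' well-formed?", is_well_formed(MISSING_GT_HEADER))
```

The checker only covers the structural side of the rules; it does not verify the SAML authority's signature over the assertion or the holder-of-key proof of possession, which a relying party would still have to do before trusting the token.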
