Subject: [wss] SAML Token Profile comments
I have some comments on the Web Services Security: SAML Token Profile draft 6, 21 Feb 03

---

(1) Section 2.3, [97]-[98]

Perhaps this section can be populated as follows (including using W3C terminology, http://www.w3.org/TR/2002/WD-ws-gloss-20021114/ ):

* Invocation identity - subject of SAML assertion, party that requests service when message is processed.
* Sender - SOAP sender, either a SOAP intermediary or an initial SOAP sender. A sender is a proxy when its identity differs from the invocation identity.
* Relying Party - recipient of message that relies on message and message assertions to provide invoked service.
* Service - invocation responder, providing service (relying party acting as service provider).
* SAML Authority - party that has signed SAML assertion, usually a trusted third party.

I propose that Author is confusing and "initial SOAP sender" should be used instead.

---

(2) Clarify Security Token section 3.3

Some minor changes suggested to make this section clearer:

[151]-[152] Replace "The three forms of token references..." with "Only the Key Identifier token reference may be used with the SAML Token Profile:"

[170] Move Binding description before Location description [164]

[175] Add the following line after [175], before [176]: "The following token references defined in the WSS: SOAP Message Security specification cannot be used with SAML tokens:"

[208] Replace "preferred" with "only"

[213]-[214] Replace "Methods to reference..." with "The STR-Transform may be used to reference a SAML token from a ds:Reference, as defined in the WSS: SOAP Message Security specification."

---

(3) Example bug fix

A > is needed for the wsse:KeyIdentifier element at [266], [279]

---

(4) Delegated invocation

[303] Remove the sentence: "Note that the high-level...between message author and message sender..attacks" The discussion does distinguish between sender and invoker and isn't that all that matters here?

[311] Add the following (intent is to explain model in 3.4.1): The Holder-Of-Key method assumes the invoker of a service to be the initial SOAP sender or a SOAP intermediary, and requires the sender to prove knowledge of a key.

[329] Editorial: "element in the same <wsse:Security> element as contains the token."

[332] Where are the canonicalization and "token inclusion rules" defined in WSS: SOAP Message Security?

[421] Replace joe@yahoo.com with joe@an.example.com

[462] Add: The sender-vouches confirmation method allows an invoker to delegate to a sender the ability to vouch for their identity.

[579] Replace portal@yahoo.com with portal@place.example.com

---

(5) [18], [57], [60], [292], [462], [595], [596], [602], [604], [612], [614], [618], [645], [648], [651] Replace WS-Security with WSS: SOAP Message Security

[613] Does inappropriate delegation open a new threat? Presumably addressed by SAML authority signing assertions as noted later in 3.6.2

regards, Frederick

Frederick Hirsch
Nokia Mobile Phones
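The two points the message above keeps returning to (a SAML token may only be referenced from a wsse:SecurityTokenReference via wsse:KeyIdentifier, and the confirmation method decides what the relying party must check about the sender) can be made concrete with a small resolver. The following is an added example and is not code from the post, from the OASIS draft, or from any WSS implementation. The SOAP and wsse namespace URIs, the rule that a KeyIdentifier value is matched against the AssertionID of an assertion carried in the same wsse:Security header, and the sample messages (unsigned, constructed inline) are all assumptions for illustration; the confirmation-method URNs are the SAML 1.0 values.

```python
"""Resolve a wsse:KeyIdentifier reference to a SAML 1.x assertion carried in a
wsse:Security header and report the sender obligation its confirmation method imposes.

Added example; not code from the mailing-list post or the OASIS draft. The SOAP and
wsse namespace URIs are assumptions (the draft's own values may differ); the
confirmation-method URNs are the SAML 1.0 constants.
"""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",     # assumed
    "wsse": "http://schemas.xmlsoap.org/ws/2002/12/secext",  # assumed draft-era URI
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"


class TokenReferenceError(ValueError):
    """Raised when the token reference cannot be used with a SAML token."""


def resolve_saml_token(envelope_xml):
    """Return (AssertionID, [confirmation methods]) for the assertion that the
    Security header's SecurityTokenReference points at.

    Only the KeyIdentifier form is accepted; wsse:Reference and wsse:Embedded are
    rejected, as is a KeyIdentifier matching no assertion in the same header.
    """
    root = ET.fromstring(envelope_xml)
    security = root.find("soap:Header/wsse:Security", NS)
    if security is None:
        raise TokenReferenceError("no wsse:Security header")
    str_el = security.find("wsse:SecurityTokenReference", NS)
    if str_el is None:
        raise TokenReferenceError("no wsse:SecurityTokenReference")
    parts = list(str_el)
    if len(parts) != 1 or parts[0].tag != "{%s}KeyIdentifier" % NS["wsse"]:
        raise TokenReferenceError("only wsse:KeyIdentifier may reference a SAML token")
    wanted = (parts[0].text or "").strip()
    # Assumed matching rule: KeyIdentifier text equals the assertion's AssertionID.
    for assertion in security.findall("saml:Assertion", NS):
        if assertion.get("AssertionID") == wanted:
            methods = [(m.text or "").strip() for m in assertion.findall(
                ".//saml:SubjectConfirmation/saml:ConfirmationMethod", NS)]
            return wanted, methods
    raise TokenReferenceError("KeyIdentifier %r matches no assertion in the header" % wanted)


def sender_obligation(methods):
    """What the relying party must verify about the sender for this confirmation method."""
    if HOLDER_OF_KEY in methods:
        return "holder-of-key: sender must prove knowledge of the subject's key"
    if SENDER_VOUCHES in methods:
        return ("sender-vouches: sender vouches for the invoker; relying party must trust "
                "the sender and check the SAML authority's signature on the assertion")
    raise TokenReferenceError("unsupported confirmation method(s): %r" % (methods,))


def reference_is_acceptable(envelope_xml):
    """True if the message's token reference resolves under the rules above."""
    try:
        resolve_saml_token(envelope_xml)
        return True
    except TokenReferenceError:
        return False


# Constructed sample messages (not from the draft); signatures omitted for brevity.
def _envelope(assertion_id, method, token_reference):
    return """<soap:Envelope xmlns:soap="%(soap)s" xmlns:wsse="%(wsse)s" xmlns:saml="%(saml)s">
  <soap:Header><wsse:Security>
    <saml:Assertion AssertionID="%(id)s" MajorVersion="1" MinorVersion="0" Issuer="authority.example">
      <saml:AuthenticationStatement>
        <saml:Subject>
          <saml:NameIdentifier>joe@an.example.com</saml:NameIdentifier>
          <saml:SubjectConfirmation><saml:ConfirmationMethod>%(cm)s</saml:ConfirmationMethod></saml:SubjectConfirmation>
        </saml:Subject>
      </saml:AuthenticationStatement>
    </saml:Assertion>
    %(ref)s
  </wsse:Security></soap:Header>
  <soap:Body/>
</soap:Envelope>""" % dict(NS, id=assertion_id, cm=method, ref=token_reference)


KEY_ID_REF = ('<wsse:SecurityTokenReference><wsse:KeyIdentifier>SAMLToken-1'
              '</wsse:KeyIdentifier></wsse:SecurityTokenReference>')
DIRECT_REF = '<wsse:SecurityTokenReference><wsse:Reference URI="#SAMLToken-1"/></wsse:SecurityTokenReference>'

HOK_MESSAGE = _envelope("SAMLToken-1", HOLDER_OF_KEY, KEY_ID_REF)
SV_MESSAGE = _envelope("SAMLToken-1", SENDER_VOUCHES, KEY_ID_REF)
DIRECT_REF_MESSAGE = _envelope("SAMLToken-1", HOLDER_OF_KEY, DIRECT_REF)   # wrong reference form
DANGLING_MESSAGE = _envelope("SAMLToken-2", HOLDER_OF_KEY, KEY_ID_REF)     # KeyIdentifier matches nothing

if __name__ == "__main__":
    for name, msg in [("hok", HOK_MESSAGE), ("sv", SV_MESSAGE),
                      ("direct", DIRECT_REF_MESSAGE), ("dangling", DANGLING_MESSAGE)]:
        try:
            aid, methods = resolve_saml_token(msg)
            print(name, aid, sender_obligation(methods))
        except TokenReferenceError as exc:
            print(name, "rejected:", exc)
```

The resolver deliberately stops short of signature and key-possession checks: for holder-of-key the relying party still has to verify that the message signature was made with the key named in the assertion's SubjectConfirmation, and for sender-vouches it has to verify the SAML authority's signature over the assertion, which is the point raised at [613].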