wss message



Subject: ISSUE 73



Resend of message originally sent on June 17 because I never saw any responses.

---------------------------------
Apologies again for being unable to attend F2F.

From the minutes

>Issue 73 - What tokens are allowed within Token Reference? Add an embedded reference, but this isn't well defined
>

- Editors were to make proposal - Jerry's issue (not present)
- Either enumerate or define tokens or non-tokens.  Definition of security tokens but extensible nature leaves this in doubt. 
- line 214 defines the definition.
- Is a signature or a security manifest a type of security token? 
- No one present could argue that a signature represents a claim.
- mark it closed.

Can someone who supported this decision address the following questions

A. Consider

    <wsse:UserNameToken> <wsse:UserName>Jerry</wsse:UserName> </wsse:UserNameToken>

I presume that people want to consider that a security "token". Can someone explain to me what the claim is? Note that since a claim is a "declaration made by an entity" you must specify both the declaration and the entity.

B. Consider (where the ... represent some agreed security token)

    <wsse:SecurityTokenReference usage="Sender"> <wsse:Embedded>
        ...
    </wsse:Embedded> </wsse:SecurityTokenReference>

Apparently this makes claims (based both on the presence of the usage attribute and the embedding of whatever makes a claim). Thus B is a security token and we can recursively embed it.

    <wsse:SecurityTokenReference usage="Sender">
        <wsse:SecurityTokenReference usage="Sender"> <wsse:Embedded>
            ...
        </wsse:Embedded> </wsse:SecurityTokenReference>
    </wsse:SecurityTokenReference>

I don't object to that, but I have had the distinct impression that other people didn't want to allow such recursive embedding.  Is it agreed that this is allowed by the decision to close 73?

C.   Consider the assertion by "Jerry" that "I have seen and approved ....". According to the dsig draft (sections 8.1.2 and 8.1.3), a signature can be used to convey that kind of assertion. Can someone who believes signatures don't make claims explain how this fails to be a claim?
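
Question B turns on whether a receiver must follow references nested inside references. As an added example (not part of the original message or of any WSS draft), this Python resolver walks a reference in the shape shown in B down to the token it finally embeds and refuses nesting beyond a local limit. The namespace URI `urn:example:wsse`, the `MAX_DEPTH` policy and all helper names are assumptions.

```python
import xml.etree.ElementTree as ET

NS = "urn:example:wsse"   # constructed placeholder namespace, not a WSS one
MAX_DEPTH = 2             # assumed local policy, not a value from the drafts
TOKEN = ("<wsse:UserNameToken><wsse:UserName>Jerry</wsse:UserName>"
         "</wsse:UserNameToken>")


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def resolve(ref, depth=1):
    """Return (token_element, depth) for the token a reference finally embeds.

    Raises ValueError when nesting exceeds MAX_DEPTH or nothing is embedded.
    """
    if depth > MAX_DEPTH:
        raise ValueError("reference nesting exceeds %d" % MAX_DEPTH)
    for child in ref:
        name = local(child.tag)
        if name == "SecurityTokenReference":      # reference directly in reference
            return resolve(child, depth + 1)
        if name == "Embedded" and len(child):
            inner = child[0]
            if local(inner.tag) == "SecurityTokenReference":
                return resolve(inner, depth + 1)  # reference inside Embedded
            return inner, depth                   # reached an actual token
    raise ValueError("reference embeds no token")


def sample(levels):
    """Build a constructed reference nested `levels` deep, shaped as in B."""
    body = "<wsse:Embedded>%s</wsse:Embedded>" % TOKEN
    for _ in range(levels):
        body = ('<wsse:SecurityTokenReference usage="Sender">%s'
                "</wsse:SecurityTokenReference>" % body)
    return ET.fromstring('<root xmlns:wsse="%s">%s</root>' % (NS, body))[0]


if __name__ == "__main__":
    for levels in (1, 2, 3):
        try:
            token, depth = resolve(sample(levels))
            print(levels, "->", local(token.tag), "at depth", depth)
        except ValueError as err:
            print(levels, "-> rejected:", err)
```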

