OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

wss message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [wss] Issue 196 QNames: Proposal to use URIs for Type identifiers

I thought I would provide a bit of motivation for why I posted a solution to
issue 196.  I provide my understanding of the problem.  Please let me know
if I am incorrect in this being a problem or if there are other problems.

The problem occurs when the tokentype attribute is extended with a third
party token type and then the token type is canonicalized.  In particular,
the namespace name of the 3rd party token might not be in scope at the
tokentype attribute, and so a canonicalizer will not preserve the namespace
name.  A c14n implementation can be "told" the extra namespace names to
include, but this implies that the c14n implementation is coupled to the
token type implementation.  This may not be the case in some security
implementations, such as using multiple technology providers.  Using URIs
removes this dependency and also removes any potential ambiguity around
canonicalizing the token type.

cheers,
Dave

> -----Original Message-----
> From: David Orchard [mailto:dorchard@bea.com]
> Sent: Monday, December 15, 2003 8:07 AM
> To: wss@lists.oasis-open.org
> Subject: [wss] Issue 196 QNames: Proposal to use URIs for Type
> identifiers
>
>
> This proposes to use URIs instead of QNames for valuetype and
> encoding type
> identifiers.  Rather than provide a mapping to URIs,
> potentially at a later
> date, the use of URIs should result in cleaner and more
> secure environments.
>
> The first part of this proposal is that valueTypeEnum should
> be of type URI.
> The WSSE specification defines 5 values for this URI,
> replacing the current
> QNames.  The URI for identifying these types could be constructed in a
> variety of ways.
>
> The following shows identifiers using the fragment identifier
> syntax.  For
> the valuetypeenums, this looks like (pending the actual URI
> assigned for the
> wsse namespace):
> http://www.oasis-open.org/wsseuri#X509v3
> http://www.oasis-open.org/wsseuri#Kerberosv5TGT
> http://www.oasis-open.org/wsseuri#5ST
> http://www.oasis-open.org/wsseuri#PKCS7
> http://www.oasis-open.org/wsseuri#PKIPath
>
> And for encoding types this is:
> http://www.oasis-open.org/wsseuri#Base64Binary
> http://www.oasis-open/org/wsseuri#HexBinary
>
> This might also require a simple change to the schema to add
> these IDs to
> the schema.
>
> This could easily be a "/" separator instead of "#" as well.
> The # would
> definitely be a good way to go if there was a wsse media
> type.  But there
> isn't, so "/" could also be acceptable.
>
> Cheers,
> Dave
>
>
> To unsubscribe from this mailing list (and be removed from
> the roster of the OASIS TC), go to
http://www.oasis-open.org/apps/org/workgroup/wss/members/leave_workgroup.php
.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]