OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

wss message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [wss] Groups - WSS-SAML-08.pdf uploaded


Thanks for the comments, I will incorporate your suggestions in the next 

Levinson, Richard wrote:

>I have a couple of comments on the WS-SAML profile spec
>that I would like you to consider. They all have to do with
>whether the examples are in synch with the intended
>statements in the specification sections (page and line numbers
>refer to the merged version of the WS-SAML profile spec. Note there 
>are also some line number references to the WS-Core spec which
>contains related information to some of the comments)
>	1 Should the STR dereference transform as described in
>	  section 3.3.3 (p12 line 384-387) be used in the 
>	  sender-vouches scenario in section (p. 19
>	  lines 702-707)? I guess this also raises the question
>	  of whether the saml assertion should stand alone in
>	  the wsse:Security header or be embedded as suggested
>	  in the WS-Core spec (12/29 merged version lines 778-788).
Yes, this case should follow the example beginning on line 391, although
all of the examples, including the one I cite need to be reviewed.

>	2 Based on the use of prepending (p 14 lines 460-464):
>	  for the hk example (p 15-17), should the Signature come
>	  first according to the prepending rules? Since one would
>	  probably first put the assertion in the header, then do 
>	  the signing which refers to the assertion in the KeyInfo
>	  (p 16 lines 573-578), and since the signing came last the 
>	  prepending rule I assume would dictate that the signature should 
>	  appear first in the wsse:Security header.
My understanding of the core, line 445-446, is that "the key-bearing
element SHOULD be ordered to precede the key-using Element". I am
also confused by the way the ordering rules are described in the core.

>	  NOTE: I'm not 100% sure of this because even in the WS-core spec
>	  (12/29 rev) the prepending rule for sigs (p 30 line 916) seems
>	  to be in conflict with the example (p41-42 lines 1336-1346
>	  where those elements (Timestamp and BinarySecurityToken) are
>	  referenced by the Signature (lines 1370 (031), 1396 (053)).
>	3 Similarly, the Signature (p 19 lines 696-720) in the
>	  case probably should appear first in the wsse:Security element
>	  (p 18 line 639), assuming my interpretation of prepending is
BTW, in section 3.3, we need to change the way SAML keyIdentifier references
are composed, as the Binding and Location attributes are not global. 
Perhaps we can
use the SAML AuthorityBinding construct, as apposed to its internal 



>	Thanks,
>	Rich Levinson
>-----Original Message-----
>From: ronald.monzillo@sun.com [mailto:ronald.monzillo@sun.com] 
>Sent: Tuesday, December 16, 2003 10:32 AM
>To: wss@lists.oasis-open.org
>Subject: [wss] Groups - WSS-SAML-08.pdf uploaded
>The document WSS-SAML-08.pdf has been submitted by ronald monzillo
>(ronald.monzillo@sun.com) to the OASIS Web Services Security TC document
>Document Description:
>Download Document:  
>View Document Details:
>PLEASE NOTE:  If the above links do not work for you, your email application
>may be breaking the link into two pieces.  You may be able to copy and paste
>the entire link address into the address field of your web browser.
>To unsubscribe from this mailing list (and be removed from the roster of the
>OASIS TC), go to
>To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/wss/members/leave_workgroup.php.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]