Subject: Re: [wss] Comments on SAML Token Profile




Ramana Turlapati wrote:

>1. The example for "sender-vouches" use case seems really complex. Can this
>be substituted with something simpler, say Scenario III from interop draft?
>or alternatively line by line documentation for the current example might
>help.
>
Ramana,

You are the second person to ask for a clarification of the
sender-vouches "example".
I will add some more explanatory text to the paragraph preceding the
example. Below, I have pasted the response I sent when a similar comment
was made.

> The sender-vouches example in 3.4.2.3 is perhaps a little more than it 
> seems.
>
> The example uses only SAML assertions, and thus there is
> a holder-of-key assertion (referenced by STR 2) from keyInfo that is
> being used to carry the key of the vouching sender. The sender-vouches
> confirmed assertion is referenced from SignedInfo (by id = "#STR1") and
> is being signed by the key in the holder-of-key assertion.
>
> The example could have used a keyIdentifier reference to an X509 cert
> from KeyInfo, but as I noted above, I was trying to show an all SAML example.
>
>2. Profile does not cover SAML "Bearer" tokens. Is this scoped for future?
>  
>
The profile requires support for the sender-vouches and holder-of-key
confirmation mechanisms. It does not preclude the inclusion or referencing
of assertions with other confirmation mechanisms (including bearer).
It does not profile the confirmation semantics relating to other
confirmation mechanisms.

If the TC wishes to add a requirement that implementors of the profile
support specific confirmation semantics for other confirmation mechanisms
(e.g. "bearer"), then we will add them to the profile.

Thanks for the comments, and I hope that my answers are satisfactory,

Ron

>Thanks
>
>/T$R
>(Ramana Turlapati)
>
>
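A worked illustration of the all-SAML sender-vouches structure described in the reply above. This is an added example, not part of the thread and not the profile's own example text. The SOAP skeleton, the assertion IDs (SV-ASSERTION-1, HOK-ASSERTION-2), the digest, signature and key values, and the build_message / check_sender_vouches_binding functions are all constructed for this illustration; only the namespace and confirmation-method URIs are taken from the public WS-Security 2004 and SAML 1.x specifications. The checker resolves both SecurityTokenReferences and confirms the binding Ron describes: STR1 (referenced from SignedInfo) names the sender-vouches assertion that is being signed, and STR2 (inside ds:KeyInfo) names the holder-of-key assertion that carries the vouching sender's key.

```python
import xml.etree.ElementTree as ET

# Namespace URIs of WS-Security 2004 / SAML 1.x (from the public specs; the
# rest of this example is constructed for illustration).
NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
SAML_ID = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID"
STR_TRANSFORM = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform"

# Constructed skeleton of the all-SAML sender-vouches message: two assertions,
# STR1 (covered by the signature via SignedInfo) and STR2 (in KeyInfo).
# Assertion IDs, digests, signature value and key name are placeholders.
TEMPLATE = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" xmlns:saml="{saml}" xmlns:ds="{ds}">
 <S:Header><wsse:Security>
  <saml:Assertion AssertionID="SV-ASSERTION-1" MajorVersion="1" MinorVersion="1"
   Issuer="idp.example.com" IssueInstant="2003-07-28T00:00:00Z">
   <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
    AuthenticationInstant="2003-07-28T00:00:00Z"><saml:Subject>
    <saml:NameIdentifier>user@example.com</saml:NameIdentifier>
    <saml:SubjectConfirmation><saml:ConfirmationMethod>{sv}</saml:ConfirmationMethod>
    </saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement>
  </saml:Assertion>
  <saml:Assertion AssertionID="HOK-ASSERTION-2" MajorVersion="1" MinorVersion="1"
   Issuer="idp.example.com" IssueInstant="2003-07-28T00:00:00Z">
   <saml:AttributeStatement><saml:Subject>
    <saml:NameIdentifier>sender.example.com</saml:NameIdentifier>
    <saml:SubjectConfirmation><saml:ConfirmationMethod>{hok}</saml:ConfirmationMethod>
     <ds:KeyInfo><ds:KeyName>PLACEHOLDER-SENDER-KEY</ds:KeyName></ds:KeyInfo>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Attribute AttributeName="role" AttributeNamespace="urn:example">
     <saml:AttributeValue>vouching-intermediary</saml:AttributeValue></saml:Attribute>
   </saml:AttributeStatement>
  </saml:Assertion>
  <wsse:SecurityTokenReference wsu:Id="STR1">
   <wsse:KeyIdentifier ValueType="{vt}">{str1}</wsse:KeyIdentifier>
  </wsse:SecurityTokenReference>
  <ds:Signature><ds:SignedInfo>
    <ds:Reference URI="#STR1"><ds:Transforms><ds:Transform Algorithm="{strx}"/>
     </ds:Transforms><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
    <ds:Reference URI="#MsgBody"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
   </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
   <ds:KeyInfo><wsse:SecurityTokenReference wsu:Id="STR2">
    <wsse:KeyIdentifier ValueType="{vt}">{str2}</wsse:KeyIdentifier>
   </wsse:SecurityTokenReference></ds:KeyInfo>
  </ds:Signature>
 </wsse:Security></S:Header>
 <S:Body wsu:Id="MsgBody"><Ping/></S:Body>
</S:Envelope>"""


def build_message(str1_target="SV-ASSERTION-1", str2_target="HOK-ASSERTION-2"):
    """Render the constructed message; the targets let a test mis-wire the STRs."""
    return TEMPLATE.format(sv=SENDER_VOUCHES, hok=HOLDER_OF_KEY, vt=SAML_ID,
                           strx=STR_TRANSFORM, str1=str1_target, str2=str2_target, **NS)


def _confirmation_methods(root):
    """Map each assertion's AssertionID to its SubjectConfirmation method."""
    out = {}
    for a in root.iter("{%s}Assertion" % NS["saml"]):
        cm = a.find(".//saml:ConfirmationMethod", NS)
        out[a.get("AssertionID")] = cm.text.strip() if cm is not None else None
    return out


def _resolve_str(str_el):
    """Return the AssertionID a SecurityTokenReference names via KeyIdentifier."""
    ki = str_el.find("wsse:KeyIdentifier", NS)
    if ki is None or ki.get("ValueType") != SAML_ID:
        raise ValueError("STR does not carry a SAMLAssertionID KeyIdentifier")
    return ki.text.strip()


def check_sender_vouches_binding(xml_text):
    """Resolve STR1/STR2 and report which assertion is signed and which signs.

    'ok' is True only for the binding the profile example uses: a sender-vouches
    assertion covered by the signature, and a distinct holder-of-key assertion
    supplying the signing key through ds:KeyInfo.
    """
    root = ET.fromstring(xml_text)
    methods = _confirmation_methods(root)
    strs = {s.get("{%s}Id" % NS["wsu"]): s
            for s in root.iter("{%s}SecurityTokenReference" % NS["wsse"])}
    # A SignedInfo reference whose URI names an STR covers the token that STR
    # points at (the STR-Transform dereferences it before digesting).
    signed = [_resolve_str(strs[ref.get("URI", "").lstrip("#")])
              for ref in root.findall(".//ds:Signature/ds:SignedInfo/ds:Reference", NS)
              if ref.get("URI", "").lstrip("#") in strs]
    key_str = root.find(".//ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference", NS)
    if key_str is None:
        raise ValueError("signature KeyInfo does not reference a security token")
    signing = _resolve_str(key_str)
    signed_id = signed[0] if signed else None
    result = {"signed_assertion": signed_id, "signed_method": methods.get(signed_id),
              "signing_assertion": signing, "signing_method": methods.get(signing)}
    result["ok"] = (result["signed_method"] == SENDER_VOUCHES
                    and result["signing_method"] == HOLDER_OF_KEY
                    and signed_id != signing)
    return result


if __name__ == "__main__":
    print(check_sender_vouches_binding(build_message()))
```

The negative case is worth running too: build_message(str2_target="SV-ASSERTION-1") points KeyInfo at the sender-vouches assertion itself, and the check reports ok=False, because a sender-vouches assertion carries no key that could have produced the signature. A real receiver would of course also verify the signature value and validate the assertions; this check covers only the reference wiring the thread discusses.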