OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

wss message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [wss] Issue 310: Multiple reference forms in aSecurityTokenReference

My action item from today's TC call

Thumbprint references were developed as a means to ensure an unambiguous 
token reference;
especially to ensure that authorized claims are attributed to a message 
as a result of
a successful signature validation.

I inserted some comments on the following text.

Vijay Gajjala wrote:

>There are two parts to the proposal. 
>1. This specification allows for the use of multiple reference
>mechanisms within a single SecurityTokenReference. When multiple
>references are present in a given SecurityTokenReference, they MUST
>resolve to a single token in common. Specific token profiles SHOULD
It would seem simpler to say to the same token, but that would seem to 
embody a
paradox, as the apparent reason for the use of thumbprints is the 
potential ambiguity
of the augmented reference form. IOW, If the reference from being augmented
by the thumbprint must resolve to one token (i.e the same token), then 
it would
seem difficult to justify the need for the thumbprint.

It would seem that the phrase "single token in common" is intended to mean
that there must be one token in the intersection of the token sets 
resulting from
the resolution of the various reference forms.

That seems correct to me; but maybe folks should comment, or further 
clarify the

>define the reference mechanisms to be used. 
>2. A thumbprint reference MUST occur in combination with a required to
>be supported (by the applicable profile) reference form unless 
>. a thumbprint reference is among the reference forms required to be
>supported by the applicable profle, or
>. the parties to the communication have agreed to accept only thumbprint
agreeing to accept references with only a thumbprint, is a
superset of agreeding to accept only thumbprint references.


s/only thumbprint/thumbprint only/


>Let us discuss applicabilty of the two parts to the specific issue at
>our conf call tomorrow.
>To unsubscribe, e-mail: wss-unsubscribe@lists.oasis-open.org
>For additional commands, e-mail: wss-help@lists.oasis-open.org

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]