Subject: RE: [wss] Groups - oasis-2005xx-wss-kerberos-token-profile-1.0-changes.pdf uploaded
Tony,

A few other comments (and a correction).

1. My lack of familiarity with RFC5110 led to my proposed text being potentially misleading, sorry. Apparently the term 'session key' in RFC5110 means 'Ticket key'. Another (preferable) alternative for 2. below would be to remove section 3.3 altogether and duplicate the language in 3.4 and 3.5; e.g. "The value of the signature or encryption key is constructed from the value of the Kerberos sub-key when it is present in the authenticator or a session key from the ticket if the sub-key is absent, either by using the kerberos sub-key or session key directly or using a key derived from that key using a mechanism agreed to by the communicating parties."

2. As RFC5110 doesn't define a type for the checksum field, we should add the following text to section 3.2: "Both token types defined in this section use the type 0x8003 defined in RFC1964 for the checksum field of the authenticator inside the AP_REQ." I believe this is the value that was agreed to during the interop event.

3. In section 3.4 shouldn't the ValueType attribute be on the wsse:KeyIdentifier element? In the example on lines 193-210 you have it on the wsse:SecurityTokenReference element.

4. Also in section 3.4, shouldn't we have a specific ValueType URI for the reference? For example, in the X509 profile, the token types have ValueType URIs, but the reference types have different URIs. In this case, I think we should have a URI along the lines of;

http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-kerberos-token-profile-1.0#Kerberosv5APREQSHA1

Does that make sense?

Cheers

Gudge

> -----Original Message-----
> From: Martin Gudgin [mailto:mgudgin@microsoft.com]
> Sent: 17 May 2005 15:16
> To: drsecure@us.ibm.com; wss@lists.oasis-open.org
> Subject: RE: [wss] Groups - oasis-2005xx-wss-kerberos-token-profile-1.0-changes.pdf uploaded
>
> Tony,
>
> A couple of comments
>
> 1. Line 116, 'one value' should now be 'two values'
>
> 2. Between the text in 3.3 and the text in 3.5/3.6 it doesn't seem completely clear when the sub-session key should be used. I wonder if we should edit line 218-219 to read something like;
>
> The value of the signature key is the value of the Kerberos session key (see Section 3.3 for how to determine which value to use for the session key) or a key derived from this session key using a mechanism agreed to by the communicating parties.
>
> where the parenthetical statement is the extra text. The same would apply to line 224-225
>
> Gudge
>
> > -----Original Message-----
> > From: drsecure@us.ibm.com [mailto:drsecure@us.ibm.com]
> > Sent: 16 May 2005 17:38
> > To: wss@lists.oasis-open.org
> > Subject: [wss] Groups - oasis-2005xx-wss-kerberos-token-profile-1.0-changes.pdf uploaded
> >
> > The document revision named oasis-2005xx-wss-kerberos-token-profile-1.0-changes.pdf has been submitted by Anthony Nadalin to the OASIS Web Services Security (WSS) TC document repository. This document is revision #3 of oasis-xxxxxx-wss-kerberos-token-profile-1 0-changebar.pdf.
> >
> > Document Description:
> > Minor edits and cleanup of URLs
> >
> > View Document Details:
> > http://www.oasis-open.org/apps/org/workgroup/wss/document.php?document_id=12671
> >
> > Download Document:
> > http://www.oasis-open.org/apps/org/workgroup/wss/download.php/12671/oasis-2005xx-wss-kerberos-token-profile-1.0-changes.pdf
> >
> > Revision:
> > This document is revision #3 of oasis-xxxxxx-wss-kerberos-token-profile-1 0-changebar.pdf. The document details page referenced above will show the complete revision history.
> >
> >
> > PLEASE NOTE: If the above links do not work for you, your email application may be breaking the link into two pieces. You may be able to copy and paste the entire link address into the address field of your web browser.
> >
> > -OASIS Open Administration
> >
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. You may find a link to this group and all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>