wss message
Subject: RE: [wss] Groups - oasis-2005xx-wss-kerberos-token-profile-1.0-changes.pdf uploaded
- From: Anthony Nadalin <drsecure@us.ibm.com>
- To: "Martin Gudgin" <mgudgin@microsoft.com>
- Date: Mon, 30 May 2005 14:16:36 -0500
Got it thanks
Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122
"Martin Gudgin" <mgudgin@microsoft.com>
05/21/2005 09:34 PM
Tony,
A few other comments (and a correction).
1. My lack of familiarity with RFC5110 led to my proposed text being
potentially misleading, sorry. Apparently the term 'session key' in
RFC5110 means 'Ticket key'. Another (preferable) alternative for 2.
below would be to remove section 3.3 altogether and duplicate the
language in 3.4 and 3.5; e.g.
"The value of the signature or encryption key is constructed from the
value of the Kerberos sub-key when it is present in the authenticator or
a session key from the ticket if the sub-key is absent, either by using
the kerberos sub-key or session key directly or using a key derived from
that key using a mechanism agreed to by the communicating parties."
2. As RFC5110 doesn't define a type for the checksum field, we should
add the following text to section 3.2:
"Both token types defined in this section use the type 0x8003 defined in
RFC1964 for the checksum field of the authenticator inside the AP_REQ."
I believe this is the value that was agreed to during the interop event.
3. In section 3.4 shouldn't the ValueType attribute be on the
wsse:KeyIdentifier element? In the example on lines 193-210 you have it
on the wsse:SecurityTokenReference element.
4. Also in section 3.4, shouldn't we have a specific ValueType URI for
the reference? For example, in the X509 profile, the token types have
ValueType URIs, but the reference types have different URIs. In this
case, I think we should have a URI along the lines of:
http://docs.oasisopen.org/wss/2005/xx/oasis-2005xx-wsskerberos-token-profile-1.0#Kerberosv5APREQSHA1
Does that make sense?
Cheers
Gudge
> -----Original Message-----
> From: Martin Gudgin [mailto:mgudgin@microsoft.com]
> Sent: 17 May 2005 15:16
> To: drsecure@us.ibm.com; wss@lists.oasis-open.org
> Subject: RE: [wss] Groups -
> oasis-2005xx-wss-kerberos-token-profile-1.0-changes.pdf uploaded
>
> Tony,
>
> A couple of comments
>
> 1. Line 116, 'one value' should now be 'two values'
>
> 2. Between the text in 3.3 and the text in 3.5/3.6, it doesn't seem
> completely clear when the sub-session key should be used. I
> wonder if we
> should edit line 218-219 to read something like:
>
> The value of the signature key is the value of the Kerberos
> session key
> (see Section 3.3 for how to determine which value to use for the
> session key)
> or a key derived from this session key using a mechanism agreed
> to by the communicating parties.
>
> where the parenthetical statement is the extra text. The same
> would apply to line 224-225
>
> Gudge
>
>
> > -----Original Message-----
> > From: drsecure@us.ibm.com [mailto:drsecure@us.ibm.com]
> > Sent: 16 May 2005 17:38
> > To: wss@lists.oasis-open.org
> > Subject: [wss] Groups -
> > oasis-2005xx-wss-kerberos-token-profile-1.0-changes.pdf uploaded
> >
> > The document revision named
> > oasis-2005xx-wss-kerberos-token-profile-1.0-changes.pdf has
> > been submitted
> > by Anthony Nadalin to the OASIS Web Services Security (WSS)
> > TC document
> > repository. This document is revision #3 of
> > oasis-xxxxxx-wss-kerberos-token-profile-1 0-changebar.pdf.
> >
> > Document Description:
> > Minor edits and cleanup of URLs
> >
> > View Document Details:
> > http://www.oasis-open.org/apps/org/workgroup/wss/document.php?
> > document_id=12671
> >
> > Download Document:
> > http://www.oasis-open.org/apps/org/workgroup/wss/download.php/
> > 12671/oasis-2005xx-wss-kerberos-token-profile-1.0-changes.pdf
> >
> > Revision:
> > This document is revision #3 of
> > oasis-xxxxxx-wss-kerberos-token-profile-1
> > 0-changebar.pdf. The document details page referenced above
> > will show the
> > complete revision history.
> >
> >
> > PLEASE NOTE: If the above links do not work for you, your
> > email application
> > may be breaking the link into two pieces. You may be able to
> > copy and paste
> > the entire link address into the address field of your web browser.
> >
> > -OASIS Open Administration
> >
>
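The points raised in the thread above (key selection between the authenticator sub-key and the ticket session key, and the ValueType attribute belonging on wsse:KeyIdentifier rather than on the SecurityTokenReference) as an added Python example that is not part of the thread or of the profile; it assumes the WS-Security 1.0 secext namespace and Base64Binary EncodingType, uses the reference ValueType URI exactly as Gudge proposed it (with the spec's own "xx" placeholders), and assumes that the identifier named by Kerberosv5APREQSHA1 is the base64 of the SHA-1 over the AP-REQ octets.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# WS-Security 1.0 secext namespace (real value, not quoted on this page).
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
# Base64 EncodingType from WS-Security 1.0 SOAP Message Security (real value, not quoted on this page).
BASE64_ENCODING = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
# Reference ValueType exactly as proposed in comment 4; the "xx" parts are the draft's own placeholders.
APREQ_SHA1_VALUETYPE = ("http://docs.oasisopen.org/wss/2005/xx/"
                        "oasis-2005xx-wsskerberos-token-profile-1.0#Kerberosv5APREQSHA1")

def select_signing_key(authenticator_subkey, ticket_session_key):
    """Key selection per the proposed 3.4/3.5 wording: the sub-key from the
    authenticator when present, otherwise the session key from the ticket."""
    if authenticator_subkey is not None:
        return authenticator_subkey
    if ticket_session_key is None:
        raise ValueError("AP-REQ carries neither a sub-key nor a ticket session key")
    return ticket_session_key

def apreq_key_identifier(apreq_octets):
    """Assumption: the identifier is the base64 of the SHA-1 over the AP-REQ octets,
    which is what the fragment 'Kerberosv5APREQSHA1' suggests."""
    return base64.b64encode(hashlib.sha1(apreq_octets).digest()).decode("ascii")

def build_str(apreq_octets):
    """Build a wsse:SecurityTokenReference whose ValueType sits on wsse:KeyIdentifier
    (the placement asked for in comment 3) and return it as an XML string."""
    ET.register_namespace("wsse", WSSE_NS)
    str_el = ET.Element(f"{{{WSSE_NS}}}SecurityTokenReference")
    kid = ET.SubElement(str_el, f"{{{WSSE_NS}}}KeyIdentifier",
                        ValueType=APREQ_SHA1_VALUETYPE, EncodingType=BASE64_ENCODING)
    kid.text = apreq_key_identifier(apreq_octets)
    return ET.tostring(str_el, encoding="unicode")

def valuetype_on_key_identifier(str_xml):
    """Check: True only when ValueType is on wsse:KeyIdentifier and absent from the
    wsse:SecurityTokenReference element, i.e. not the placement in the example on lines 193-210."""
    root = ET.fromstring(str_xml)
    if root.tag != f"{{{WSSE_NS}}}SecurityTokenReference" or "ValueType" in root.attrib:
        return False
    kid = root.find(f"{{{WSSE_NS}}}KeyIdentifier")
    return kid is not None and kid.get("ValueType") == APREQ_SHA1_VALUETYPE

# Constructed sample input: these bytes merely stand in for a DER-encoded AP-REQ.
SAMPLE_APREQ = b"\x6e\x82\x01\x00" + b"constructed-ap-req-placeholder"
```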