

Subject: RE: [wss] Groups - oasis-2005xx-wss-kerberos-token-profile-1.0-changes.pdf uploaded


Got it thanks

Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122
"Martin Gudgin" <mgudgin@microsoft.com>
05/21/2005 09:34 PM

To: Anthony Nadalin/Austin/IBM@IBMUS, <wss@lists.oasis-open.org>
cc:
Subject: RE: [wss] Groups - oasis-2005xx-wss-kerberos-token-profile-1.0-changes.pdf uploaded

Tony,

A few other comments (and a correction).

1. My lack of familiarity with RFC5110 led to my proposed text being
potentially misleading, sorry. Apparently the term 'session key' in
RFC5110 means 'Ticket key'. Another (preferable) alternative for 2.
below would be to remove section 3.3 altogether and duplicate the
language in 3.4 and 3.5; e.g.

"The value of the signature or encryption key is constructed from the
value of the Kerberos sub-key when it is present in the authenticator or
a session key from the ticket if the sub-key is absent, either by using
the kerberos sub-key or session key directly or using a key derived from
that key using a mechanism agreed to by the communicating parties."

2. As RFC5110 doesn't define a type for the checksum field, we should
add the following text to section 3.2:

"Both token types defined in this section use the type 0x8003 defined in
RFC1964 for the checksum field of the authenticator inside the AP_REQ."

I believe this is the value that was agreed to during the interop event.

3. In section 3.4 shouldn't the ValueType attribute be on the
wsse:KeyIdentifier element? In the example on lines 193-210 you have it
on the wsse:SecurityTokenReference element.

4. Also in section 3.4, shouldn't we have a specific ValueType URI for
the reference? For example, in the X509 profile, the token types have
ValueType URIs, but the reference types have different URIs. In this
case, I think we should have a URI along the lines of;

http://docs.oasisopen.org/wss/2005/xx/oasis-2005xx-wsskerberos-token-profile-1.0#Kerberosv5APREQSHA1

Does that make sense?

Cheers

Gudge
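The two concrete points above, the key-selection rule proposed for sections 3.4/3.5 (sub-key from the authenticator when present, otherwise the ticket session key, optionally passed through an agreed derivation) and the RFC 1964 checksum of type 0x8003 that the proposed 3.2 text pins down for the authenticator inside the AP_REQ, put into code as an added illustration. This is not text or code from the thread or from the WSS TC; the derivation function and all keys, bindings and the KRB-CRED stand-in are constructed sample values, and the checksum layout follows RFC 1964 section 1.1.1 (Lgth, Bnd, Flags, optional DlgOpt/Dlgth/Deleg, little-endian integers).

```python
"""Added example for the WSS Kerberos token profile discussion (not TC text).

1. select_token_key: the signature/encryption key is the authenticator
   sub-key when present, else the ticket session key, optionally run
   through a derivation the two parties agreed on.
2. encode/decode of the RFC 1964 type-0x8003 authenticator checksum:
   Lgth(4, LE, =16) | Bnd(16) | Flags(4, LE) [| DlgOpt(2) | Dlgth(2) | Deleg].
All sample values used here are constructed.
"""
import hashlib
import hmac
import struct
from typing import Callable, Optional

CHECKSUM_TYPE_0X8003 = 0x8003  # checksum type the proposed 3.2 text fixes

# RFC 1964 section 1.1.1 context flag bits
GSS_C_DELEG_FLAG = 0x01
GSS_C_MUTUAL_FLAG = 0x02
GSS_C_REPLAY_FLAG = 0x04
GSS_C_SEQUENCE_FLAG = 0x08
GSS_C_CONF_FLAG = 0x10
GSS_C_INTEG_FLAG = 0x20


def select_token_key(ticket_session_key: bytes,
                     authenticator_subkey: Optional[bytes],
                     derive: Optional[Callable[[bytes], bytes]] = None) -> bytes:
    """Key used for signing/encrypting: sub-key if the authenticator carried
    one, otherwise the session key from the ticket; derived if so agreed."""
    base = authenticator_subkey if authenticator_subkey else ticket_session_key
    return derive(base) if derive else base


def example_kdf(key: bytes, label: bytes) -> bytes:
    """Constructed placeholder for 'a mechanism agreed to by the parties';
    the profile does not fix one, so this is HMAC-SHA256 purely for illustration."""
    return hmac.new(key, label, hashlib.sha256).digest()


def bind_hash(channel_bindings: bytes) -> bytes:
    """Bnd field: MD5 over the channel bindings (RFC 1964 1.1.1)."""
    return hashlib.md5(channel_bindings).digest()


def encode_0x8003_checksum(bnd: bytes, flags: int,
                           krb_cred: Optional[bytes] = None) -> bytes:
    """Serialise the checksum value carried in the AP_REQ authenticator."""
    if len(bnd) != 16:
        raise ValueError("Bnd must be 16 octets")
    if krb_cred is not None:
        flags |= GSS_C_DELEG_FLAG
    out = struct.pack("<I", 16) + bnd + struct.pack("<I", flags)
    if krb_cred is not None:
        # DlgOpt is fixed to 1, Dlgth is the length of the KRB-CRED message
        out += struct.pack("<HH", 1, len(krb_cred)) + krb_cred
    return out


def decode_0x8003_checksum(blob: bytes) -> dict:
    """Parse the structure back, rejecting malformed input instead of
    guessing (the receiving side of 'pin the checksum type')."""
    if len(blob) < 24:
        raise ValueError("checksum too short")
    (lgth,) = struct.unpack_from("<I", blob, 0)
    if lgth != 16:
        raise ValueError(f"unexpected Bnd length {lgth}")
    bnd = blob[4:20]
    (flags,) = struct.unpack_from("<I", blob, 20)
    result = {"bnd": bnd, "flags": flags, "krb_cred": None}
    pos = 24
    if flags & GSS_C_DELEG_FLAG:
        if len(blob) < pos + 4:
            raise ValueError("truncated delegation fields")
        dlgopt, dlgth = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if dlgopt != 1:
            raise ValueError(f"unexpected DlgOpt {dlgopt}")
        if len(blob) < pos + dlgth:
            raise ValueError("truncated KRB-CRED")
        result["krb_cred"] = blob[pos:pos + dlgth]
        pos += dlgth
    result["trailing"] = blob[pos:]  # RFC 4121 allows extensions after this point
    return result


def is_well_formed(blob: bytes) -> bool:
    """Convenience wrapper: True only if the blob parses as a 0x8003 checksum."""
    try:
        decode_0x8003_checksum(blob)
        return True
    except ValueError:
        return False
```

The decoder deliberately refuses a Lgth other than 16 and a DlgOpt other than 1 rather than skipping over them, since an implementation that accepts any value here is not really checking the type the profile requires.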

> -----Original Message-----
> From: Martin Gudgin [mailto:mgudgin@microsoft.com]
> Sent: 17 May 2005 15:16
> To: drsecure@us.ibm.com; wss@lists.oasis-open.org
> Subject: RE: [wss] Groups -
> oasis-2005xx-wss-kerberos-token-profile-1.0-changes.pdf uploaded
>
> Tony,
>
> A couple of comments
>
> 1. Line 116, 'one value' should now be 'two values'
>
> 2. Between the text in 3.3 and the text in 3.5/3.6, it doesn't seem
> completely clear when the sub-session key should be used. I
> wonder if we
> should edit line 218-219 to read something like;
>
> The value of the signature key is the value of the Kerberos
> session key
> (see Section 3.3 for how to determine which value to use for the
> session key)
> or a key derived from this session key using a mechanism agreed
> to by the communicating parties.
>
> where the parenthetical statement is the extra text. The same
> would apply to line 224-225
>
> Gudge
>  
>
> > -----Original Message-----
> > From: drsecure@us.ibm.com [mailto:drsecure@us.ibm.com]
> > Sent: 16 May 2005 17:38
> > To: wss@lists.oasis-open.org
> > Subject: [wss] Groups -
> > oasis-2005xx-wss-kerberos-token-profile-1.0-changes.pdf uploaded
> >
> > The document revision named
> > oasis-2005xx-wss-kerberos-token-profile-1.0-changes.pdf has
> > been submitted
> > by Anthony Nadalin to the OASIS Web Services Security (WSS)
> > TC document
> > repository.  This document is revision #3 of
> > oasis-xxxxxx-wss-kerberos-token-profile-1 0-changebar.pdf.
> >
> > Document Description:
> > Minor edits and cleanup of URLs
> >
> > View Document Details:
> > http://www.oasis-open.org/apps/org/workgroup/wss/document.php?document_id=12671
> >
> > Download Document:
> > http://www.oasis-open.org/apps/org/workgroup/wss/download.php/12671/oasis-2005xx-wss-kerberos-token-profile-1.0-changes.pdf
> >
> > Revision:
> > This document is revision #3 of
> > oasis-xxxxxx-wss-kerberos-token-profile-1
> > 0-changebar.pdf.  The document details page referenced above
> > will show the
> > complete revision history.
> >
> >
> > PLEASE NOTE:  If the above links do not work for you, your
> > email application
> > may be breaking the link into two pieces.  You may be able to
> > copy and paste
> > the entire link address into the address field of your web browser.
> >
> > -OASIS Open Administration
> >
>
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  You may find a link to this group and all
> your TCs in OASIS
> at:
>
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>
>
