

Subject: Re: [wss] Action Item 2005-08-23-01: Kerberos Token Profile and RFC1510 vs RFC 4120


We may also wish to consider adding some form of attribute to allow a 
message to declare that the attached token is either compliant with 4120 
or 1510.  The statement in 4120 says they are not compatible.

Interop will be the true test.  There are requirements for processing 
4120 tickets written in the new RFC that mention backwards processing 
although my take was it is mostly clarification.

Duane

Anthony Nadalin wrote:

> So profile states:
>
> "Kerberos tokens are attached to SOAP messages using WSS: SOAP Message 
> Security by using the <wsse:BinarySecurityToken> described in WSS: 
> SOAP Message Security. When using this element, the /@ValueType/ 
> attribute MUST be specified. This specification defines two values for 
> this token as defined in the table below:"
>
> So I assume that 4120 URIs are optional and that one MUST be able to 
> implement one of the 2 1510 URIs
>
>
> Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122
>
> *"Martin Gudgin" <mgudgin@microsoft.com>*
> 09/05/2005 08:16 AM
>
> To: <wss@lists.oasis-open.org>
> cc:
> Subject: [wss] Action Item 2005-08-23-01: Kerberos Token Profile and RFC1510 vs RFC 4120
>
>
> Having surveyed the vast array of interop participants I believe we have
> two possible courses of action;
>
>
> 1. Do nothing.
>
> 2. Update the Kerberos Token Profile by making the following
> changes;
>
> a) Add a reference to RFC4120 to Section 5.
>
> b) Add 4 URIs to the table in Section 3.2 as follows
>
> URI:
> http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ1510
> Description: Kerberos v5 AP-REQ as defined in RFC1510. This ValueType is
> used when the ticket is an AP Request per RFC1510
>
> URI:
> http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
> Description: A GSS wrapped Kerberos v5 AP-REQ as defined in the GSSAPI
> specification. This ValueType is used when the ticket is an AP Request
> (ST + Authenticator) per RFC1510.
>
> URI:
> http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ4120
> Description: Kerberos v5 AP-REQ as defined in RFC4120. This ValueType is
> used when the ticket is an AP Request per RFC4120
>
> URI:
> http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ4120
> Description: A GSS wrapped Kerberos v5 AP-REQ as defined in the GSSAPI
> specification. This ValueType is used when the ticket is an AP Request
> (ST + Authenticator) per RFC4120.
>
> c) Amend the descriptions of the first URI currently in Section
> 3.2 as follows;
>
> URI:
> http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ
> Description: Kerberos v5 AP-REQ as defined in either RFC1510 and
> RFC4120. This ValueType is used when the ticket is an AP Request.
>
>
> Regards
>
> Gudge
>
>
>
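A receiver-side check of the ValueType labelling discussed in this thread, as an added example that is not part of any message above or of the OASIS profile. The function and exception names, the strict policy for the unsuffixed URI, and the sample token are assumptions made for the example; the URIs are the draft ones quoted in the proposal, placeholder "xx" included.

```python
import xml.etree.ElementTree as ET  # for untrusted input, a hardened parser such as defusedxml is preferable

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
# Draft base URI as quoted in the proposal ("xx" is the page's own placeholder).
BASE = "http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-kerberos-token-profile-1.1#"

# URI fragment -> (GSS-wrapped?, RFCs the label allows). The unsuffixed URI is item 2(c).
VALUE_TYPES = {
    "Kerberosv5_AP_REQ": (False, {"1510", "4120"}),
    "Kerberosv5_AP_REQ1510": (False, {"1510"}),
    "GSS_Kerberosv5_AP_REQ1510": (True, {"1510"}),
    "Kerberosv5_AP_REQ4120": (False, {"4120"}),
    "GSS_Kerberosv5_AP_REQ4120": (True, {"4120"}),
}

class TokenRejected(Exception):
    """Raised when a token's ValueType is missing, unknown, or outside receiver policy."""

def classify_tokens(security_xml, accepted_rfcs):
    """Return [(gss_wrapped, allowed_rfcs)] for every BinarySecurityToken, or raise."""
    results = []
    for tok in ET.fromstring(security_xml).iter("{%s}BinarySecurityToken" % WSSE):
        value_type = tok.get("ValueType")
        if value_type is None:
            raise TokenRejected("ValueType MUST be specified")
        fragment = value_type[len(BASE):] if value_type.startswith(BASE) else None
        if fragment not in VALUE_TYPES:
            raise TokenRejected("unknown ValueType: %r" % value_type)
        gss_wrapped, allowed = VALUE_TYPES[fragment]
        # Assumed strict policy: the receiver must handle every RFC the label allows,
        # so the ambiguous unsuffixed URI passes only if both RFCs are accepted.
        if not allowed <= set(accepted_rfcs):
            raise TokenRejected("token may follow RFC %s" % "/".join(sorted(allowed)))
        results.append((gss_wrapped, allowed))
    return results

def make_security_header(value_type_attr):
    """Build a constructed wsse:Security header; the token body is a dummy value."""
    return ('<wsse:Security xmlns:wsse="%s"><wsse:BinarySecurityToken %s>'
            'Q09OU1RSVUNURUQ=</wsse:BinarySecurityToken></wsse:Security>'
            % (WSSE, value_type_attr))

if __name__ == "__main__":
    header = make_security_header('ValueType="%sGSS_Kerberosv5_AP_REQ4120"' % BASE)
    print(classify_tokens(header, {"1510", "4120"}))
```
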

