Subject: [Fwd: Re: [wss] Action Item 2005-08-23-01: Kerberos Token Profile and RFC1510 vs RFC 4120]

Martin,

As briefly discussed in today's call, I sent this msg based on an action item I received in our previous call. That action was basically to determine if the krb5 tp employs the TokenType attribute. I asked this question when I saw that uri values were being defined for use in the ValueType attribute.

Ron

-------- Original Message --------
Subject: Re: [wss] Action Item 2005-08-23-01: Kerberos Token Profile and RFC1510 vs RFC 4120
Date: Tue, 06 Sep 2005 12:16:09 -0400
From: Ron Monzillo <Ronald.Monzillo@Sun.COM>
Reply-To: Ronald.Monzillo@Sun.COM
To: Martin Gudgin <mgudgin@microsoft.com>
CC: wss@lists.oasis-open.org
References: <DD35CC66F54D8248B6E04232892B633806D86CDD@RED-MSG-43.redmond.corp.microsoft.com>

Martin,

Does the Krb5 token profile require that 1.1 message senders set the wsse:TokenType attribute in STR values?

Note that in lines 924 to 928 of the core we recommended that use of the Reference:ValueType attribute to identify the type of a referenced token be discontinued (and that new profiles should employ the TokenType attribute for this purpose). We expect that this may be an evolutionary process, where for some time, the ValueType attribute may continue to be used in addition to the TokenType attribute.

Since the Krb5 profile is being standardized by 1.1, it would seem that we could do without specifying new values to be included in ValueType, and that these new token type identifying values could and should be introduced as TokenType values.

Ron

Martin Gudgin wrote:
> Having surveyed the vast array of interop participants I believe we have
> two possible courses of action;
>
> 1. Do nothing.
>
> 2. Update the Kerberos Token Profile by making the following changes;
>
>    a) Add a reference to RFC4120 to Section 5.
>
>    b) Add 4 URIs to the table in Section 3.2 as follows
>
>       URI: http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ1510
>       Description: Kerberos v5 AP-REQ as defined in RFC1510. This ValueType is
>       used when the ticket is an AP Request per RFC1510
>
>       URI: http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
>       Description: A GSS wrapped Kerberos v5 AP-REQ as defined in the GSSAPI
>       specification. This ValueType is used when the ticket is an AP Request
>       (ST + Authenticator) per RFC1510.
>
>       URI: http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ4120
>       Description: Kerberos v5 AP-REQ as defined in RFC4120. This ValueType is
>       used when the ticket is an AP Request per RFC4120
>
>       URI: http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ4120
>       Description: A GSS wrapped Kerberos v5 AP-REQ as defined in the GSSAPI
>       specification. This ValueType is used when the ticket is an AP Request
>       (ST + Authenticator) per RFC4120.
>
>    c) Amend the descriptions of the first URI currently in Section
>       3.2 as follows;
>
>       URI: http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ
>       Description: Kerberos v5 AP-REQ as defined in either RFC1510 and
>       RFC4120. This ValueType is used when the ticket is an AP Request.
>
> Regards
>
> Gudge
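
The transition described in the message above (TokenType on the STR, with Reference/@ValueType possibly still present for some time) is sketched below from a receiver's side, as an added example that is not part of the original message or of the profile. The two namespace URIs are those of the published WSS 1.0 and 1.1 secext schemas and are assumed here, the STRs are constructed samples, and rejecting a TokenType/ValueType mismatch is an assumed receiver policy.

```python
import xml.etree.ElementTree as ET

# Namespace URIs of the published WSS 1.0 and 1.1 secext schemas (assumed; not on the page).
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSSE11 = "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
# Draft profile URI prefix as quoted in the thread ("xx" is the draft's own placeholder).
KRB = "http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-kerberos-token-profile-1.1#"


def token_type_of(str_xml):
    """Return (uri, source) for one wsse:SecurityTokenReference.

    source is "TokenType", "ValueType" (legacy fallback) or None when neither is set.
    Raises ValueError if both are present and disagree (assumed receiver policy).
    """
    if "<!DOCTYPE" in str_xml:  # SOAP messages carry no DTD; refuse it before parsing
        raise ValueError("DTD not allowed")
    root = ET.fromstring(str_xml)
    if root.tag != f"{{{WSSE}}}SecurityTokenReference":
        raise ValueError("not a wsse:SecurityTokenReference")
    token_type = root.get(f"{{{WSSE11}}}TokenType")
    ref = root.find(f"{{{WSSE}}}Reference")
    value_type = ref.get("ValueType") if ref is not None else None
    if token_type and value_type and token_type != value_type:
        raise ValueError(f"TokenType {token_type!r} != ValueType {value_type!r}")
    if token_type:
        return token_type, "TokenType"
    if value_type:
        return value_type, "ValueType"
    return None, None


def make_str(token_type=None, value_type=None):
    """Build a constructed sample STR; '#krb' is a made-up token id."""
    tt = f' wsse11:TokenType="{KRB}{token_type}"' if token_type else ""
    vt = f' ValueType="{KRB}{value_type}"' if value_type else ""
    return (f'<wsse:SecurityTokenReference xmlns:wsse="{WSSE}" xmlns:wsse11="{WSSE11}"{tt}>'
            f'<wsse:Reference URI="#krb"{vt}/></wsse:SecurityTokenReference>')


if __name__ == "__main__":
    print(token_type_of(make_str("GSS_Kerberosv5_AP_REQ4120", "GSS_Kerberosv5_AP_REQ4120")))
    print(token_type_of(make_str(value_type="Kerberosv5_AP_REQ1510")))
    try:
        token_type_of(make_str("Kerberosv5_AP_REQ4120", "Kerberosv5_AP_REQ1510"))
    except ValueError as exc:
        print("rejected:", exc)
```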