OASIS Mailing List Archives

wss message

Subject: Re: [wss] Action Item 2005-08-23-01: Kerberos Token Profile and RFC1510 vs RFC 4120


Not true Ron, there is nothing saying that a receiver has to accept new attributes that they don't understand.

Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122
ronald monzillo <Ronald.Monzillo@Sun.COM>
10/04/2005 08:26 AM
Please respond to Ronald.Monzillo

To: Anthony Nadalin/Austin/IBM@IBMUS
cc: Ronald.Monzillo@Sun.COM, Martin Gudgin <mgudgin@microsoft.com>, wss@lists.oasis-open.org
Subject: Re: [wss] Action Item 2005-08-23-01: Kerberos Token Profile and RFC1510 vs RFC 4120

1.0 receivers should not choke if they get a new attribute, as the
schema was defined for such extensibility.

Anthony Nadalin wrote On 10/03/05 22:41,:
> Why should 1.1 senders be required to send it, as 1.0 endpoints may choke
> if they get it?
>
> Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122
>
> ronald monzillo <Ronald.Monzillo@Sun.COM>
> 10/03/2005 01:20 PM
> Please respond to Ronald.Monzillo
>
> To: Martin Gudgin <mgudgin@microsoft.com>
> cc: Ronald.Monzillo@Sun.COM, wss@lists.oasis-open.org
> Subject: Re: [wss] Action Item 2005-08-23-01: Kerberos Token Profile and RFC1510 vs RFC 4120
>
> Martin Gudgin wrote On 10/03/05 08:17,:
>>
>>>-----Original Message-----
>>>From: ronald monzillo [mailto:Ronald.Monzillo@Sun.COM]
>>>Sent: 20 September 2005 16:30
>>>To: Martin Gudgin
>>>Cc: Ronald.Monzillo@Sun.COM; wss@lists.oasis-open.org
>>>Subject: Re: [wss] Action Item 2005-08-23-01: Kerberos Token Profile and RFC1510 vs RFC 4120
>>>
>>>Martin Gudgin wrote On 09/20/05 10:42,:
>>>
>>>>Ron,
>>>>
>>>>Sorry, I've just found this... I think I agree that we need to say
>>>>something about wsse11:TokenType.
>>>>
>>>>Regarding whether we define values for ValueType, I think it depends on
>>>>whether you think 1.1 token types can be used with WSS 1.0.
>>>>
>>>thanks - If necessary, I am OK with senders being required to specify
>>>ValueType in addition to TokenType (for this profile)
>>
>> I think my point was that a 1.0 sender might want to use the Kerberos
>> token. Such a sender would not know about wsse11:TokenType.
>
> Gudge,
>
>
> thanks for the clarification - I would prefer that the tokenType
> attribute always be specified, but given that some receivers will not
> see it even if it is sent, I accept that 1.0 implementations not be
> required to send it.
>
> If this is both a 1.0 and 1.1 profile, then it should spell out the
> requirements in each context (of course it would be simpler to focus on 1.1)
>
> e.g. 1.1 senders are required to set tokenType; 1.0 are not.
>
> would you recommend that keyidentifier:valueType also be sent in either
> context?
>
> Since the uri values are just now being invented, is there an
> opportunity to limit the use of these uri's to only within BST:ValueType?
>
> Ron
>>
>> Gudge
>>
>>
>>>Ron
>>>
>>>>Gudge
>>>>
>>>>
>>>>
>>>>>-----Original Message-----
>>>>>From: Ron Monzillo [mailto:Ronald.Monzillo@Sun.COM]
>>>>>Sent: 06 September 2005 09:16
>>>>>To: Martin Gudgin
>>>>>Cc: wss@lists.oasis-open.org
>>>>>Subject: Re: [wss] Action Item 2005-08-23-01: Kerberos Token Profile and RFC1510 vs RFC 4120
>>>>>
>>>>>Martin,
>>>>>
>>>>>Does the Krb5 token profile require that 1.1 message senders set the
>>>>>wsse:TokenType attribute in STR values?
>>>>>
>>>>>Note that in lines 924 to 928 of the core we recommended that use of
>>>>>the Reference:ValueType attribute to identify the type of a referenced
>>>>>token be discontinued (and that new profiles should employ the TokenType
>>>>>attribute for this purpose).
>>>>>
>>>>>we expect that this may be an evolutionary process, where for some time,
>>>>>the ValueType attribute may continue to be used in addition to the
>>>>>TokenType attribute.
>>>>>
>>>>>Since the Krb5 profile is being standardized by 1.1, it would seem that
>>>>>we could do without specifying new values to be included in ValueType,
>>>>>and that these new token type identifying values could and should be
>>>>>introduced as TokenType values.
>>>>>
>>>>>Ron
>>>>>
>>>>>
>>>>>
>>>>>Martin Gudgin wrote:
>>>>>
>>>>>>Having surveyed the vast array of interop participants I believe we have
>>>>>>two possible courses of action;
>>>>>>
>>>>>>1. Do nothing.
>>>>>>
>>>>>>2. Update the Kerberos Token Profile by making the following changes;
>>>>>>
>>>>>> a) Add a reference to RFC4120 to Section 5.
>>>>>>
>>>>>> b) Add 4 URIs to the table in Section 3.2 as follows
>>>>>>
>>>>>>URI: http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ1510
>>>>>>Description: Kerberos v5 AP-REQ as defined in RFC1510. This ValueType is
>>>>>>used when the ticket is an AP Request per RFC1510
>>>>>>
>>>>>>URI: http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
>>>>>>Description: A GSS wrapped Kerberos v5 AP-REQ as defined in the GSSAPI
>>>>>>specification. This ValueType is used when the ticket is an AP Request
>>>>>>(ST + Authenticator) per RFC1510.
>>>>>>
>>>>>>URI: http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ4120
>>>>>>Description: Kerberos v5 AP-REQ as defined in RFC4120. This ValueType is
>>>>>>used when the ticket is an AP Request per RFC4120
>>>>>>
>>>>>>URI: http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ4120
>>>>>>Description: A GSS wrapped Kerberos v5 AP-REQ as defined in the GSSAPI
>>>>>>specification. This ValueType is used when the ticket is an AP Request
>>>>>>(ST + Authenticator) per RFC4120.
>>>>>>
>>>>>> c) Amend the descriptions of the first URI currently in Section
>>>>>>3.2 as follows;
>>>>>>
>>>>>>URI: http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ
>>>>>>Description: Kerberos v5 AP-REQ as defined in either RFC1510 and
>>>>>>RFC4120. This ValueType is used when the ticket is an AP Request.
>>>>>>
>>>>>>
>>>>>>Regards
>>>>>>
>>>>>>Gudge
>>>>>>
>>>>>>
>>>>>
>>>>>>---------------------------------------------------------------------
>>>>>>To unsubscribe from this mail list, you must leave the OASIS TC that
>>>>>>generates this mail.  You may a link to this group and all your TCs in OASIS
>>>>>>at:
>>>>>>https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>>>
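An added illustration of the interop question argued in this thread, not code from the mailing list or from the WSS specifications: a receiver resolving the Kerberos token type of a `wsse:SecurityTokenReference`, preferring `wsse11:TokenType` and falling back to `Reference/@ValueType`. The function name, the `understands_11` switch and the sample XML are assumptions made for the example; the token-type URIs are the draft values quoted in the thread.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSSE11 = "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
# Draft base URI as quoted in the thread ("xx" is the draft's own placeholder).
KRB = "http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-kerberos-token-profile-1.1#"
KNOWN = {KRB + n for n in (
    "Kerberosv5_AP_REQ", "Kerberosv5_AP_REQ1510", "GSS_Kerberosv5_AP_REQ1510",
    "Kerberosv5_AP_REQ4120", "GSS_Kerberosv5_AP_REQ4120")}

def resolve_token_type(str_xml, understands_11=True):
    """Return (token_type_uri_or_None, notes) for one SecurityTokenReference.

    understands_11=False models a 1.0 receiver (hypothetical switch).
    Input here is constructed and trusted; parse untrusted XML with a hardened parser.
    """
    ref = ET.fromstring(str_xml)
    if ref.tag != f"{{{WSSE}}}SecurityTokenReference":
        raise ValueError("not a wsse:SecurityTokenReference")
    notes = []
    tt_attr = f"{{{WSSE11}}}TokenType"
    token_type = ref.get(tt_attr) if understands_11 else None
    # Attributes the receiver does not understand are skipped, never fatal.
    for name in ref.attrib:
        if name != tt_attr or not understands_11:
            notes.append(f"ignored attribute {name}")
    # ValueType on a child wsse:Reference is the older way to type the token.
    value_type = next((c.get("ValueType") for c in ref
                       if c.tag == f"{{{WSSE}}}Reference" and c.get("ValueType")), None)
    if token_type and value_type and token_type != value_type:
        notes.append("TokenType and ValueType disagree")
        return None, notes
    chosen = token_type or value_type
    if chosen not in KNOWN:
        notes.append("no recognised Kerberos token type")
        return None, notes
    return chosen, notes

# Constructed samples: a sender that sets both attributes, and one that sets only TokenType.
BOTH = f'''<wsse:SecurityTokenReference xmlns:wsse="{WSSE}" xmlns:wsse11="{WSSE11}"
    wsse11:TokenType="{KRB}Kerberosv5_AP_REQ4120">
  <wsse:Reference URI="#krb-token" ValueType="{KRB}Kerberosv5_AP_REQ4120"/>
</wsse:SecurityTokenReference>'''
TOKENTYPE_ONLY = BOTH.replace(f' ValueType="{KRB}Kerberosv5_AP_REQ4120"', "")

if __name__ == "__main__":
    for label, xml in (("both", BOTH), ("TokenType only", TOKENTYPE_ONLY)):
        for v11 in (True, False):
            print(label, "1.1" if v11 else "1.0", resolve_token_type(xml, v11))
```

A modelled 1.0 receiver resolves the token only when `ValueType` is also present, which is the case the thread weighs when deciding whether senders must set both attributes.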