

Subject: RE: [ws-sx] Issue 27: When to include a token?


You are right about the core spec. The issue I see is that there
is no spec for how an embedded token should be formatted when
it is embedded. An older (pre-Standard) WSS spec described
that an X.509 token must be put in a KeyInfo, described a specific
URI to describe the type in the STR etc. This way an
embedded X.509 token could be identified. These descriptions
are no longer available. IMHO, if this is not defined then
it couldn't be used in a safe and interoperable way.

Thus I propose that for tokens whose profile does not define  
how to "embed" a token the "embedded" option should be deleted
in WSP.

Regards,
Werner

> -----Original Message-----
> From: Martin Gudgin [mailto:mgudgin@microsoft.com] 
> Sent: Wednesday, 1 March 2006 13:20
> To: Dittmann, Werner; Marc Goodner; ws-sx@lists.oasis-open.org
> Subject: RE: [ws-sx] Issue 27: When to include a token?
> 
> I've not seen any further discussion on this, so I'll just 
> state that it's my understanding that the WSS 1.0 and 1.1 
> Core specs define a mechanism for embedding any type of token 
> inside a Security Token Reference. There is no need for a 
> token profile to explicitly call out the embedded reference form.
> 
> Gudge
> 
> > -----Original Message-----
> > From: Martin Gudgin [mailto:mgudgin@microsoft.com] 
> > Sent: 20 February 2006 15:34
> > To: Dittmann, Werner; Marc Goodner; ws-sx@lists.oasis-open.org
> > Subject: RE: [ws-sx] Issue 27: When to include a token?
> > 
> > Hmm, by that token[sic] only SAML tokens can appear in 
> > wsse:Embedded as none of the other token profiles make 
> > explicit mention of embedded. 
> > 
> > Was this really the intention of the WSS TC?
> > 
> > Gudge
> > 
> > > -----Original Message-----
> > > From: Dittmann, Werner [mailto:werner.dittmann@siemens.com] 
> > > Sent: 19 February 2006 23:36
> > > To: Martin Gudgin; Marc Goodner; ws-sx@lists.oasis-open.org
> > > Subject: RE: [ws-sx] Issue 27: When to include a token?
> > > 
> > > Regarding the WSS 1.0 section 7.4 you are right. 
> > > 
> > > The WSS 1.0 X.509 token profile restricts token references
> > > to:
> > > - Subject Key Identifier
> > > - Direct reference using a URI 
> > > - Issuer and Serial number 
> > > 
> > > IMHO the profile description takes precedence.
> > > 
> > > Regards,
> > > Werner
> > > 
> > > > -----Original Message-----
> > > > From: Martin Gudgin [mailto:mgudgin@microsoft.com] 
> > > > Sent: Monday, 20 February 2006 02:39
> > > > To: Dittmann, Werner; Marc Goodner; ws-sx@lists.oasis-open.org
> > > > Subject: RE: [ws-sx] Issue 27: When to include a token?
> > > > 
> > > > I looked at WSS 1.0[1] and section 7.4 seems to describe a 
> > > > mechanism for embedding *any* token type. By my reading of 
> > > > that section, an embedded X509 cert would look something like;
> > > > 
> > > > <wsse:SecurityTokenReference>
> > > >  <wsse:Embedded>
> > > >   <wsse:BinarySecurityToken ValueType='wsse:X509v3' 
> > > > EncodingType='wsse:Base64Binary' >
> > > >   ...
> > > >   </wsse:BinarySecurityToken>
> > > >  </wsse:Embedded>
> > > > </wsse:SecurityTokenReference>
> > > > 
> > > > Gudge
> > > > 
> > > > [1] 
> > > > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-m
> > > > essage-security-1.0.pdf
> > > > 
> > > > > -----Original Message-----
> > > > > From: Dittmann, Werner [mailto:werner.dittmann@siemens.com] 
> > > > > Sent: 16 February 2006 00:15
> > > > > To: Martin Gudgin; Marc Goodner; ws-sx@lists.oasis-open.org
> > > > > Subject: RE: [ws-sx] Issue 27: When to include a token?
> > > > > 
> > > > > Some comments inline.
> > > > > 
> > > > > Regards,
> > > > > Werner
> > > > > 
> > > > > > -----Original Message-----
> > > > > > From: Martin Gudgin [mailto:mgudgin@microsoft.com] 
> > > > > > Sent: Tuesday, 14 February 2006 23:55
> > > > > > To: Marc Goodner; Dittmann, Werner; ws-sx@lists.oasis-open.org
> > > > > > Subject: RE: [ws-sx] Issue 27: When to include a token?
> > > > > > 
> > > > > > Comments inline
> > > > > > 
> > > > > > Cheers
> > > > > > 
> > > > > > Gudge 
> > > > > > 
> > > > > > > -----Original Message-----
> > > > > > > From: Marc Goodner [mailto:mgoodner@microsoft.com] 
> > > > > > > Sent: 09 February 2006 20:43
> > > > > > > To: Dittmann, Werner; ws-sx@lists.oasis-open.org
> > > > > > > Subject: [ws-sx] Issue 27: When to include a token?
> > > > > > > 
> > > > > > > This is now logged as issue 27.
> > > > > > > 
> > > > > > > Marc Goodner
> > > > > > > Technical Diplomat
> > > > > > > Microsoft Corporation
> > > > > > > Tel: (425) 703-1903
> > > > > > > Blog: http://spaces.msn.com/mrgoodner/ 
> > > > > > > 
> > > > > > > 
> > > > > > > -----Original Message-----
> > > > > > > From: Dittmann, Werner [mailto:werner.dittmann@siemens.com] 
> > > > > > > Sent: Thursday, February 09, 2006 12:12 AM
> > > > > > > To: ws-sx@lists.oasis-open.org
> > > > > > > Cc: Marc Goodner
> > > > > > > Subject: NEW Issue: When to include a token?
> > > > > > > 
> > > > > > > PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION
> > > > > > > THREAD UNTIL THE ISSUE IS ASSIGNED A NUMBER.
> > > > > > > 
> > > > > > > The issues coordinators will notify the list when that
> > > > > > > has occurred.
> > > > > > > 
> > > > > > > Protocol:  ws-sp
> > > > > > > ws-securitypolicy-1.2-spec-ed-01-r03-diff.pdf
> > > > > > > 
> > > > > > > Artifact:  spec
> > > > > > > 
> > > > > > > Type: design
> > > > > > > 
> > > > > > > Title: When to include a token?
> > > > > > > 
> > > > > > > Description:
> > > > > > > 
> > > > > > > Using token inclusion values (chap 5.1.1) one can specify when to
> > > > > > > include a token. On the other hand in chap 5.3.3 X509Token Assertion
> > > > > > > there are ways defined how to reference an X509 token. For example
> > > > > > > if "RequireIssuerSerialReference" is set and the inclusion value is
> > > > > > > "always": shall the token be included in the message? Which token
> > > > > > > shall the recipient take - the included one or the referenced?
> > > > > > 
> > > > > > [MJG]
> > > > > > I believe that inclusion requirements and reference requirements are
> > > > > > orthogonal. In your example above, I would expect the X509 cert to be
> > > > > > carried in the message and for its IssuerSerial to match that in the
> > > > > > IssuerSerial in any referencing STR.
> > > > > 
> > > > > [WD]
> > > > > Can agree. However, we had such a use case during some discussions on
> > > > > the WS Security list (and we actually had code in place that provided
> > > > > such a mechanism) but somehow the discussion showed that this usage
> > > > > should be avoided (can't remember the reasons for it, it's about 1 year
> > > > > ago). 
> > > > > 
> > > > > > > 
> > > > > > > With respect to the WS Security specification I interpret the
> > > > > > > inclusion value "always*" or "once" without any additional "Require*"
> > > > > > > assertion as "include the token as a BinarySecurityToken and reference
> > > > > > > it using a Reference in the SecurityTokenReference". Is this a correct
> > > > > > > interpretation?
> > > > > > 
> > > > > > [MJG]
> > > > > > Include the token in the message and reference it using a Direct
> > > > > > Reference from the STR (e.g. reference to a wsu:Id in the case of, for
> > > > > > example, a Username token ).
> > > > > > 
> > > > > > > 
> > > > > > > Also, with respect to WSS how to interpret or act on the
> > > > > > > RequireEmbeddedReference assertion? WSS does not specify an "embedded"
> > > > > > > mechanism for X509 certificates.
> > > > > > 
> > > > > > [MJG]
> > > > > > I thought embedded was defined as the token appearing verbatim inside
> > > > > > wsse:Embedded inside wsse:SecurityTokenReference but perhaps my memory
> > > > > > is faulty.
> > > > > >
> > > > > [WD] Yes, some time ago in the first draft specs of WS Security there was
> > > > > an identifier for such a behaviour. The current versions don't support that
> > > > > any more, AFAIK.
> > > > > 
> > > > > > > 
> > > > > > > Related issues:
> > > > > > > none
> > > > > > > 
> > > > > > > Proposed Resolution:
> > > > > > > 
> > > > > > > Clarify behaviour of the "token inclusion" and "token reference"
> > > > > > > interworking to avoid misinterpretations and probable interop
> > > > > > > problems.
> > > > > > > 
> > > > > > > 
> > > > > > > Werner Dittmann
> > > > > > > Siemens COM MN CC BD TO
> > > > > > > mailto:Werner.Dittmann@siemens.com
> > > > > > > Tel:   +49(0)89 636 50265
> > > > > > > Mobil: +49(0)172 85 85 245
> > > > > > > 
> > > > > > 
> > > > > 
> > > > 
> > > 
> > 
> 
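
The exchange above turns on two things a recipient has to decide: which element a SecurityTokenReference actually points at, and what to do when the message offers more than one answer to that question. As an added example that is not part of this thread or of any OASIS deliverable, the following Python resolves the Direct Reference and wsse:Embedded forms discussed by Gudge and Werner against a constructed wsse:Security header, and reports a fault whenever the answer is not unique: an STR carrying two reference children, a Direct Reference whose URI resolves to nothing, or two elements sharing one wsu:Id. The namespace and ValueType URIs are the WSS 1.0 / X.509 Token Profile 1.0 ones; the "one reference form per STR" and duplicate-Id rules are this example's conservative policy rather than text quoted from the specs, and the token bytes are a placeholder string, not a real certificate.

```python
"""Resolve the token references in a WS-Security header and report anything
ambiguous. Added example for this thread, not OASIS code; the sample header
and the "certificate" bytes below are constructed placeholders."""
import base64
import binascii
import xml.etree.ElementTree as ET

# WSS 1.0 and X.509 Token Profile 1.0 namespace / ValueType / EncodingType URIs.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
BASE64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"


def q(ns, local):
    """Clark-notation tag name as ElementTree reports it."""
    return "{%s}%s" % (ns, local)


FORM_TAGS = {q(WSSE, f) for f in ("Reference", "Embedded", "KeyIdentifier")}


class TokenReferenceError(ValueError):
    """The STR cannot be resolved to exactly one acceptable token."""


def index_ids(security):
    """Map every wsu:Id to its element. Two elements with the same Id would make
    a Direct Reference ambiguous, so this example's policy treats it as a fault."""
    ids = {}
    for el in security.iter():
        ident = el.get(q(WSU, "Id"))
        if ident is None:
            continue
        if ident in ids:
            raise TokenReferenceError("duplicate wsu:Id %r" % ident)
        ids[ident] = el
    return ids


def check_x509_bst(el):
    """Accept only a base64-encoded X509v3 BinarySecurityToken; return its bytes."""
    if el.tag != q(WSSE, "BinarySecurityToken"):
        raise TokenReferenceError("reference resolves to %s, not a BinarySecurityToken" % el.tag)
    if el.get("ValueType") != X509V3:
        raise TokenReferenceError("unexpected ValueType %r" % el.get("ValueType"))
    if el.get("EncodingType") != BASE64:
        raise TokenReferenceError("unexpected EncodingType %r" % el.get("EncodingType"))
    try:
        der = base64.b64decode((el.text or "").strip(), validate=True)
    except binascii.Error as exc:
        raise TokenReferenceError("token is not valid base64: %s" % exc)
    if not der:
        raise TokenReferenceError("empty token")
    return der


def resolve_str(str_el, ids):
    """Return (reference form, token bytes) for one SecurityTokenReference.
    Policy of this example: exactly one reference form per STR, otherwise the
    recipient cannot tell which token was meant."""
    forms = [c for c in str_el if c.tag in FORM_TAGS]
    if len(forms) != 1:
        raise TokenReferenceError("STR carries %d reference forms, expected 1" % len(forms))
    ref = forms[0]
    if ref.tag == q(WSSE, "Reference"):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            raise TokenReferenceError("only same-document Direct References are resolved here")
        target = ids.get(uri[1:])
        if target is None:
            raise TokenReferenceError("Direct Reference %r points at nothing in this header" % uri)
        return "Reference", check_x509_bst(target)
    if ref.tag == q(WSSE, "Embedded"):
        tokens = list(ref)
        if len(tokens) != 1:
            raise TokenReferenceError("wsse:Embedded must wrap exactly one token")
        return "Embedded", check_x509_bst(tokens[0])
    raise TokenReferenceError("KeyIdentifier needs an out-of-band key store; not resolved here")


def audit(security_xml):
    """Resolve every STR in the header; return 'ok: <forms>' or 'fault: <reason>'."""
    try:
        root = ET.fromstring(security_xml.strip())
        ids = index_ids(root)
        resolved = [resolve_str(s, ids) for s in root.iter(q(WSSE, "SecurityTokenReference"))]
    except (ET.ParseError, TokenReferenceError) as exc:
        return "fault: %s" % exc
    return "ok: " + ",".join(form for form, _ in resolved)


# Constructed sample data: the token content is a placeholder string, not DER.
PLACEHOLDER_DER = b"constructed placeholder, not a real DER certificate"
TOKEN_B64 = base64.b64encode(PLACEHOLDER_DER).decode()
BST = '<wsse:BinarySecurityToken wsu:Id="X509Token" ValueType="%s" EncodingType="%s">%s</wsse:BinarySecurityToken>'
BST = BST % (X509V3, BASE64, TOKEN_B64)


def build_header(*str_bodies, extra=""):
    """One included X509 BST, any extra element, then one STR per body given."""
    strs = "".join("<wsse:SecurityTokenReference>%s</wsse:SecurityTokenReference>" % b for b in str_bodies)
    return '<wsse:Security xmlns:wsse="%s" xmlns:wsu="%s">%s%s%s</wsse:Security>' % (WSSE, WSU, BST, extra, strs)


DIRECT = '<wsse:Reference URI="#X509Token" ValueType="%s"/>' % X509V3
EMBEDDED = "<wsse:Embedded>%s</wsse:Embedded>" % BST.replace(' wsu:Id="X509Token"', "")
DANGLING = '<wsse:Reference URI="#NoSuchToken"/>'
KEYID = "<wsse:KeyIdentifier/>"
SHADOW = BST  # a second element reusing the token's wsu:Id

if __name__ == "__main__":
    print(audit(build_header(DIRECT, EMBEDDED)))   # ok: Reference,Embedded
    print(audit(build_header(DIRECT + EMBEDDED)))  # fault: STR carries 2 reference forms, expected 1
    print(audit(build_header(DANGLING)))           # fault: Direct Reference '#NoSuchToken' points at nothing in this header
    print(audit(build_header(DIRECT, extra=SHADOW)))  # fault: duplicate wsu:Id 'X509Token'
```

Gudge's sketch above uses the QName-style ValueType of the earlier drafts (`wsse:X509v3`); this check accepts only the URI form the 1.0 X.509 profile uses, which is one reason a recipient written against the drafts and one written against 1.0 would disagree about the same embedded token.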

