Subject: RE: [ws-sx] Issue 41: Clarification on token propagation of SCT required
Hi Martin,

There is a difference between wst:AppliesTo and wst:Participants element semantics and I don't think they can be listed as alternatives. AFAIK wst:AppliesTo is used to determine target service(s) for which the initiator is planning to use the issued SCT whereas wst:Participants puts additional requirements on the token in terms of who can use the issued token. In other words, those two elements are orthogonal.

This being said, I think semantics provided by wst:AppliesTo element is what you are looking for in the section 3.2. The current example does not use either wst:AppliesTo or wst:Participants elements. This means that the context of the issued token is implied according to the WS-Trust.

I propose to change this issue from:

<Quote>
From the quotes above, my guess is that WS-SC should refer to the Authorized Token Participants extension element for the RST and should give an example or enhance the existing SCT Request Example (section 3.2, lines 323 ff) in section 3.3 of the WS-SC spec.
</Quote>

To:

<Quote>
WS-SC should refer to the wst:AppliesTo element for RST and RSTR and should give an example or enhance the existing SCT Request Example (section 3.2, lines 323 ff) and SCT propagation example (section 3.3, lines 399 ff) to include usage of wst:AppliesTo element.
</Quote>

Does this sound reasonable?

Thanks,
--Jan

-----Original Message-----
From: Marc Goodner [mailto:mgoodner@microsoft.com]
Sent: Monday, February 27, 2006 10:50 AM
To: martin.raepple@sap.com; ws-sx@lists.oasis-open.org
Subject: [ws-sx] Issue 41: Clarification on token propagation of SCT required

This is now logged as issue 41.

-----Original Message-----
From: martin.raepple@sap.com [mailto:martin.raepple@sap.com]
Sent: Monday, February 27, 2006 5:16 AM
To: ws-sx@lists.oasis-open.org
Cc: Marc Goodner
Subject: [ws-sx] NEW Issue: Clarification on token propagation of SCT required

PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL THE ISSUE IS ASSIGNED A NUMBER. The issues coordinators will notify the list when that has occurred.

Protocol: ws-trust / ws-sc
ws-secureconversation-1.3-spec-ed-01-r03-diff.doc
Artifact: spec
Type: design
Title: Clarification on token propagation of SCT required when STS has no prior knowledge of which parties the requester needs a token for.

Description:
WS-SC defines SCT token propagation in order to distribute an SCT and its POP token to the requester (context initiator) and the other parties (endpoint for secured requests). Section 3 (lines 255 ff), Establishing Security Contexts, refers to the mechanisms in WS-Trust for token propagation. If the STS has no prior knowledge of which parties the requester needs a token for, WS-Trust provides two alternatives to define these parties in the RST:

- wsp:AppliesTo in RST and RSTR, Section 4.2.1 (lines 677 ff):
  <quote> Both the requestor and the issuer can specify a scope for the issued token using the <wsp:AppliesTo> element. </quote>
  wsp:AppliesTo can be used to carry wsa:EndpointReference elements which contain endpoint URLs.

- Authorized Token Participants, Section 9.5 (lines 1969 ff):
  <quote> This parameter is typically used when there are additional parties using the token or if the requestor needs to clarify the actual parties involved (for some profile-specific reason). </quote>
  wst:ParticipantType can contain an arbitrary structure according to the ws-trust XSD.

From the quotes above, my guess is that WS-SC should refer to the Authorized Token Participants extension element for the RST and should give an example or enhance the existing SCT Request Example (section 3.2, lines 323 ff) in section 3.3 of the WS-SC spec.

Related issues:

Proposed Resolution:
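Added example, not part of the thread or of the WS-SC specification: an SCT request that carries both a wsp:AppliesTo scope and a wst:Participants list, read the way an issuer might, to show that the two elements answer different questions. The namespace URIs are those of the published WS-Trust 1.3 and WS-SecureConversation 1.3 and are assumed here; the endpoint URLs and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespaces as published in WS-Trust 1.3 / WS-SecureConversation 1.3 (assumed
# here; the 2006 editor drafts discussed in the thread may differ).
NS = {
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "wsa": "http://www.w3.org/2005/08/addressing",
}
SCT = "http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct"

# Constructed sample RST; the endpoint URLs are placeholders.
SAMPLE_RST = f"""
<wst:RequestSecurityToken xmlns:wst="{NS['wst']}" xmlns:wsp="{NS['wsp']}" xmlns:wsa="{NS['wsa']}">
  <wst:TokenType>{SCT}</wst:TokenType>
  <wst:RequestType>{NS['wst']}/Issue</wst:RequestType>
  <wsp:AppliesTo>
    <wsa:EndpointReference><wsa:Address>https://orders.example.com/svc</wsa:Address></wsa:EndpointReference>
  </wsp:AppliesTo>
  <wst:Participants>
    <wst:Primary>
      <wsa:EndpointReference><wsa:Address>https://orders.example.com/svc</wsa:Address></wsa:EndpointReference>
    </wst:Primary>
    <wst:Participant>
      <wsa:EndpointReference><wsa:Address>https://audit.example.com/svc</wsa:Address></wsa:EndpointReference>
    </wst:Participant>
  </wst:Participants>
</wst:RequestSecurityToken>
"""

def _addresses(parent):
    """Collect wsa:Address values under an element (empty list if absent)."""
    if parent is None:
        return []
    return [a.text.strip() for a in parent.iterfind(".//wsa:Address", NS) if a.text]

def describe_sct_request(rst_xml):
    """Return the token scope and the authorized participants as separate facts."""
    rst = ET.fromstring(rst_xml)
    if rst.findtext("wst:TokenType", default="", namespaces=NS).strip() != SCT:
        raise ValueError("not an SCT request")
    scope = _addresses(rst.find("wsp:AppliesTo", NS))
    parts = _addresses(rst.find("wst:Participants", NS))
    # Without AppliesTo the context of the issued token is implied, not stated.
    return {"scope": scope, "participants": parts, "scope_implied": not scope}
```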