Subject: RE: [ws-sx] Issue 101: Need additional SamlToken Assertion Elements for Holder-of-Key and Sender-Vouches
As I mentioned on the call, I think that Holder-Of-Key is indicated by virtue of the SAML token being used as a token that requires proof of key knowledge, for example, [Protection Token], [Endorsing Supporting Tokens], [Signed Endorsing Supporting Tokens]. Similarly, I think Sender-Vouches is indicated by virtue of the SAML token being used as a token that requires signing, for example, [Signed Supporting Tokens].

Gudge

> -----Original Message-----
> From: Frederick Hirsch [mailto:frederick.hirsch@nokia.com]
> Sent: 10 August 2006 23:25
> To: Marc Goodner
> Cc: Frederick Hirsch; Rich Levinson; ws-sx@lists.oasis-open.org
> Subject: Re: [ws-sx] Issue 101: Need additional SamlToken Assertion Elements for Holder-of-Key and Sender-Vouches
>
> +1 on adopting one of Rich's proposals (TC to determine which)
>
> This was one of the issues I noted with regard to the Interop document when attempting to craft policy statements for the interop scenarios:
>
> "- how to state confirmation method requirement in policy (e.g. HoK for SAML tokens)"
>
> See <http://www.oasis-open.org/apps/org/workgroup/ws-sx/email/archives/200607/msg00068.html>
>
> regards, Frederick
>
> Frederick Hirsch
> Nokia
>
> On Aug 9, 2006, at 9:38 AM, ext Marc Goodner wrote:
>
> > Issue 101.
> >
> > -----Original Message-----
> > From: Rich Levinson [mailto:rich.levinson@oracle.com]
> > Sent: Tuesday, August 08, 2006 6:25 PM
> > To: ws-sx@lists.oasis-open.org; Marc Goodner
> > Subject: NEW Issue: Need additional SamlToken Assertion Elements for Holder-of-Key and Sender-Vouches
> >
> > PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL THE ISSUE IS ASSIGNED A NUMBER.
> > The issues coordinators will notify the list when that has occurred.
> >
> > Protocol: ws-sp
> >
> > http://www.oasis-open.org/committees/download.php/18837/ws-securitypolicy-1.2-spec-ed-01-r07.pdf
> >
> > Artifact: spec
> >
> > Type: design
> >
> > Title:
> >
> > Need additional SamlToken Assertion Elements for Holder-of-Key and Sender-Vouches
> >
> > Description:
> >
> > Comparable to the level of granularity defined for UsernameToken Assertions (lines 854-861 (NoPassword, HashPassword)) and X509Token Assertions (lines 1004-1024, several token types), the SamlToken Assertion needs token types of sender-vouches and holder-of-key defined. As in the Username and X509 token cases, the WS 1.0 and WS 1.1 Saml Token profiles identify these token types as explicit use cases that the profile supports.
> >
> > http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0.pdf
> > see line 495
> >
> > http://www.oasis-open.org/committees/download.php/16768/wss-v1.1-spec-os-SAMLTokenProfile.pdf
> > see line 672
> >
> > Related issues: None
> >
> > Proposed Resolution:
> >
> > Add the following lines after line 1322 in section 5.3.8:
> >
> > /sp:SamlToken/wsp:Policy/sp:WssSamlHolderOfKey
> > This optional element identifies that a SAML holder-of-key token should be used as defined in [WSS: SAML Token Profile 1.0, 1.1].
> >
> > /sp:SamlToken/wsp:Policy/sp:WssSamlSenderVouches
> > This optional element identifies that a SAML sender-vouches token should be used as defined in [WSS: SAML Token Profile 1.0, 1.1].
> >
> > The above proposal would require 2 elements to fully define the required token. An alternative approach would be to explicitly define the 2 tokens for all 3 supported versions as follows:
> >
> > /sp:SamlToken/wsp:Policy/sp:WssSamlV11Token10HolderOfKey
> > This optional element identifies that a SAML Version 1.1 holder-of-key token should be used as defined in [WSS: SAML Token Profile 1.0].
> >
> > /sp:SamlToken/wsp:Policy/sp:WssSamlV11Token10SenderVouches
> > This optional element identifies that a SAML Version 1.1 sender-vouches token should be used as defined in [WSS: SAML Token Profile 1.0].
> >
> > /sp:SamlToken/wsp:Policy/sp:WssSamlV11Token11HolderOfKey
> > This optional element identifies that a SAML Version 1.1 holder-of-key token should be used as defined in [WSS: SAML Token Profile 1.1].
> >
> > /sp:SamlToken/wsp:Policy/sp:WssSamlV11Token11SenderVouches
> > This optional element identifies that a SAML Version 1.1 sender-vouches token should be used as defined in [WSS: SAML Token Profile 1.1].
> >
> > /sp:SamlToken/wsp:Policy/sp:WssSamlV20Token11HolderOfKey
> > This optional element identifies that a SAML Version 2.0 holder-of-key token should be used as defined in [WSS: SAML Token Profile 1.1].
> >
> > /sp:SamlToken/wsp:Policy/sp:WssSamlV20Token11SenderVouches
> > This optional element identifies that a SAML Version 2.0 sender-vouches token should be used as defined in [WSS: SAML Token Profile 1.1].
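The two positions in this thread can be checked side by side: Gudge's reply argues that the confirmation method is already implied by where the sp:SamlToken appears in the policy, while Rich's first proposal adds explicit sp:WssSamlHolderOfKey / sp:WssSamlSenderVouches elements. The script below is an added illustration by the editor, not code from the thread or from any TC deliverable. It walks a constructed WS-SecurityPolicy fragment, derives the implied method from the enclosing assertion exactly as Gudge's reply lists them (ProtectionToken, EndorsingSupportingTokens and SignedEndorsingSupportingTokens imply holder-of-key; SignedSupportingTokens implies sender-vouches), reads the proposed explicit element if present, and reports where the two disagree. The WS-SecurityPolicy 1.2 and W3C WS-Policy namespace URIs are assumed; the explicit elements are hypothetical, taken from the proposal and not from the published specification.

```python
import xml.etree.ElementTree as ET

# Assumed namespaces: WS-SecurityPolicy 1.2 and W3C WS-Policy.
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSP = "http://www.w3.org/ns/ws-policy"
NS = {"sp": SP, "wsp": WSP}

# Positions named in Gudge's reply: a token used here must prove key knowledge.
KEY_PROOF_POSITIONS = {
    "ProtectionToken",
    "EndorsingSupportingTokens",
    "SignedEndorsingSupportingTokens",
}
# Position where the token only has to be covered by the message signature.
SIGNED_ONLY_POSITIONS = {"SignedSupportingTokens"}

# Explicit elements from Rich's first proposal (hypothetical, not in the spec).
EXPLICIT_ELEMENTS = {
    "WssSamlHolderOfKey": "holder-of-key",
    "WssSamlSenderVouches": "sender-vouches",
}


def local_name(tag):
    """Strip the {namespace} prefix ElementTree attaches to tag names."""
    return tag.rsplit("}", 1)[-1]


def implied_method(position):
    """Confirmation method implied by the assertion the SAML token sits in."""
    if position in KEY_PROOF_POSITIONS:
        return "holder-of-key"
    if position in SIGNED_ONLY_POSITIONS:
        return "sender-vouches"
    return None


def explicit_method(saml_token):
    """Confirmation method stated by a proposed explicit element, if any."""
    nested = saml_token.find("wsp:Policy", NS)
    if nested is None:
        return None
    for child in nested:
        method = EXPLICIT_ELEMENTS.get(local_name(child.tag))
        if method is not None:
            return method
    return None


def analyse(policy_xml):
    """Return (position, implied, explicit) for every sp:SamlToken found."""
    root = ET.fromstring(policy_xml)
    results = []
    for assertion in root.iter():
        if not assertion.tag.startswith("{" + SP + "}"):
            continue
        position = local_name(assertion.tag)
        if implied_method(position) is None:
            continue
        for token in assertion.iterfind(".//sp:SamlToken", NS):
            results.append((position, implied_method(position), explicit_method(token)))
    return results


def conflicts(results):
    """Tokens whose explicit element contradicts the position-implied method."""
    return [r for r in results if r[2] is not None and r[2] != r[1]]


# Constructed sample policy: one SAML token endorsing the signature (implies
# holder-of-key) and one signed-only token that nevertheless carries the
# proposed holder-of-key element, so the two approaches disagree on it.
SAMPLE_POLICY = f"""
<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <sp:SignedEndorsingSupportingTokens>
    <wsp:Policy>
      <sp:SamlToken>
        <wsp:Policy><sp:WssSamlV11Token11/></wsp:Policy>
      </sp:SamlToken>
    </wsp:Policy>
  </sp:SignedEndorsingSupportingTokens>
  <sp:SignedSupportingTokens>
    <wsp:Policy>
      <sp:SamlToken>
        <wsp:Policy>
          <sp:WssSamlV11Token11/>
          <sp:WssSamlHolderOfKey/>
        </wsp:Policy>
      </sp:SamlToken>
    </wsp:Policy>
  </sp:SignedSupportingTokens>
</wsp:Policy>
"""

if __name__ == "__main__":
    found = analyse(SAMPLE_POLICY)
    for position, implied, explicit in found:
        print(f"{position}: implied={implied} explicit={explicit}")
    for position, implied, explicit in conflicts(found):
        print(f"conflict in {position}: element says {explicit}, position implies {implied}")
```

Running it prints both tokens and flags the second one, which is the practical argument behind Gudge's point: if the explicit element is adopted, a policy processor also has to decide what to do when the element and the token's position disagree, whereas deriving the method from position alone leaves no such case.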