Subject: NEW Issue: Missing assertions to indicate supported bindings for the secure conversation STS

PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL THE ISSUE IS ASSIGNED A NUMBER. The issues coordinators will notify the list when that has occurred.

Protocol: ws-securitypolicy
Artifact: spec / schema
Type: design
Title: Missing assertions to indicate supported bindings for the secure conversation STS

Description:

Currently there is no way for a secure conversation STS to signal the client what WS-Trust bindings it supports. This issue was encountered during the recent SP interop testing where one of the participant's STS didn't accept the SCT/Cancel RST messages but the client from another participant was sending SCT/Cancel RST messages to it. Currently it is necessary to exchange this information out of band in order to enable interoperability. Because all the WS-Trust bindings with the exception of Issue binding are optional, it makes sense to add assertions to the security policy for SCT based tokens to indicate what bindings are supported for the issued SCT tokens.

Related issues: None.

Proposed Resolution:

Add the following to the section 5.3.5 after line 934:

    <sp:MustNotSendCancel ... /> ?
    <sp:MustNotSendAmend ... /> ?
    <sp:MustNotSendRenew ... /> ?

Add the following to the section 5.3.5 after line 959:

/sp:SpnegoContextToken/wsp:Policy/sp:MustNotSendCancel
    This optional element is a policy assertion that indicates that the STS issuing the SP/Nego token does not support SCT/Cancel RST messages. If this assertion is missing it means that SCT/Cancel RST messages are supported by the STS.

/sp:SpnegoContextToken/wsp:Policy/sp:MustNotSendAmend
    This optional element is a policy assertion that indicates that the STS issuing the SP/Nego token does not support SCT/Amend RST messages. If this assertion is missing it means that SCT/Amend RST messages are supported by the STS.

/sp:SpnegoContextToken/wsp:Policy/sp:MustNotSendRenew
    This optional element is a policy assertion that indicates that the STS issuing the SP/Nego token does not support SCT/Renew RST messages. If this assertion is missing it means that SCT/Renew RST messages are supported by the STS.

Add the following to the section 5.3.7 after line 1027:

    <sp:MustNotSendCancel ... /> ?
    <sp:MustNotSendAmend ... /> ?
    <sp:MustNotSendRenew ... /> ?

Add the following to the section 5.3.7 after line 1060:

/sp:SecureConversationToken/wsp:Policy/sp:MustNotSendCancel
    This optional element is a policy assertion that indicates that the STS issuing the secure conversation token does not support SCT/Cancel RST messages. If this assertion is missing it means that SCT/Cancel RST messages are supported by the STS.

/sp:SecureConversationToken/wsp:Policy/sp:MustNotSendAmend
    This optional element is a policy assertion that indicates that the STS issuing the secure conversation token does not support SCT/Amend RST messages. If this assertion is missing it means that SCT/Amend RST messages are supported by the STS.

/sp:SecureConversationToken/wsp:Policy/sp:MustNotSendRenew
    This optional element is a policy assertion that indicates that the STS issuing the secure conversation token does not support SCT/Renew RST messages. If this assertion is missing it means that SCT/Renew RST messages are supported by the STS.
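
Added example, not part of the original message or of any WS-SX implementation: a client-side check that reads a policy and decides which SCT RST bindings it may send under the proposed assertions. The namespace URIs, the function name and the sample policy are assumptions; the sketch also assumes a single policy alternative with at most one token assertion of each kind.

```python
import xml.etree.ElementTree as ET

# Namespace URIs are assumptions; the message above does not state them.
NS = {
    "sp": "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
}
TOKEN_ASSERTIONS = ("SpnegoContextToken", "SecureConversationToken")
OPTIONAL_BINDINGS = ("Cancel", "Amend", "Renew")

# Constructed sample policy: an STS that rejects SCT/Cancel and SCT/Amend.
SAMPLE_POLICY = """
<wsp:Policy xmlns:wsp="{wsp}" xmlns:sp="{sp}">
  <sp:ProtectionToken>
    <wsp:Policy>
      <sp:SecureConversationToken>
        <wsp:Policy>
          <sp:MustNotSendCancel/>
          <sp:MustNotSendAmend/>
        </wsp:Policy>
      </sp:SecureConversationToken>
    </wsp:Policy>
  </sp:ProtectionToken>
</wsp:Policy>
""".format(**NS)


def allowed_sct_bindings(policy_xml):
    """Map each SCT-based token assertion to the RST bindings a client may send."""
    root = ET.fromstring(policy_xml)
    result = {}
    for token_name in TOKEN_ASSERTIONS:
        for token in root.iter("{%s}%s" % (NS["sp"], token_name)):
            # Only the token's own wsp:Policy children count, matching the
            # /sp:<Token>/wsp:Policy/sp:MustNotSend* paths in the proposal.
            nested = token.find("wsp:Policy", NS)
            allowed = {"Issue"}  # Issue is the only non-optional binding
            for binding in OPTIONAL_BINDINGS:
                forbidden = (nested is not None and
                             nested.find("sp:MustNotSend" + binding, NS) is not None)
                # A missing assertion means the STS supports the binding.
                if not forbidden:
                    allowed.add(binding)
            result[token_name] = allowed
    return result


if __name__ == "__main__":
    print(allowed_sct_bindings(SAMPLE_POLICY))
```

A client would consult the returned set before sending SCT/Cancel, SCT/Amend or SCT/Renew, instead of learning the STS's supported bindings out of band.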