Subject: Issue PR011: Missing assertions to indicate supported bindings for the secure conversation STS
Issue PR011

From: Jan Alexander [mailto:janalex@microsoft.com]

PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL THE ISSUE IS ASSIGNED A NUMBER. The issues coordinators will notify the list when that has occurred.

Protocol: ws-securitypolicy
Artifact: spec / schema
Type: design
Title: Missing assertions to indicate supported bindings for the secure conversation STS

Description:

Currently there is no way for a secure conversation STS to signal the client what WS-Trust bindings it supports. This issue was encountered during the recent SP interop testing where one of the participants' STS didn’t accept the SCT/Cancel RST messages but the client from another participant was sending SCT/Cancel RST messages to it. Currently it is necessary to exchange this information out of band in order to enable interoperability. Because all the WS-Trust bindings with the exception of Issue binding are optional, it makes sense to add assertions to the security policy for SCT based tokens to indicate what bindings are supported for the issued SCT tokens.

Related issues: None.

Proposed Resolution:

Add the following to the section 5.3.5 after line 934:

    <sp:MustNotSendCancel ... /> ?
    <sp:MustNotSendAmend ... /> ?
    <sp:MustNotSendRenew ... /> ?

Add the following to the section 5.3.5 after line 959:

/sp:SpnegoContextToken/wsp:Policy/sp:MustNotSendCancel
    This optional element is a policy assertion that indicates that the STS issuing the SP/Nego token does not support SCT/Cancel RST messages. If this assertion is missing it means that SCT/Cancel RST messages are supported by the STS.

/sp:SpnegoContextToken/wsp:Policy/sp:MustNotSendAmend
    This optional element is a policy assertion that indicates that the STS issuing the SP/Nego token does not support SCT/Amend RST messages. If this assertion is missing it means that SCT/Amend RST messages are supported by the STS.

/sp:SpnegoContextToken/wsp:Policy/sp:MustNotSendRenew
    This optional element is a policy assertion that indicates that the STS issuing the SP/Nego token does not support SCT/Renew RST messages. If this assertion is missing it means that SCT/Renew RST messages are supported by the STS.

Add the following to the section 5.3.7 after line 1027:

    <sp:MustNotSendCancel ... /> ?
    <sp:MustNotSendAmend ... /> ?
    <sp:MustNotSendRenew ... /> ?

Add the following to the section 5.3.7 after line 1060:

/sp:SecureConversationToken/wsp:Policy/sp:MustNotSendCancel
    This optional element is a policy assertion that indicates that the STS issuing the secure conversation token does not support SCT/Cancel RST messages. If this assertion is missing it means that SCT/Cancel RST messages are supported by the STS.

/sp:SecureConversationToken/wsp:Policy/sp:MustNotSendAmend
    This optional element is a policy assertion that indicates that the STS issuing the secure conversation token does not support SCT/Amend RST messages. If this assertion is missing it means that SCT/Amend RST messages are supported by the STS.

/sp:SecureConversationToken/wsp:Policy/sp:MustNotSendRenew
    This optional element is a policy assertion that indicates that the STS issuing the secure conversation token does not support SCT/Renew RST messages. If this assertion is missing it means that SCT/Renew RST messages are supported by the STS.
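
The semantics proposed in the message above, as an added example that is not part of the original message or of the specification: a client-side check that reads a policy and works out, for each SCT-based token assertion, which RST bindings may be sent. The namespace URIs, the function name and the sample policy are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumed namespace URIs; substitute the ones your policy documents use.
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"

TOKEN_TAGS = {f"{{{SP}}}SpnegoContextToken", f"{{{SP}}}SecureConversationToken"}
# Proposed assertion -> optional WS-Trust binding it switches off.
MUST_NOT_SEND = {"MustNotSendCancel": "Cancel",
                 "MustNotSendAmend": "Amend",
                 "MustNotSendRenew": "Renew"}

def allowed_sct_bindings(policy_xml):
    """Return [(token assertion name, set of RST bindings the client may send)].

    Only parse policy from a trusted source: ElementTree is not hardened
    against maliciously constructed XML.
    """
    results = []
    for elem in ET.fromstring(policy_xml).iter():
        if elem.tag not in TOKEN_TAGS:
            continue
        # A missing assertion means the binding is supported; Issue is mandatory.
        allowed = {"Issue", "Cancel", "Amend", "Renew"}
        nested = elem.find(f"{{{WSP}}}Policy")
        if nested is not None:
            for assertion, binding in MUST_NOT_SEND.items():
                # find() matches direct children only, so assertions that belong
                # to a token nested deeper (bootstrap policy) are not applied here.
                if nested.find(f"{{{SP}}}{assertion}") is not None:
                    allowed.discard(binding)
        results.append((elem.tag.rsplit("}", 1)[1], allowed))
    return results

# Constructed sample policy, not taken from the message or the specification.
SAMPLE_POLICY = f"""
<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <sp:SecureConversationToken>
    <wsp:Policy>
      <sp:MustNotSendCancel/>
      <sp:BootstrapPolicy>
        <wsp:Policy>
          <sp:SpnegoContextToken>
            <wsp:Policy><sp:MustNotSendRenew/></wsp:Policy>
          </sp:SpnegoContextToken>
        </wsp:Policy>
      </sp:BootstrapPolicy>
    </wsp:Policy>
  </sp:SecureConversationToken>
</wsp:Policy>
"""

if __name__ == "__main__":
    for token, bindings in allowed_sct_bindings(SAMPLE_POLICY):
        print(token, sorted(bindings))
```

A client would consult the returned set before sending an SCT/Cancel, SCT/Amend or SCT/Renew RST, instead of learning the STS's limits out of band.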