Subject: RE: Issue 161: Add <sp:RequireAsync /> into sp:Trust13 assertion
Regarding this issue, yesterday's TC meeting minutes record the question: when is it async vs. sync? To determine this using policy, what about using the WSDL? Is that not acceptable for some reason?

Answer: As stated in the current spec, all assertions within the <sp:Trust13> assertion relate to exchanges based on WS-Trust, specifically to client and server behaviors that relate to interactions with a Security Token Service (STS). Whether the token exchange calls should be sync or async falls into the same category. It deals with how a client and an STS server interact, and fits well into the scope of the <sp:Trust13> assertion. Furthermore, the proposed new <sp:RequireAsync /> assertion also defines how security should be handled during the token exchange under WS-Trust, as sync or async token exchange has different implications for security as well as for interoperability. This is a security property and has to be a user preference item for the user to define, just as whether to use client- or server-side entropy is a user preference.

Why should we use WSDL to determine client and STS server interaction and security behavior? The WSDL should be generated based on the policy. There is no other example in this spec of using WSDL to determine a security behavior or user preference. Today, all the security behavior for SOAP messages is driven by the security policy; nothing is driven by WSDL or another protocol's policy. This async vs. sync security behavior in the trust token exchange should do the same.

Symon Chang
BEA Systems
From: Marc Goodner [mailto:mgoodner@microsoft.com]
Issue 161
From: Symon Chang [mailto:sychang@bea.com]
PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL THE ISSUE IS ASSIGNED A NUMBER. The issues coordinators will notify the list when that has occurred.
Protocol: ws-sp
http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/24534/ws-securitypolicy-1.2-spec-os.pdf
Artifact: policy
Type: design
Title: Add <sp:RequireAsync /> into sp:Trust13 assertion
In WS-SecureConversation, when using WS-Trust to establish the connection, the current WS-SecurityPolicy does not define how the WS-Trust communication between the STS and the requester should be done. While the default is synchronous mode, the WS-Trust spec does allow using synchronous mode to exchange the token.
By adding sp:RequireAsync into the existing sp:Trust13 assertion, the use of asynchronous or synchronous mode can become policy driven.
It is proposed to change the syntax of sp:Trust13 with one more element after line 2691:
<sp:RequireAsync />?
With the following text for the description:
“/sp:Trust13/wsp:Policy/sp:RequireAsync
This optional element is a policy assertion that indicates that the STS request
and response should use a synchronous mode. When this
assertion is missing, the default behavior is synchronous mode.”
Symon Chang BEA Systems
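The following is an added illustration of the policy-driven decision argued for above; it is not code from the thread, the TC, or any BEA or Microsoft implementation. It reads a WS-SecurityPolicy fragment and decides the token exchange mode from the proposed /sp:Trust13/wsp:Policy/sp:RequireAsync path: the assertion present means asynchronous, absent means the synchronous default named in the proposal. The namespace URIs for WS-SecurityPolicy 1.2 and WS-Policy 1.5 are assumed, as are the two sample policies, which are constructed for the example. A RequireAsync element placed directly under sp:Trust13 instead of under its nested wsp:Policy is deliberately not recognised, since that is not where the proposed syntax puts it.

```python
"""Decide sync vs. async WS-Trust token exchange from an sp:Trust13 assertion.

Added illustration, not code from the ws-sx mailing-list thread.
"""
import xml.etree.ElementTree as ET

# Namespace URIs assumed here: WS-SecurityPolicy 1.2 and WS-Policy 1.5.
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSP = "http://www.w3.org/ns/ws-policy"


def trust13_assertions(policy_xml: str) -> set:
    """Local names of the sp: assertions nested under sp:Trust13/wsp:Policy.

    Returns an empty set when no sp:Trust13 assertion is present. Only the
    wsp:Policy child of sp:Trust13 is inspected, matching the proposed path.
    """
    root = ET.fromstring(policy_xml)
    names = set()
    for trust13 in root.iter(f"{{{SP}}}Trust13"):
        nested = trust13.find(f"{{{WSP}}}Policy")
        if nested is None:
            continue
        for child in nested:
            if child.tag.startswith(f"{{{SP}}}"):
                names.add(child.tag.split("}", 1)[1])
    return names


def token_exchange_mode(policy_xml: str) -> str:
    """'async' if the proposed sp:RequireAsync is present, otherwise 'sync'.

    Absence of the assertion means the synchronous default from the proposal;
    the WSDL is never consulted, which is the point made in the thread.
    """
    return "async" if "RequireAsync" in trust13_assertions(policy_xml) else "sync"


# Constructed sample: Trust13 with client entropy plus the proposed RequireAsync.
POLICY_ASYNC = f"""
<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <sp:Trust13>
    <wsp:Policy>
      <sp:RequireClientEntropy />
      <sp:RequireAsync />
    </wsp:Policy>
  </sp:Trust13>
</wsp:Policy>
"""

# Constructed sample: the same Trust13 without RequireAsync, so the default applies.
POLICY_SYNC = POLICY_ASYNC.replace("      <sp:RequireAsync />\n", "")

# Constructed sample: RequireAsync misplaced directly under sp:Trust13 (ignored).
POLICY_MISPLACED = f"""
<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <sp:Trust13>
    <sp:RequireAsync />
    <wsp:Policy>
      <sp:RequireClientEntropy />
    </wsp:Policy>
  </sp:Trust13>
</wsp:Policy>
"""

if __name__ == "__main__":
    for label, policy in (("async", POLICY_ASYNC), ("sync", POLICY_SYNC),
                          ("misplaced", POLICY_MISPLACED)):
        print(label, "->", token_exchange_mode(policy), sorted(trust13_assertions(policy)))
```

A client or STS stub that branches on `token_exchange_mode()` gets its behaviour from the same security policy that already drives entropy and issued-token handling, with no dependency on WSDL generation order.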