>
> -----Original Message-----
> From: Chiusano Joseph [mailto:chiusano_joseph@bah.com]
> Sent: Wednesday, May 07, 2003 10:31 AM
> To: Cavnar-Johnson, John
> Cc: xml-dev@lists.xml.org
>
> Thanks John. I am actually very familiar with the WS-Trust
> specification [1] (only mentioning my article so you can
> understand my background).
> WS-Trust involves parties exchanging security credentials
> that are based on existing mechanisms (X.509 cert, SAML
> assertion, Kerberos ticket, XrML license, etc.). All of these
> mechanisms are based on "single-component" claims - that is,
> a single user, a single resource, etc. The concepts I am
> presenting are based on "multiple-component"
> claims - that is, involving a user *and* a resource (such as
> a Web service), or even more finely grained such as a user
> and a resource and an Operation (in WSDL sense) on that resource.
I guess I don't understand your scenario. According to the WS-Trust spec,
"a web service can require that an incoming message prove a set of claims."
These claims are not limited merely to identity, but can include the user's
principal (or security context). I thought that clearly encompassed your
scenario (i.e. you can require me to prove my identity and that I have
successfully executed a particular operation on a resource). What is
different in your scenario from what the WS-Trust spec calls "brokered
trust"?
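As an added illustration (not part of this thread, and not the WS-Trust specification's own token format), the Python model below shows the distinction being argued about: a relying service that requires an incoming message to prove a *set* of claims, where one claim set is "single-component" (just the subject) and the other is "multiple-component" (subject, resource, and operation bound together). The token encoding, the shared HMAC key standing in for the token service, and the claim names are all constructed for the example; a real WS-Trust deployment would carry signed XML tokens (SAML, X.509, etc.) rather than this JSON string.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed stand-in for a key shared between the token issuer and the
# relying service. Not a WS-Trust mechanism; it only lets the example
# verify that a claim set was issued rather than asserted by the caller.
STS_KEY = b"constructed-example-key-do-not-reuse"


def issue_token(claims: dict, key: bytes = STS_KEY) -> str:
    """Hypothetical token service: bind a claim set to a MAC so the relying
    party can tell an issued claim set from a forged or altered one."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":"))
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify_token(token: str, key: bytes = STS_KEY) -> Optional[dict]:
    """Return the claim set if the MAC checks out, else None."""
    body, _, mac = token.rpartition(".")  # hex MAC never contains '.'
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(body)


def claims_satisfied(presented: dict, required: dict) -> bool:
    """Every claim the service requires must be present with the same value."""
    return all(presented.get(name) == value for name, value in required.items())


def authorize(token: str, resource: str, operation: str,
              key: bytes = STS_KEY) -> bool:
    """Relying service policy for a 'multiple-component' claim: the token
    must name a subject AND be bound to this resource AND this operation.
    A token issued for a different operation on the same resource is
    rejected, which is what binding the extra components buys you."""
    claims = verify_token(token, key)
    if claims is None:
        return False
    required = {"resource": resource, "operation": operation}
    return "subject" in claims and claims_satisfied(claims, required)


if __name__ == "__main__":
    # Constructed sample claim sets.
    bound = issue_token({"subject": "alice",
                         "resource": "urn:example:orders",
                         "operation": "submitOrder"})
    identity_only = issue_token({"subject": "alice"})
    print(authorize(bound, "urn:example:orders", "submitOrder"))   # True
    print(authorize(bound, "urn:example:orders", "cancelOrder"))   # False
    print(authorize(identity_only, "urn:example:orders", "submitOrder"))  # False
```

The `identity_only` token is the "single-component" case from the quoted message: it proves who the caller is but says nothing about which resource or operation was granted, so a service whose policy requires the fuller claim set rejects it. The `bound` token passes only for the exact resource and operation it names.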