[
Lists Home |
Date Index |
Thread Index
]
<Quote1>
According to the WS-Trust spec, "a web service can require that an
incoming message prove a set of claims." These claims are not limited
merely to identity, but can include the user's principal (or security
context)
</Quote1>
Can you take this one step further and explain how this would apply to
the presented scenario? In other words, how would the identity of SYSTEM
A be brought into the picture (allowing SYSTEM A to really be considered
a "user")? And how does it relate to the possibility of more granular
security at (for example) the WSDL Operation level?
<Quote2>
What is different in your scenario from what the WS-Trust spec calls
"brokered trust"?
</Quote2>
Brokered trust involves a third party (whether it is direct brokered
trust or indirect brokered trust). The presented scenario would not
utilize a third party.
Kind Regards,
Joe Chiusano
Booz | Allen | Hamilton
"Cavnar-Johnson, John" wrote:
>
>
>
> >
> > -----Original Message-----
> > From: Chiusano Joseph [mailto:chiusano_joseph@bah.com]
> > Sent: Wednesday, May 07, 2003 10:31 AM
> > To: Cavnar-Johnson, John
> > Cc: xml-dev@lists.xml.org
> >
> > Thanks John. I am actually very familiar with the WS-Trust
> > specification [1] (only mentioning my article so you can
> > understand my background).
> > WS-Trust involves parties exchanging security credentials
> > that are based on existing mechanisms (X.509 cert, SAML
> > assertion, Kerberos ticket, XrML license, etc.). All of these
> > mechanisms are based on "single-component" claims - that is,
> > a single user, a single resource, etc. The concepts I am
> > presenting are based on "multiple-component"
> > claims - that is, involving a user *and* a resource (such as
> > a Web service), or even more finely grained such as a user
> > and a resource and an Operation (in WSDL sense) on that resource.
>
> I guess I don't understand your scenario. According to the WS-Trust spec,
> "a web service can require that an incoming message prove a set of claims."
> These claims are not limited merely to identity, but can include the user's
> principal (or security context). I thought that clearly encompassed your
> scenario (i.e. you can require me to prove my identity and that I have
> successfully executed a particular operation on a resource. What is
> different in your scenario from what the WS-Trust spec calls "brokered
> trust"?
>
> -----------------------------------------------------------------
> The xml-dev list is sponsored by XML.org <http://www.xml.org>, an
> initiative of OASIS <http://www.oasis-open.org>
>
> The list archives are at http://lists.xml.org/archives/xml-dev/
>
> To subscribe or unsubscribe from this list use the subscription
> manager: <http://lists.xml.org/ob/adm.pl>
begin:vcard
n:Chiusano;Joseph
tel;work:(703) 902-6923
x-mozilla-html:FALSE
url:www.bah.com
org:Booz | Allen | Hamilton;IT Digital Strategies Team
adr:;;8283 Greensboro Drive;McLean;VA;22012;
version:2.1
email;internet:chiusano_joseph@bah.com
title:Senior Consultant
fn:Joseph M. Chiusano
end:vcard
|