> 
> -----Original Message-----
> From: Chiusano Joseph [mailto:chiusano_joseph@b...] 
> Sent: Wednesday, May 07, 2003 10:31 AM
> To: Cavnar-Johnson, John
> Cc: xml-dev@l...
> 
> Thanks John. I am actually very familiar with the WS-Trust 
> specification [1] (only mentioning my article so you can 
> understand my background).
> WS-Trust involves parties exchanging security credentials 
> that are based on existing mechanisms (X.509 cert, SAML 
> assertion, Kerberos ticket, XrML license, etc.). All of these 
> mechanisms are based on "single-component" claims - that is, 
> a single user, a single resource, etc. The concepts I am 
> presenting are based on "multiple-component"
> claims - that is, involving a user *and* a resource (such as 
> a Web service), or even more finely grained such as a user 
> and a resource and an Operation (in WSDL sense) on that resource.

I guess I don't understand your scenario.  According to the WS-Trust spec,
"a web service can require that an incoming message prove a set of claims."
These claims are not limited merely to identity, but can include the user's
principal (or security context).  I thought that clearly encompassed your
scenario (i.e., you can require me to prove my identity and that I have
successfully executed a particular operation on a resource).  What is
different in your scenario from what the WS-Trust spec calls "brokered
trust"?
