
  • To: "Cavnar-Johnson John" <JCavnar-Johnson@s...>
  • Subject: Re: Blended Authentication (AKA "Granular Access Control")
  • From: "Chiusano Joseph" <chiusano_joseph@b...>
  • Date: Wed, 07 May 2003 15:51:44 -0400
  • Cc: xml-dev@l...
  • Organization: BAH
  • References: <200305071901.h47J1R0l028357@e...>

<Quote1>
According to the WS-Trust spec, "a web service can require that an
incoming message prove a set of claims." These claims are not limited
merely to identity, but can include the user's principal (or security
context)
</Quote1>

Can you take this one step further and explain how this would apply to
the presented scenario? In other words, how would the identity of SYSTEM
A be brought into the picture (allowing SYSTEM A to really be considered
a "user")? And how does it relate to the possibility of more granular
security at (for example) the WSDL Operation level?

<Quote2>
What is different in your scenario from what the WS-Trust spec calls
"brokered trust"?
</Quote2>

Brokered trust involves a third party (whether it is direct brokered
trust or indirect brokered trust). The presented scenario would not
utilize a third party.

Kind Regards,
Joe Chiusano
Booz | Allen | Hamilton

"Cavnar-Johnson, John" wrote:
> 
> >
> > -----Original Message-----
> > From: Chiusano Joseph [mailto:chiusano_joseph@b...]
> > Sent: Wednesday, May 07, 2003 10:31 AM
> > To: Cavnar-Johnson, John
> > Cc: xml-dev@l...
> >
> > Thanks John. I am actually very familiar with the WS-Trust
> > specification [1] (only mentioning my article so you can
> > understand my background).
> > WS-Trust involves parties exchanging security credentials
> > that are based on existing mechanisms (X.509 cert, SAML
> > assertion, Kerberos ticket, XrML license, etc.). All of these
> > mechanisms are based on "single-component" claims - that is,
> > a single user, a single resource, etc. The concepts I am
> > presenting are based on "multiple-component"
> > claims - that is, involving a user *and* a resource (such as
> > a Web service), or even more finely grained such as a user
> > and a resource and an Operation (in WSDL sense) on that resource.
> 
> I guess I don't understand your scenario.  According to the WS-Trust spec,
> "a web service can require that an incoming message prove a set of claims."
> These claims are not limited merely to identity, but can include the user's
> principal (or security context).  I thought that clearly encompassed your
> scenario (i.e. you can require me to prove my identity and that I have
> successfully executed a particular operation on a resource).  What is
> different in your scenario from what the WS-Trust spec calls "brokered
> trust"?
> 
> -----------------------------------------------------------------
> The xml-dev list is sponsored by XML.org <http://www.xml.org>, an
> initiative of OASIS <http://www.oasis-open.org>
> 
> The list archives are at http://lists.xml.org/archives/xml-dev/
> 
> To subscribe or unsubscribe from this list use the subscription
> manager: <http://lists.xml.org/ob/adm.pl>
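The distinction argued over in this exchange (an identity-only "single-component" claim versus a claim that binds a user *and* a resource *and* a WSDL Operation) is easier to see with a policy enforcement point in front of you. The following is an added example, not code from either poster and not a WS-Trust or WS-Security wire format: the token encoding, the HMAC signing, the key, the system names (SystemA, SystemB) and the operation-level policy table are all assumptions made for illustration. It shows why a token that carries only `sub` can be replayed against any operation the subject is authorised for, while a token that also carries `res` and `op` is rejected when presented to a different operation on the same service, which is the "granular access control" property being discussed.

```python
"""Added example (not from the original thread): a toy policy enforcement
point that evaluates 'multiple-component' claims (user + resource + WSDL
operation) next to an identity-only claim. Token format, HMAC signing,
key and policy table are assumptions for illustration only."""
import hashlib
import hmac
import json
from typing import Tuple

# Assumed key shared between the issuer (an STS) and the relying party.
ISSUER_KEY = b"example-sts-key-not-for-production"

# Assumed operation-level policy for SYSTEM B: which subjects may invoke
# which WSDL Operation. (Constructed for the example.)
POLICY = {
    ("SystemB", "GetAccountBalance"): {"SystemA"},
    ("SystemB", "ListAccounts"): {"SystemA"},
    ("SystemB", "TransferFunds"): set(),
}


def issue_token(claims: dict) -> str:
    """Issue a signed claim set. Keys are sorted so the MAC is computed
    over a canonical byte string."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":"))
    mac = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + mac


def verify_token(token: str) -> dict:
    """Return the claim set if the MAC verifies, else raise ValueError."""
    body, _, mac = token.rpartition(".")
    expected = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad signature")
    return json.loads(body)


def authorize(token: str, resource: str, operation: str) -> Tuple[bool, str]:
    """Policy enforcement point for a single WSDL Operation.

    An identity-only token is checked against POLICY for the requested
    (resource, operation). A token that also carries 'res' and 'op'
    claims must in addition match the operation actually being invoked,
    so a token obtained for one operation cannot be replayed against
    another operation the same subject happens to be allowed to call."""
    try:
        claims = verify_token(token)
    except ValueError as exc:
        return False, str(exc)
    subject = claims.get("sub")
    if subject is None:
        return False, "no subject claim"
    if subject not in POLICY.get((resource, operation), set()):
        return False, f"{subject} not permitted on {resource}.{operation}"
    # Multiple-component claim: also bound to a resource and an operation.
    if "res" in claims and claims["res"] != resource:
        return False, "token bound to a different resource"
    if "op" in claims and claims["op"] != operation:
        return False, "token bound to a different operation"
    return True, "ok"


if __name__ == "__main__":
    identity_only = issue_token({"sub": "SystemA"})
    bound = issue_token({"sub": "SystemA", "res": "SystemB",
                         "op": "GetAccountBalance"})
    for tok, name in ((identity_only, "identity-only"), (bound, "bound")):
        for op in ("GetAccountBalance", "ListAccounts", "TransferFunds"):
            print(name, op, authorize(tok, "SystemB", op))
```

The identity-only token is accepted on both operations SystemA is listed for; the bound token is accepted only on the operation it was issued for. A tampered body (for instance the subject edited to another system name) fails the MAC check before any policy is consulted.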
