- From: Yuquan Tracy Jiang (jiangy) <jiangy@cisco.com>
- Date: Mon, 23 Apr 2007 17:14:31 -0700
- To: <www-ws@w3.org>
- Message-ID: <43F339CB2F4C8E4DA0AC53BFA69B0DD5038E0EA7@xmb-sjc-226.amer.cisco.com>

I have a question regarding the TransportBinding assertion in WS-SecurityPolicy (http://www.oasis-open.org/committees/download.php/15979/oasis-wssx-ws-securitypolicy-1.0.pdf).

The spec defines the TransportBinding Assertion (Section 7.3) to have the following format:

    <sp:TransportBinding ... >
      <wsp:Policy>
        <sp:TransportToken ... >
          <wsp:Policy> ... </wsp:Policy>
          ....
        </sp:TransportToken>
        <sp:AlgorithmSuite ... > ... </sp:AlgorithmSuite>
        <sp:Layout ... > ... </sp:Layout> ?
        <sp:IncludeTimestamp ... /> ?
        ....
      </wsp:Policy>
      ....
    </sp:TransportBinding>

I am really confused by the meaning of the nested policies, including sp:AlgorithmSuite, sp:Layout, sp:IncludeTimestamp. It looks to me like only the TransportToken is relevant to the transport level security, e.g., https. When other nested policies are present together with HttpsToken, are they really related to each other, or is only the https token related to transport level security, and the rest of the nested policies, although included in the TransportBinding policy, are actually used to control message level security?

The most confusing part is the AlgorithmSuite policy. When it is used together with HttpsToken in the TransportBinding policy, is it used to control the ciphersuites to be used in SSL negotiation? Or does it have nothing to do with SSL negotiation and is it only used to control the XML crypto operations on the message level?

Can someone share the right understanding of this?

Thanks in advance!

Tracy

Received on Tuesday, 24 April 2007 06:49:52 UTC