Posted to rampart-dev@ws.apache.org by "Narayan Singh Dhillon (JIRA)" <ji...@apache.org> on 2008/02/29 00:05:52 UTC

[jira] Created: (RAMPART-144) Timestamp with just create time element

Timestamp with just create time element
---------------------------------------

                 Key: RAMPART-144
                 URL: https://issues.apache.org/jira/browse/RAMPART-144
             Project: Rampart
          Issue Type: Bug
          Components: rampart-core
    Affects Versions: 1.3
            Reporter: Narayan Singh Dhillon
            Assignee: Ruchith Udayanga Fernando


If we want to have just the "wsu:Created" element inside "wsu:Timestamp", Rampart doesn't allow it.

WS-Security policy doesn't seem to define any policy semantics for the above, but this element is optional and often not used in practical scenarios because of clock differences, but it is considered best practice to have a timestamp included in XMLDSig.

I think, as the Created and Expires elements are not controlled by WS-Policy, we could opt for the flexible solutions below:
(1) On the client side, if the timestampTTL element in rampart-config is set to 0, then the wsu:Expires element must not be created.
(2) On the server side, the Timestamp should be validated in full; that is, if the Created and Expires elements are present then they should be validated, otherwise just the created time should be validated. I think this is the current behaviour.



-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
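
The receiver-side rule from item (2) of the report above, as an added example that is not part of the original message and is not Rampart's code: it validates a Created-only timestamp as well as one carrying both elements, including Expires equal to or earlier than Created. The names `check_timestamp`, `skew` and `max_age` are hypothetical, requiring Created to be present is an assumption of this example, and the sample timestamps are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")

def parse_when(el):
    # xsd:dateTime; a value without an offset is treated as UTC (assumption).
    dt = datetime.fromisoformat(el.text.strip().replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def check_timestamp(xml_text, now, skew=timedelta(0), max_age=timedelta(minutes=5)):
    """Return 'ok' or the reason a wsu:Timestamp is rejected."""
    ts = ET.fromstring(xml_text)
    created = ts.findall(f"{{{WSU}}}Created")
    expires = ts.findall(f"{{{WSU}}}Expires")
    # Assumption of this example: Created is required, Expires is optional.
    if ts.tag != f"{{{WSU}}}Timestamp" or len(created) != 1 or len(expires) > 1:
        return "malformed"
    try:
        c = parse_when(created[0])
        e = parse_when(expires[0]) if expires else None
    except (ValueError, AttributeError):
        return "malformed"
    if c > now + skew:
        return "created-in-future"
    if e is not None:
        # Expires <= Created is not treated as a structural error: the
        # message is simply at, or already past, its expiry instant.
        return "expired" if now > e + skew else "ok"
    # Created-only: nothing in the message bounds its lifetime, so the
    # receiver applies its own freshness window (max_age is hypothetical).
    return "stale" if now - c > max_age + skew else "ok"

def sample_ts(created, expires=None):
    # Builds constructed sample input; not captured traffic.
    body = f"<wsu:Created>{created}</wsu:Created>"
    if expires:
        body += f"<wsu:Expires>{expires}</wsu:Expires>"
    return f'<wsu:Timestamp xmlns:wsu="{WSU}">{body}</wsu:Timestamp>'

NOW = datetime(2008, 2, 29, 0, 5, 52, tzinfo=timezone.utc)
SAMPLES = {
    "created-only": sample_ts("2008-02-29T00:05:50Z"),
    "equal": sample_ts("2008-02-29T00:05:52Z", "2008-02-29T00:05:52Z"),
    "expires-before-created": sample_ts("2008-02-29T00:05:52Z", "2008-02-29T00:05:51Z"),
}

if __name__ == "__main__":
    for name, xml_text in SAMPLES.items():
        print(name, check_timestamp(xml_text, NOW))
```

The result is only meaningful when the Timestamp element is covered by the message signature, and a Created-only timestamp leaves the acceptance window entirely to the receiver's own freshness limit.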


[jira] Commented: (RAMPART-144) Timestamp with just create time element

Posted by "George Stanchev (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/RAMPART-144?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12573854#action_12573854 ] 

George Stanchev commented on RAMPART-144:
-----------------------------------------

It does not. It means that the message is valid this millisecond only. If Expires < Created, then it would've meant the timestamp has expired right away. Both of those are legitimate use cases, permitted by the standards. I, personally, have encountered a legitimate use case for created<expires. If you want to be flexible, you need to allow all permitted values.

> Timestamp with just create time element
> ---------------------------------------
>
>                 Key: RAMPART-144
>                 URL: https://issues.apache.org/jira/browse/RAMPART-144
>             Project: Rampart
>          Issue Type: Bug
>          Components: rampart-core
>    Affects Versions: 1.3
>            Reporter: Narayan Singh Dhillon
>            Assignee: Ruchith Udayanga Fernando
>   Original Estimate: 0.5h
>  Remaining Estimate: 0.5h
>
> If we want to have just the "wsu:Created" element inside "wsu:Timestamp", Rampart doesn't allow it.
> WS-Security policy doesn't seem to define any policy semantics for the above, but this element is optional and often not used in practical scenarios because of clock differences, but it is considered best practice to have a timestamp included in XMLDSig.
> I think, as the Created and Expires elements are not controlled by WS-Policy, we could opt for the flexible solutions below:
> (1) On the client side, if the timestampTTL element in rampart-config is set to 0, then the wsu:Expires element must not be created.
> (2) On the server side, the Timestamp should be validated in full; that is, if the Created and Expires elements are present then they should be validated, otherwise just the created time should be validated. I think this is the current behaviour.



[jira] Commented: (RAMPART-144) Timestamp with just create time element

Posted by "Narayan S Dhillon (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/RAMPART-144?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12574936#action_12574936 ] 

Narayan S Dhillon commented on RAMPART-144:
-------------------------------------------

So the use cases I could see now are -
(1) Timestamp with created and expires time, including when both are equal.
(2) Timestamp with just created time

That means we would need to use another configuration parameter -
timestampExcludeExpiryTime; if that element is present then it means the expiry time won't be created.




[jira] Commented: (RAMPART-144) Timestamp with just create time element

Posted by "George Stanchev (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/RAMPART-144?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12573515#action_12573515 ] 

George Stanchev commented on RAMPART-144:
-----------------------------------------

If (1) is adopted, how does one create a Timestamp element that contains Created and Expires elements with the same value? I can foresee SP implementations that balk at Timestamp with Expires only and require both Created and Expires to be present. I think Rampart should be able to generate both Timestamps with Create-only and with Create==Expires.



[jira] Issue Comment Edited: (RAMPART-144) Timestamp with just create time element

Posted by "George Stanchev (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/RAMPART-144?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12573854#action_12573854 ] 

gstanchev edited comment on RAMPART-144 at 2/29/08 9:30 AM:
------------------------------------------------------------------

It does not. It means that the message is valid this millisecond only. If Expires < Created, then it would've meant the timestamp has expired right away. Both of those are legitimate use cases, permitted by the standards. I, personally, have encountered a legitimate use case for Expires < Created. If you want to be flexible, you need to allow all permitted values.

      was (Author: gstanchev):
    It does not. It means that the message is valid this millisecond only. If Expires < Created, then it would've meant the timestamp has expired right away. Both of those are legitimate use cases, permitted by the standards. I, personally, have encountered a legitimate use case for created<expires. If you want to be flexible, you need to allow all permitted values.
  


[jira] Commented: (RAMPART-144) Timestamp with just create time element

Posted by "Narayan S Dhillon (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/RAMPART-144?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12573644#action_12573644 ] 

Narayan S Dhillon commented on RAMPART-144:
-------------------------------------------

George, why would one have the Created and Expires times set to the same value? Doesn't it mean the timestamp expires straight away?



[jira] Commented: (RAMPART-144) Timestamp with just create time element

Posted by "Nandana Mihindukulasooriya (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/RAMPART-144?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12574964#action_12574964 ] 

Nandana Mihindukulasooriya commented on RAMPART-144:
----------------------------------------------------

I also agree with George. We will need to extend the Rampart Configuration for this as suggested. Another concern is interoperability. Rampart-specific stuff will not be visible in the WSDL. So this information has to be transferred out of band. Does anyone know whether WCF allows configuring timestamps with only the created element? Anyway, I think it is better to allow both use cases.
