Re: [ekmi] Groups - SKSML-DRAFT7 Specification, XSD and sample instances(ZIP) (sksml-draft7.zip) uploaded

[Arshad Noor <arshad.noor@strongauth.com>]

Maybe you need OO 3.0, Tomas.  I last edited the document using
3.0, so perhaps there is a bug that causes OO 2.4 to incorrectly
read TOCs.

I also realized that I forgot to address the more important comment
related to certificates.  My apologies.

The SKSML protocol does not specify which public-key to use to
encrypt symmetric-keys on the server or the clients, because that
is a site-implementation detail.

A site implementing an SKMS can make its own determination how it
wants to implement this part of the EKMI security.  Some sites may
want to choose a single transport certificate for all clients while
others may choose individual ones.  Some may choose to combine the
signing and encryption capabilities into the same certificate while
others may separate it.

I don't believe the messaging protocol should specify this.  However,
in the StrongKey implementation, we force the requirement that the
SKS server MUST have the encryption certificate in its database for
each authorized client before it will transport the symmetric key to
the requestor.  This enforces the security policy that the SKS server
only sends responses back to clients protected with a transport key
it already knows about.

Additionally, because all database records in the SKS database are
digitally signed, an attacker attempting to replace this certificate
directly in the DBMS, with one of their own, will fail to get the
symmetric key because the signature will fail on the object; only
the authorized Administrator through the console can modify objects
in the DB and recreate a new signature on the DB object using the
private key on the HSM on the server.

So, while the WSS header does have the certificate in it, I need to
review the WSS protocol to see if a site can dispense sending it
around for the transport key; it may still be necessary for the
signing certificate to be in the WSS header.

I hope that answers the  question.

Arshad

Tomas Gustavsson wrote:
> 
> Yes I am using OpenOffice 2.4 on Ubuntu 8.04. On page 44 the heading says:
> 2.1 Element <KeyClasses> and <KeyClass>
> according to the TOC it should be 4.3 and on page 42.
> 
> If I update the TOC it changes...
> 
> The PDF is correct though, so I don't know what secret sauce OpenOffice 
> is drinking...
> 
> /Tomas
> 
> Arshad Noor wrote:
>> Thanks for your comments, Tomas and for catching the errors.
>>
>> I'm not sure how you're seeing section numbers 1.3, 1.8, etc.
>> since these examples are in Chapter 3.  Additionally, section
>> 4.5 is there; on page 44 as the TOC says so.
>>
>> Are you using OpenOffice 2.4 or 3.0 to see the editable version?
>> Even the PDF looks correct to me in Acrobat Reader 8.1.2 (Linux).
>>
>> Arshad
>>
>> P.S. Everybody probably got the e-mail about the update I made
>> to DRAFT7, but if not, here it is again:
>>
>> http://www.oasis-open.org/committees/document.php?document_id=29997
>>
>>
>> Tomas Gustavsson wrote:
>>>
>>> Hi Arshad, I have a few very small comments.
>>>
>>> First a few editorial comments:
>>> -----
>>> 1.3
>>> Strange sentence:
>>> The client application (linked to the call SKCL) will an API method 
>>> within the SKCL for the appropriate symmetric key.
>>> ->
>>> The client application (that has been linked to the SKCL) will call 
>>> an API method within the SKCL for the appropriate symmetric key.
>>>
>>> Chapters:
>>> 1.8 Response with multiple new symmetric keys
>>> 1.1 Response with an SKS error ??
>>>
>>> Actually chapter numbering is completely off, I was trying to find 
>>> "4.5 Element <SymKeyResponse"" from the table of contents, but it is 
>>> not to be found.
>>>
>>> 1.1 Response with a pending Request ID
>>> Sentence cut:
>>> "Alternatively, when the"
>>> -----
>>>
>>> And last a small comment, I followed your discussion with Anders 
>>> Rundgren and it's kind of related.
>>> -----
>>> There is no specification which public key is used to encrypt the 
>>> symmetric key returned in the <SymKey> type. Is it the "ValueType 
>>> attribute containing the value 
>>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3."; 
>>> from the <SymKeyRequest>?
>>>
>>> This puts some limitations on this certificate, i.e. KeyUsage 
>>> digitalSignature, keyEncipherment, but these limitations I understand 
>>> is part of the profile as you have explained to Anders, which is fine 
>>> with me.
>>>
>>> Some words of specifying with what you encrypt the SymKey is needed I 
>>> think.
>>> -----
>>>
>>> Regards,
>>> Tomas
>>>
>>> arshad.noor@strongauth.com wrote:
>>>> Hi folks,
>>>>
>>>> My apologies for taking some time to finish this, but there were far 
>>>> more
>>>> ripple effects with the inclusion of support for asynchronous 
>>>> messaging and
>>>> the Standard Error Codes.  However, the Public Review 02 
>>>> Specification is
>>>> complete.
>>>>
>>>> Here is a synopsis of the changes:
>>>>
>>>> This version includes the following changes:
>>>>
>>>> 01) Created the SymkeyWorkInProgressType to support asynchronous 
>>>> requests
>>>>     and responses between SKCLs and SKS servers.  While the SKSML 
>>>> request
>>>>
>>>>     will still be enclosed in a SOAP element with a digital 
>>>> signature, the
>>>>
>>>>     request may now be sent over other protocols besides HTTP (such 
>>>> as     SMTP).
>>>>         02) Created a SymkeyRequestID element and 
>>>> SymkeyRequestIDType to allow
>>>> the
>>>>     client and server to track an asynchronous request and response.
>>>>         03) Created the RequestCheckIntervalType to allows the SKS 
>>>> server to tell
>>>>     clients how frequently they may poll a server on a 
>>>> work-in-progress     request.
>>>>         04) Modified SymkeyType to include the SymkeyRequestID 
>>>> element to
>>>> correlate
>>>>     symkey responses with requests on the client side.
>>>>     05) Modified SymekyError to include the SymkeyRequestID element 
>>>> to     correlate errors with requests on the client side.
>>>>
>>>> 06) Added SKMS Standard Error Codes & Messages in Appendix C.
>>>>
>>>> 07) Added the Vendor Process for requesting a reserved block of SKMS 
>>>> Error
>>>> Codes in Appendix D.
>>>>
>>>> Please review these changes.  I am submitting a ballot for the TC to 
>>>> submit
>>>> this for Public Review.  We are required to do this for 15 days 
>>>> given that
>>>> we have made changes to the protocol.  The TC will have approximately 3
>>>> weeks (1 week for ballot + 2 weeks for PR2) to get comments back on 
>>>> these
>>>> changes.  However, I would encourage you to submit feedback as early as
>>>> possible.
>>>>
>>>> Once we are complete with PR2 and have addressed any comments at 
>>>> that time,
>>>> we will be at the penultimate step of the standards vote.
>>>>
>>>> Thanks for your patience.
>>>>
>>>>  -- Arshad Noor*
>>>>
>>>> The document named SKSML-DRAFT7 Specification, XSD and sample instances
>>>> (ZIP)  (sksml-draft7.zip) has been submitted by Arshad Noor* to the 
>>>> OASIS
>>>> Enterprise Key Management Infrastructure (EKMI) Technical Committee
>>>> document repository.
>>>>
>>>> Document Description:
>>>> DRAFT 7 of the SKSML 1.0 Specification (Public Review 02), the EKMI XML
>>>> Schema Definition and sample schema instances.
>>>>
>>>> View Document Details:
>>>> http://www.oasis-open.org/committees/document.php?document_id=29914
>>>>
>>>> Download Document:  
>>>> http://www.oasis-open.org/committees/download.php/29914/sksml-draft7.zip 
>>>>
>>>>
>>>>
>>>> PLEASE NOTE:  If the above links do not work for you, your email 
>>>> application
>>>> may be breaking the link into two pieces.  You may be able to copy 
>>>> and paste
>>>> the entire link address into the address field of your web browser.
>>>>
>>>> -OASIS Open Administration