OASIS Mailing List Archives
ekmi message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [ekmi] Groups - SKSML-DRAFT7 Specification, XSD and sample instances(ZIP) (sksml-draft7.zip) uploaded


Hi Upendra,

Welcome to the EKMI TC. I hope you don't mind my copying the TC on this
response, since the answer will benefit everyone.

The SKSML protocol focuses only on authentication, message integrity
and confidentiality - all of which, as you pointed out, are provided by
the WSS layer in SOAP.

The authorization is a separate function of the SKS server, and can be
implemented by the protocol implementers either through local access
control policies or through XACML calls to an XACML engine, either on
the same or another machine.

In the open-source implementation, StrongKey, the authorization rules
are local access-control rules.  It uses a combination of the client's
certificate DN from the WSS header of the request (every SKMS client
must have an X509 digital certificate to participate in the protocol),
the group-memberships that the client DN belongs to, and the KeyUsePolicy
which applies to the client, the group, or by default to the entire
SKMS, to determine its authorizations in the SKMS.  Steps 7 & 8 in the
following document perform this function:

http://www.strongkey.org/index.php?option=com_content&task=view&id=88&Itemid=35

However, once the server sends the key to the client, the object also
includes a KeyUsePolicy which MUST be enforced by the Symmetric Key
Client Library (SKCL).  This is the only way that a site knows that its
key-management policies are being adhered to on the, potentially
disconnected, client-device.

Auditors will have to verify that the SKCL library deployed on clients
is the same one authorized by the Security Office of the SKMS site.
Message-digest comparison checks on a sufficient sampling of randomly
selected client devices will tell the auditors if the site has control
over its SKMS and policy-enforcement; this is no different from standard
financial accounting practices, BTW.

I hope that answers your question.

Arshad

Mardikar, Upendra wrote:
> Hi Arshad
> Just skimmed over the doc (for the first time). I didn't see in the doc, authorization aspect of it.
> e.g. skcl sends request for symm key. It signs request using WS-Security. But is the plan to not get into authorization?
> e.g. how is the authorization granted when a particular client device is allowed to have symm key?
> Regards
> Upendra
> 
> 
