OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

ws-rx message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: [NEW ISSUE] Scoping an RM sequence to a security context

Title: Scoping an RM sequence to a security context       

 

Description/Justification:

There are several threats, hijacking [1] and signature replacement [2], that can best be mitigated by binding the RM sequence to a specific security context identified by a token. For the sake of interoperability it is best that this capability be defined in the protocol rather than be left to a implementation detail for implementers and/or users of the protocol. Likewise it should be possible for an RMD to represent that it does or does not support this capability.

 

Target: core

 

Type: design

 

Proposal:

WS-RM Changes

Line numbers from WS-RM CD 02

 

Add “An RM Destination MUST fault if it does not understand information passed using this extensibility mechanism.” to the end of lines 297 and 300.

 

The above would mean prevent an RMD from silently ignoring use of the extensibility points in the create sequence and would read in the spec as follows:

/wsrm:CreateSequence/{any}

This is an extensibility mechanism to allow different (extensible) types of information, based on a schema, to be passed. An RM Destination MUST fault if it does not understand information passed using this extensibility mechanism.

/wsrm:CreateSequence/@{any}

This is an extensibility mechanism to allow additional attributes, based on schemas, to be added to the element. An RM Destination MUST fault if it does not understand information passed using this extensibility mechanism.

 

Add the following after line 300:

/wsrm:CreateSequence/wsse:SecurityTokenReference

This optional element uses the extensibility mechanism defined above to communicate an explicit reference to the security token to be used to authorize messages for the created outbound Sequence and if offered the inbound Sequence, using a <wsse:SecurityTokenReference> as documented in WS-Security [WSSecurity]. All subsequent messages in the outbound Sequence and if offered the inbound Sequence MUST demonstrate proof-of-possession of the referenced key.

 

WS-RM Policy Changes

Line numbers from WS-RM Policy CD 02

 

Line 96

Change: “defines a single RM policy assertion”

To: “defines two RM policy assertions”

 

Add a new assertion description as follows after line 116:

WS-SecurityPolicy [WS-SecurityPolicy] provides a framework and grammar for expressing the security requirements and characteristics of entities in a XML web services based system. The Secure Sequence Binding assertion allows the expression of additional security requirements particular to RM sequences to be used in conjunction with WS-SecurityPolicy. Specifically it defines that an RM sequence MUST be bound to an explicit token.

 

The RM Security assertion MUST NOT be used for an endpoint that does not also use the RM assertion.

 

Add the following after line 141:

The normative outline for the Secure Sequence Binding Assertion is:

<wsrmp:SecureSequenceBinding

[wsp:Optional="true"]? ... >

</wsrmp:SecureSequenceBinding >

 

/wsrmp:SecureSequenceBinding

A policy assertion that specifies security requirements which MUST be used with an RM Sequence that are particular to WS-RM and beyond what can be expressed in WS-SecurityPolicy.

 

/wsrm:SecureSequenceBinding /@wsp:Optional="true"

Per WS-Policy [WS-Policy], this is compact notation for two policy alternatives, one with and one without the assertion. The intuition is that the behavior indicated by the assertion is optional, or in this case, that the RM Sequence binding to a specific token MAY be used.

 

Line 143

Change: “Because the RM policy assertion indicates endpoint behavior over an RM Sequence, the assertion has”

To: “Because the RM policy assertions indicate endpoint behavior over an RM Sequence, the assertions have”

 

Assertion example and schema outline TBD

 

 

Reference:

1 hijacking threat http://lists.oasis-open.org/archives/ws-rx/200602/msg00037.html

2 signature replacement threat http://lists.oasis-open.org/archives/ws-rx/200602/msg00038.html

 

Marc Goodner

Technical Diplomat

Microsoft Corporation

Tel: (425) 703-1903

Blog: http://spaces.msn.com/mrgoodner/

 

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]