New Issue: RMS and RMD should not both use same STR when sending

[Doug Bunting <Doug.Bunting@sun.com>]

[resend since email servers are working now]

*Title*
RMS and RMD should not both use same STR when sending

*Description*
The current WD[1] describes a single STR for use in both directions.
However, two systems should never share private keys or other asymmetric
security claims.  Such sharing is unfortunately necessary for both to
demonstrate proof of possession of the same tokens.

When the WS-RM protocol and a request / response MEP are used together
for example, the WSS[2] implementation at the recipient verifies claims
(tokens) but does not use the same claims to secure the response.

*Justification*
Use of same STR for offered Sequence weakens the security of the WSS /
WS-RM solution.  The current approach also introduces a special case for
offered Sequences where the two directions are otherwise closely aligned.

*Target*
core

*Type*
technical

*Proposal*

    * Remove the clause "(and, if present, the offered)" where it
      appears (twice) in lines 1270-1271.
    * Duplicate lines 1266-1308, with appropriate (request -> response,
      created -> offered) substitutions, to allow inclusion of an
      <wsse:SecurityTokenReference> and <wsrm:UsesSequenceSTR> in the
      Create Sequence Response message.

The addition above could introduce fault cases I (at least) don't know
how to handle: How to handle mustUnderstand faults a SOAP response
causes?  May be best to limit use of an STR in the Create Sequence
Response to those where the Request message included a
<wsrm:UsesSequenceSTR>.  Not sure if the <wsrm:UsesSequenceSTR> element
would then be needed in the Create Sequence Response.

*References*
[1] Latest WS-RM WD
<http://www.oasis-open.org/committees/download.php/19430/wsrm-1.1-spec-wd-15.pdf>

[2] WSS 1.1 core OS
<http://www.oasis-open.org/committees/download.php/16790/wss-v1.1-spec-os-SOAPMessageSecurity.pdf>