OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

ws-sx message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [ws-sx] Issue 24: [Protection Order] Property using same source for keys

Comments inline.

Cheers

Gudge 

> -----Original Message-----
> From: Marc Goodner [mailto:mgoodner@microsoft.com] 
> Sent: 09 February 2006 20:28
> To: Dittmann, Werner; ws-sx@lists.oasis-open.org
> Subject: [ws-sx] Issue 24: [Protection Order] Property using 
> same source for keys
> 
> This is now logged as issue 24.
> 
> Marc Goodner
> Technical Diplomat
> Microsoft Corporation
> Tel: (425) 703-1903
> Blog: http://spaces.msn.com/mrgoodner/ 
> 
> 
> -----Original Message-----
> From: Dittmann, Werner [mailto:werner.dittmann@siemens.com] 
> Sent: Thursday, February 09, 2006 12:04 AM
> To: ws-sx@lists.oasis-open.org
> Cc: Marc Goodner
> Subject: [ws-sx] [Protection Order] Property using same 
> source for keys
> 
> PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSISON THREAD UNTIL
> THE ISSUE IS ASSIGNED A NUMBER.
> 
> The issues coordinators will notify the list when that has occurred.
> 
> Protocol:  ws-sp
> ws-securitypolicy-1.2-spec-ed-01-r03-diff.pdf
> 
> Artifact:  spec
> 
> Type: desing
> 
> Title: [Protection Order] Property using same source for keys
> 
> Description:
> 
> In "EncryptBeforeSigning" the spec states that both keys MUST derived
> from the same source. What does this mean? Use the same certificate
> for both actions (for example if a X509 cert is used). In that case
> this seems an unnecessary restriction. At least WS Security does not
> mandate this. Also using the same cert to encrypt and sign is not a
> good security practice.

[MJG]
If derived keys are being used, then the derived key used for encryption
and the derived key used for signature MUST be derived from the same
source key ( which in the case of X509 certs would typically be an
encrypted key per WSS 1.1 ). We should clarify the text here.

> 
> Related issues:
> i009 Support for different key pairs for sign and encrypt in SP
> 
> Proposed Resolution:
> Extend the ws-sp spec to support different key sources.
> 
> Werner Dittmann
> Siemens COM MN CC BD TO
> mailto:Werner.Dittmann@siemens.com
> Tel:   +49(0)89 636 50265
> Mobil: +49(0)172 85 85 245
>

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]