[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [ws-sx] Use-Case and Proposed Solution for i010 (long)
>After reading the document it seems to me that your scenario can be done
>by using the current WS-Trust specification without requiring any
>changes.
>
>
>
[PM]
OK, that would be great. My interest is in making sure that the use-case
is accommodated, with or without changes to the spec.
[\PM]
>Here is how I would do that using the current specs:
>
>I would use WS-SecurityPolicy endorsing supporting token concept
>(additional token inside the wsse:Security header that is used to sign
>the primary message signature); the endorsing token will represent the
>on-behalf-of party; this token will then be linked from within
>OnBehalfOf RST element using STR.
>
>
>
[PM]
Making a little diagram here:
SOAP<
Header< Intermediary token and signature1; Endorsing
token and signature2 over signature1>
Body<...OnBehalfOf(STR reference to endorsing token) ...>
>
Right?
Suppose we make this a little more explicit. Lets assume that the
OnBehalfOf identity is expressed by a X.509 certificate and an
associated private-public key pair.
Then we have:
SOAP<
Header<Intermediary token and signature1; BST(X.509) and
signature2 over signature1>
Body< ..OnBehalfOf(STR-Direct Reference to BST(X.509))..>
>
[\PM]
>By using endorsing supporting token to represent on-behalf-of party, the
>initiator proves the possession of the endorsing supporting token's key
>by signing the primary message signature with it.
>
>
>
[PM] Yes, thats reasonable. That was the main concern here. I do think
that some additional language is needed in section 9.1. How about
adding something like the following after 1718:
The requestor MAY provide proof of possession of the key associated with
the OnBehalfOf identity by
including a signature in the RST security header. Additional signed
supporting tokens describing the OnBehalfOf
context MAY also be included within the RST security header.
[\PM]
>Because the endorsing signature is contained in message wsse:Security
>header, it is not necessary to extend the OnBehalfOf element to allow
>signatures in it.
>
>The advantage of this approach is that it uses existing concepts defined
>by WS-SecurityPolicy to represent the on-behalf-of party; it does not
>define a new way to represent and authenticate it.
>
>
>
[PM] I agree this is a good idea. [\PM]
>Regardless of this, I would push back on your proposal in section 3.2.2.
>in your document, because I have security concerns regarding this
>proposal. By signing only reference(s) to on-behalf-of tokens, you don't
>bind those tokens and the signature to the message instance. Therefore
>an attacker can take those out and use them in different message and the
>information in OnBehalfOf will still be valid. Please note that
>endorsing token approach does not have this weakness, since the
>endorsing signature signs the primary message signature, therefore it
>cannot be used with any other message.
>
[PM] This is a suggestion or a starting point only. I take your point
that it is vulnerable to certain threats as stated. [\PM]
>
>It is not clear to me why are you proposing to allow multiple
>STRs/tokens inside OnBehalfOf element. Your scenario does not seem to
>require this and I cannot find any other which would require using
>multiple tokens to identify on-behalf-of party. Can you please help me
>understand why do you think this is necessary?
>
[PM]
If you look at the use-case document (flow 1a and 2), there are two
tokens that describe the application security context: a signed
supporting token describing the user and a HR signing token, together
with a signature. This captures the notion that the HrApp
is acting on behalf of Joe.
I actually believe your solution would support this as well. Re-doing
the SOAP diagram we now have:
SOAP<
Header<Intermediary token and signature1;
SupportingToken; BST(X.509) and signature2 over (signature1 and
Supporting Token)>
Body< ..OnBehalfOf(STR-Direct Reference to BST(X.509))..>
>
Does that work for you?
It is a separate issue how the STS or any consumer is going to resolve
all of these identities and make its judgements.
But that problem isnt peculiar to the use-case; its a general problem
with the WSS 1.x specifications.
[\PM]
References:
*Use-Case and Proposed Solution for i010 <msg00108.html>
http://www.oasis-open.org/archives/ws-sx/200602/msg00108.html
*
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]