[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [ws-sx] Use-Case and Proposed Solution for i010 (long)
[PM] Yes, thats reasonable. That was the main concern here. I do think that some additional language is needed in section 9.1. How about adding something like the following after 1718: The requestor MAY provide proof of possession of the key associated with the OnBehalfOf identity by including a signature in the RST security header. Additional signed supporting tokens describing the OnBehalfOf context MAY also be included within the RST security header. [\PM] I would modify the proposed text slightly: The requestor MAY provide proof of possession of the key associated with the OnBehalfOf identity by including a signature in the RST security header generated using the OnBehalfOf token that signs the primary signature of the RST (i.e. endorsing supporting token concept from WS-SecurityPolicy). Additional signed supporting tokens describing the OnBehalfOf context MAY also be included within the RST security header. How does this sound to you? [PM] <snip> It is a separate issue how the STS or any consumer is going to resolve all of these identities and make its judgements. But that problem isnt peculiar to the use-case; its a general problem with the WSS 1.x specifications. [\PM] Yes I agree that this is out of scope of WS-SX and WS-Trust in particular. It seems to me that we are both in agreement that your scenario can be done without changing the semantics of OnBehalfOf element, right? Are you OK to change issue 10 to add the proposed text into section 9.1 after line 1718 and be done with it? Thanks, --Jan -----Original Message----- From: Prateek Mishra [mailto:prateek.mishra@oracle.com] Sent: Monday, March 13, 2006 11:54 AM To: ws-sx@lists.oasis-open.org Cc: Jan Alexander; Darren Platt Subject: Re: [ws-sx] Use-Case and Proposed Solution for i010 (long) >After reading the document it seems to me that your scenario can be done >by using the current WS-Trust specification without requiring any >changes. > > > [PM] OK, that would be great. My interest is in making sure that the use-case is accommodated, with or without changes to the spec. [\PM] >Here is how I would do that using the current specs: > >I would use WS-SecurityPolicy endorsing supporting token concept >(additional token inside the wsse:Security header that is used to sign >the primary message signature); the endorsing token will represent the >on-behalf-of party; this token will then be linked from within >OnBehalfOf RST element using STR. > > > [PM] Making a little diagram here: SOAP< Header< Intermediary token and signature1; Endorsing token and signature2 over signature1> Body<...OnBehalfOf(STR reference to endorsing token) ...> > Right? Suppose we make this a little more explicit. Lets assume that the OnBehalfOf identity is expressed by a X.509 certificate and an associated private-public key pair. Then we have: SOAP< Header<Intermediary token and signature1; BST(X.509) and signature2 over signature1> Body< ..OnBehalfOf(STR-Direct Reference to BST(X.509))..> > [\PM] >By using endorsing supporting token to represent on-behalf-of party, the >initiator proves the possession of the endorsing supporting token's key >by signing the primary message signature with it. > > > [PM] Yes, thats reasonable. That was the main concern here. I do think that some additional language is needed in section 9.1. How about adding something like the following after 1718: The requestor MAY provide proof of possession of the key associated with the OnBehalfOf identity by including a signature in the RST security header. Additional signed supporting tokens describing the OnBehalfOf context MAY also be included within the RST security header. [\PM] >Because the endorsing signature is contained in message wsse:Security >header, it is not necessary to extend the OnBehalfOf element to allow >signatures in it. > >The advantage of this approach is that it uses existing concepts defined >by WS-SecurityPolicy to represent the on-behalf-of party; it does not >define a new way to represent and authenticate it. > > > [PM] I agree this is a good idea. [\PM] >Regardless of this, I would push back on your proposal in section 3.2.2. >in your document, because I have security concerns regarding this >proposal. By signing only reference(s) to on-behalf-of tokens, you don't >bind those tokens and the signature to the message instance. Therefore >an attacker can take those out and use them in different message and the >information in OnBehalfOf will still be valid. Please note that >endorsing token approach does not have this weakness, since the >endorsing signature signs the primary message signature, therefore it >cannot be used with any other message. > [PM] This is a suggestion or a starting point only. I take your point that it is vulnerable to certain threats as stated. [\PM] > >It is not clear to me why are you proposing to allow multiple >STRs/tokens inside OnBehalfOf element. Your scenario does not seem to >require this and I cannot find any other which would require using >multiple tokens to identify on-behalf-of party. Can you please help me >understand why do you think this is necessary? > [PM] If you look at the use-case document (flow 1a and 2), there are two tokens that describe the application security context: a signed supporting token describing the user and a HR signing token, together with a signature. This captures the notion that the HrApp is acting on behalf of Joe. I actually believe your solution would support this as well. Re-doing the SOAP diagram we now have: SOAP< Header<Intermediary token and signature1; SupportingToken; BST(X.509) and signature2 over (signature1 and Supporting Token)> Body< ..OnBehalfOf(STR-Direct Reference to BST(X.509))..> > Does that work for you? It is a separate issue how the STS or any consumer is going to resolve all of these identities and make its judgements. But that problem isnt peculiar to the use-case; its a general problem with the WSS 1.x specifications. [\PM] References: *Use-Case and Proposed Solution for i010 <msg00108.html> http://www.oasis-open.org/archives/ws-sx/200602/msg00108.html *
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]