OASIS Mailing List Archives

ws-sx message



Subject: Re: [ws-sx] Issue 55: Clarification on RequireDerivedKeys and X509Token under AsymmetricBinding


Hi Martin.

As per the below-mentioned description it would mean to ignore the
RequireDerivedKeys element in case of signatures. But as per section
5.2.1 [1] it is a MUST to use derived keys if the RequireDerivedKeys
element is present.

+++++Quoting from the 5.2.1 [1]++++++
This boolean property specifies whether derived keys should be used as
defined in WS-SecureConversation. If the value is 'true', derived keys
MUST be used. If the value is 'false', derived keys MUST NOT be used.
The value of this property applies to a specific token. The value of
this property is populated by assertions specific to the token. The
default value for this property is 'false'.
++++++++

Regards
Venu

[1] http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/17889/ws-securitypolicy-1.2-spec-ed-01-r06.pdf


Martin Gudgin wrote:
> I've now had chance to spend some time looking at this. Given the policy
> below I would expect the following;
>
> 1.	the request message would be signed with the initiator's private
> key and encrypted with a key derived from a symmetric key that is
> encrypted with the recipient's public key. 
> 2.	the response message would be signed with the recipient's
> private key and encrypted with a key derived from a symmetric key that
> is encrypted with the initiator's public key.
>
> In both cases how the key is derived will be specified in the
> wsc:DerivedKeyToken in the message.
>
> Cheers
>
> Gudge
>
>   
>> -----Original Message-----
>> From: K.Venugopal@Sun.COM [mailto:K.Venugopal@Sun.COM] 
>> Sent: 11 April 2006 10:42
>> To: Paul Cotton
>> Cc: ws-sx@lists.oasis-open.org
>> Subject: Re: [ws-sx] Issue 55: Clarification on 
>> RequireDerivedKeys and X509Token under AsymmetricBinding
>>
>> Hi Paul,
>>
>> Sorry for the delayed response, please see inline.
>>
>> Paul Cotton wrote:
>>> From today's F2F draft minutes:
>>>
>>> ===
>>> i055   Clarification on RequireDerivedKeys and X509Token under
>>> AsymmetricBinding
>>> http://lists.oasis-open.org/archives/ws-sx/200603/msg00121.html
>>>
>>> The TC discussed this issue but it was not clear what use the case that
>>> K. Venugopal was discussing.  The TC would like him to better explain
>>> his use case so that we can understand the issue.
>>> ==
>>>
>>> Please clarify your use case and/or restate your questions since the TC
>>> does not yet understand your questions.
>>>
>> <deleted/>
>> In the context of my previous mail, let me know if this helps.
>>
>> If I have a policy like the one shown below, I would like to know how
>> the message is secured. How are the keys derived?
>>
>> <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>     <wsp:Policy>
>>         <sp:InitiatorToken>
>>             <wsp:Policy>
>>                 <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>>                     <wsp:Policy>
>>                         <sp:WssX509V3Token10 />
>>                         <sp:RequireDerivedKeys/>
>>                     </wsp:Policy>
>>                 </sp:X509Token>
>>             </wsp:Policy>
>>         </sp:InitiatorToken>
>>
>>         <sp:RecipientToken>
>>             <wsp:Policy>
>>                 <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>>                     <wsp:Policy>
>>                         <sp:WssX509V3Token10 />
>>                         <sp:RequireDerivedKeys/>
>>                     </wsp:Policy>
>>                 </sp:X509Token>
>>             </wsp:Policy>
>>         </sp:RecipientToken>
>>
>>         <sp:AlgorithmSuite>
>>             <wsp:Policy>
>>                 <sp:Basic256 />
>>             </wsp:Policy>
>>         </sp:AlgorithmSuite>
>>
>>         <sp:Layout>
>>             <wsp:Policy>
>>                 <sp:Lax />
>>             </wsp:Policy>
>>         </sp:Layout>
>>
>>         <sp:IncludeTimestamp />
>>
>>         <sp:OnlySignEntireHeadersAndBody />
>>     </wsp:Policy>
>> </sp:AsymmetricBinding>
>>
>> Thank You,
>> Venu
>>
>>     
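
Added example (not part of the thread or of any TC document): a sketch of how a receiver could turn the parameters carried in a wsc:DerivedKeyToken into key bytes, using the P_SHA-1 derivation and default label from WS-SecureConversation. The namespace constant, the sample token, its nonce and the secret passed in are assumptions constructed for illustration; the secret stands in for the symmetric key recovered from the xenc:EncryptedKey.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

WSC = "http://schemas.xmlsoap.org/ws/2005/02/sc"  # WS-SecureConversation namespace (assumed, not on the page)
DEFAULT_LABEL = b"WS-SecureConversationWS-SecureConversation"  # default label per WS-SecureConversation

# Constructed sample token; the nonce is arbitrary demo data.
SAMPLE_DKT = f"""<wsc:DerivedKeyToken xmlns:wsc="{WSC}">
  <wsc:Offset>0</wsc:Offset>
  <wsc:Length>32</wsc:Length>
  <wsc:Nonce>{base64.b64encode(bytes(range(16))).decode()}</wsc:Nonce>
</wsc:DerivedKeyToken>"""


def p_sha1(secret: bytes, seed: bytes, size: int) -> bytes:
    """P_SHA-1 expansion as defined in RFC 2246, section 5."""
    out, a = b"", seed
    while len(out) < size:
        a = hmac.new(secret, a, hashlib.sha1).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()  # HMAC(secret, A(i) + seed)
    return out[:size]


def parse_dkt(xml_text: str) -> dict:
    """Read Label, Nonce, Offset and Length from a wsc:DerivedKeyToken."""
    root = ET.fromstring(xml_text)

    def text(name, default=None):
        node = root.find(f"{{{WSC}}}{name}")
        return node.text.strip() if node is not None and node.text else default

    nonce = text("Nonce")
    if nonce is None:  # choice made for this example: refuse to derive without a nonce
        raise ValueError("DerivedKeyToken has no wsc:Nonce")
    label = text("Label")
    return {
        "label": label.encode("utf-8") if label else DEFAULT_LABEL,
        "nonce": base64.b64decode(nonce),
        "offset": int(text("Offset", "0")),
        "length": int(text("Length", "32")),  # 32 bytes matches a 256-bit key
    }


def derive_key(secret: bytes, xml_text: str) -> bytes:
    """Return bytes [offset, offset+length) of P_SHA-1(secret, label + nonce)."""
    p = parse_dkt(xml_text)
    stream = p_sha1(secret, p["label"] + p["nonce"], p["offset"] + p["length"])
    return stream[p["offset"]:]
```

Sender and receiver obtain the same key only if they agree on the secret and on every value in the token, which is why the token travels in the message.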


