
Subject: Re: [wsrp] IBM's answers to Security Questions


> Considering the number of customer requests for interoperable security
> profiles and the lack of a standardized policy framework for negotiating
> a security profile to use for WSRP-related messages, the WSRP TC is
> seeking input about whether simple interim, interoperable profiles could
> be defined for the use case of multiple vendor's implementations being
> deployed within a single security domain in the mid-2006 timeframe.
>
> 1. The WSRP use case involves an intermediary (the WSRP Consumer) acting
> on behalf of an End-User when interacting with the web service provider
> (the WSRP Producer). As a result, there is an interest in transferring
> the identities of both the WSRP Consumer and the End-User to the WSRP
> Producer. This results in several questions:
> 1.a. Do you support the receipt of multiple identities (Consumer and
> End-User) on a SOAP message which can be separately queried by the
> provider application? Do you support sending multiple identities?

Up to two tokens. Processed in the order they appear.
Security context seen by the application is established on one token.

Alternatively, able to receive a signed security token.
First, check of dsig; if successful, processing of the token.
Security context established based on that token.

> 1.b. What WS-Security tokens will be supported for transferring
> identities (e.g. UserName, SAML, Kerberos, Digital Signature, etc)?

Username, Username/PW, Binary tokens containing X.509 certificates, LTPA
(Lightweight Third Party Authentication) tokens.
Other binary token types can be inserted via plugins.
XML based tokens also supported via plugins. Any arbitrary XML token could
be inserted and validated.

> 1.c. Would transferring the End-User identity via a WS-Security token
> and the Consumer identity via transport-level security be supported?

Yes, using one of the above means as a token. And using SSL client
certificates on the transport level.
Producer can also use this mechanism. First check SSL client cert, then
process security token.
Security Context established on token.

> 1.d. Any restrictions on how multiple identities can be attached to a
> particular SOAP message?

Besides the fact that there is no definition on how/in which order to
process multiple tokens (unless processing logic is deterministic), I don't
see limitations here.
However, the security context (seen by the app) is established only on one token.
The first token serves as an aid to establish trust.

> 2. What security granularity is expected when transferring an identity
> (for example; portals often have a concept of user role that relates to
> the End-User's current use of the portal rather than their identity ...
> is the transfer of such attributes supported (e.g. via SAML attributes))?

No. But could be realized via a plugin and XML based token.
Questioning if this is desired for the scenarios we want to solve.

> 3. Is support for maintaining security contexts for multiple web service
> requests anticipated? If so, using what security technology (e.g.
> WS-SecureConversation)?

Not at this time.

> 4. Is automated configuration of all endpoints supported? If so, how are
> any particular inputs to the process indicated, supported, standardized
> and maintained?

Not at this time.

Kind regards / best regards,

        Richard Jacob
______________________________________________________
IBM Lab Boeblingen, Germany
Dept.8288, WebSphere Portal Server Development
WSRP Team Lead & Technical Lead
WSRP Standardization
Phone: ++49 7031 16-3469  -  Fax: ++49 7031 16-4888
Email: mailto:richard.jacob@de.ibm.com
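The processing model described in the answers to 1.a, 1.c and 1.d (up to two WS-Security tokens processed in document order, an optional transport-level identity checked first, and a single security context established for the application) can be made concrete with a small Producer-side parser. The code below is an added example written for this archive page; it is not code from Richard Jacob's message or from IBM's WebSphere products. The namespace URIs are the standard WS-Security ones, while the SOAP sample, the identities in it, the `MAX_TOKENS` limit, the function names and the reading that the first identity is the trust aid and the last token supplies the application principal are assumptions made for illustration. Signature (dsig) verification and X.509 chain validation are out of scope and are marked where a real implementation would perform them.

```python
"""Ordered processing of WS-Security identity tokens on a WSRP-style request.

Added example; not code from the original message or from IBM's products.
Namespace URIs are the standard WS-Security ones; the SOAP sample, the
identities in it, and all function names are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/", "wsse": WSSE}

MAX_TOKENS = 2  # assumption: the answer above describes support for up to two tokens

# Constructed sample request: Consumer certificate token first, End-User name second.
SAMPLE_REQUEST = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{WSSE}">
  <soap:Header>
    <wsse:Security>
      <wsse:BinarySecurityToken ValueType="{X509V3}">Q09OU1RSVUNURUQ=</wsse:BinarySecurityToken>
      <wsse:UsernameToken>
        <wsse:Username>alice</wsse:Username>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body/>
</soap:Envelope>"""


@dataclass
class Token:
    kind: str       # "username" or "x509"
    identity: str   # the identity the token carries


@dataclass
class SecurityContext:
    trust_identity: Optional[str]  # who vouches for the request (the Consumer)
    principal: str                 # the identity the application sees (the End-User)


def extract_tokens(soap_xml: str) -> List[Token]:
    """Return the identity tokens of the wsse:Security header in document order.

    A child element that is not a recognised token type is an error rather
    than something to skip: deterministic processing means the Producer must
    know what every token is before it trusts any of them.
    """
    root = ET.fromstring(soap_xml)
    security = root.find("soap:Header/wsse:Security", NS)
    if security is None:
        raise ValueError("no wsse:Security header")
    tokens: List[Token] = []
    for child in security:
        if child.tag == f"{{{WSSE}}}UsernameToken":
            user = child.find("wsse:Username", NS)
            if user is None or not (user.text or "").strip():
                raise ValueError("UsernameToken without Username")
            tokens.append(Token("username", user.text.strip()))
        elif child.tag == f"{{{WSSE}}}BinarySecurityToken":
            if child.get("ValueType") != X509V3:
                raise ValueError(f"unsupported binary token type {child.get('ValueType')!r}")
            # A real Producer would decode the certificate, validate its chain
            # and use the subject; here the identity is simply the token text.
            tokens.append(Token("x509", (child.text or "").strip()))
        else:
            raise ValueError(f"unknown security header element {child.tag}")
    return tokens


def establish_context(tokens: List[Token],
                      transport_identity: Optional[str] = None) -> SecurityContext:
    """Build the single security context the application sees.

    Order follows the answers above: the transport-level identity (SSL client
    certificate subject, if any) is taken first, then the tokens as they
    appear. With more than one identity, the first is the trust aid for the
    Consumer and the last token establishes the application principal.
    """
    if len(tokens) > MAX_TOKENS:
        raise ValueError(f"{len(tokens)} tokens exceeds the limit of {MAX_TOKENS}")
    identities = ([transport_identity] if transport_identity else []) + \
                 [t.identity for t in tokens]
    if not identities:
        raise ValueError("no identity present on the request")
    if len(identities) == 1:
        return SecurityContext(None, identities[0])  # one identity: it is the principal
    return SecurityContext(identities[0], identities[-1])


if __name__ == "__main__":
    toks = extract_tokens(SAMPLE_REQUEST)
    print(establish_context(toks))
    print(establish_context(toks[1:], transport_identity="CN=portal-consumer"))
```

Running the module processes the constructed request both ways: with the Consumer identified by its binary token, and with the Consumer identified by a (constructed) SSL client certificate subject passed as `transport_identity`. A third token, or an unrecognised element in the header, is rejected rather than silently skipped.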


