OASIS Mailing List Archives

 



wss message



Subject: Issue 120, 121, 122 action items


This mail is to close action items associated with issues 120, 121 and 122.
It is based on Gene Thurston's excellent response to my questions.

Modifications proposed to Username Token Profile, Draft 3, 30 June 2003, merged version.
http://www.oasis-open.org/apps/org/workgroup/wss/download.php/2760/WSS-Username-03-063003-merged.pdf

Issue 120, 121: clarify recommendation to use both nonce & timestamp, use of nonce
Proposal to address both issues:

Change lines [110-113] to be the following:

Two optional elements are introduced in the <wsse:UsernameToken> element to provide a countermeasure for replay attacks: <wsse:Nonce> and <wsu:Created>. A nonce is a random value that the sender creates to include in each Username token that it sends. Although using a nonce is an effective countermeasure against replay attacks, it requires a server to maintain a cache of used nonces, consuming server resources. Combining a nonce with a creation timestamp has the advantage of allowing a server to limit the cache of nonces to a "freshness" time period, establishing a bound on resource requirements.

If either or both of <wsse:Nonce> and <wsu:Created> are present they must be included in the digest value as follows:

----------------------------------

Issue 122: timestamp definition
Proposal:

Change line [175-176] to be:

"This optional <wsu:Created> element specifies a timestamp used to indicate the creation time. 
It is defined as part of the <wsu:Timestamp> definition."

--------------------

regards, Frederick
 
Frederick Hirsch
Nokia Mobile Phones




> -----Original Message-----
> From: ext Gene Thurston [mailto:gthurston@amberpoint.com]
> Sent: Monday, July 14, 2003 9:03 PM
> To: Hirsch Frederick (NMP/Boston); wss@lists.oasis-open.org
> Subject: RE: [wss] Username token profile comments
> 
> 
> Just a couple of comments on Frederick's questions regarding nonce and
> creation timestamp ...
> 
> - Gene Thurston -
> AmberPoint, Inc.
> 
> 
> -----Original Message-----
> From: Frederick.Hirsch@nokia.com [mailto:Frederick.Hirsch@nokia.com] 
> Sent: Monday, July 14, 2003 1:02 PM
> To: wss@lists.oasis-open.org
> Subject: [wss] Username token profile comments
> 
> I have a couple of comments on the Username Token Profile, draft 3, 30
> June 2003.
> 
> 1. Why is it recommended that both nonce and creation timestamp be used
> [122] instead of one or the other?
> 
> Does recommending both put a burden on implementations, especially with
> regard to timestamp management and possible synchronization? Isn't a
> nonce adequate for replay attacks when chosen? Is there rationale that
> should be stated?
> 
> [gt:] 
> [gt:] I believe the idea is as follows: Just using a nonce would be 
> [gt:] adequate, but would require the server side to cache used nonces 
> [gt:] forever, thus consuming memory resources. By having the service 
> [gt:] configurable with a timestamp "freshness" limitation period, it 
> [gt:] will only have to cache nonces for that long. This is laid out 
> [gt:] in points 2 and 3 (lines 124-130), and I feel that the 
> [gt:] explanation is sufficient, but perhaps I am in a minority there.
> [gt:]
> 
> 2. Is the assumption that the nonce is generated by one party and used
> by the other correct? Or is it just a random value from the sender? If
> the receiver first sends the nonce to the requestor and then it is used
> in the token, then this needs to be clear. 
> 
> [gt:]
> [gt:] The nonce is intended to be a random value concocted by the sender
> [gt:] for each message which includes the UsernameToken. Perhaps this
> [gt:] should be explicitly stated here.
> [gt:]
> 
> 3. More generally, does this document need any processing rules stated?
> 
> 4. How is Created timestamp defined [174]? Is it wsu:Timestamp or some
> other schema dataType?
> 
> Some typos:
> 99s;information..;information.;
> 118s;SHA-1 has ;SHA-1 hash ;
> 183 & 201 update wsse, wsu namespaces in examples to match [87]. Add wsu
> to [87]?
> 
> [gt:] 
> [gt:] A couple more typos:
> [gt:]  + Two periods in the middle of line 106
> [gt:]  + Bad line-break at 112/113 
> [gt:]  + Missing period at end of line 130 
> [gt:]  + Two periods at end of line 138
> [gt:]
> 
> 
> regards, Frederick
>  
> Frederick Hirsch
> Nokia Mobile Phones
> 
> 
> 




