Subject: Re: [ekmi] Groups - SKSML-DRAFT7 Specification, XSD and sample instances(ZIP) (sksml-draft7.zip) uploaded
Hi Upendra,

Welcome to the EKMI TC. I hope you don't mind my copying the TC on this response, since the answer will benefit everyone.

The SKSML protocol focuses on only authentication, message integrity and confidentiality - all of which, as you pointed out, are provided by the WSS layer in SOAP.

The authorization is a separate function of the SKS server, and can be implemented by the protocol implementers either through local access control policies or through XACML calls to an XACML engine, either on the same or another machine.

In the open-source implementation, StrongKey, the authorization rules are local access-control rules. It uses a combination of the client's certificate DN from the WSS header of the request (every SKMS client must have an X509 digital certificate to participate in the protocol), group-memberships that the client DN belongs to, and the KeyUsePolicy which applies to the client, the group, or by default to the entire SKMS, to determine its authorizations in the SKMS. Steps 7 & 8 in the following document do this function:

http://www.strongkey.org/index.php?option=com_content&task=view&id=88&Itemid=35

However, once the server sends the key to the client, the object also includes a KeyUsePolicy which MUST be enforced by the Symmetric Key Client Library (SKCL). This is the only way that a site knows that its key-management policies are being adhered to on the, potentially disconnected, client-device.

Auditors will have to verify that the SKCL library deployed on clients is the same one authorized by the Security Office of the SKMS site. Message-digest comparison checks on a sufficient sampling of randomly selected client devices will tell the auditors if the site has control over its SKMS and policy-enforcement; this is no different from standard financial accounting practices, BTW.

I hope that answers your question.

Arshad

Mardikar, Upendra wrote:
> Hi Arshad
> Just skimmed over the doc (for the first time). I didn't see in the doc, authorization aspect of it.
> e.g. skcl sends request for symm key. It signs request using WS-Security. But is the plan to not get into authorization?
> e.g. how is the authorization granted when a particular client device is allowed to have symm key?
> Regards
> Upendra
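
The server-side authorization decision described in the reply above (certificate DN, then group membership, then a site-wide KeyUsePolicy), sketched as an added example that is not part of the original message and is not StrongKey's code. The DNs, group names, the `permits_key_request` field, the client-before-group precedence and the "denying group wins" rule are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Everything below is constructed for illustration: the DNs, group names and
# policy fields are hypothetical, not the SKSML schema or StrongKey's tables.
@dataclass(frozen=True)
class KeyUsePolicy:
    policy_id: str
    permits_key_request: bool

POS17 = "CN=pos-17,OU=Stores,O=Example"
POS18 = "CN=pos-18,OU=Stores,O=Example"
POS03 = "CN=pos-03,OU=Stores,O=Example"
POS09 = "CN=pos-09,OU=Stores,O=Example"
LAB01 = "CN=lab-01,OU=Lab,O=Example"

REGISTERED_CLIENTS = {POS17, POS18, POS03, POS09, LAB01}
CLIENT_POLICIES = {POS17: KeyUsePolicy("kup-pos17", True)}
GROUP_MEMBERS = {"stores": {POS17, POS18, POS09}, "retired": {POS03, POS09}}
GROUP_POLICIES = {"stores": KeyUsePolicy("kup-stores", True),
                  "retired": KeyUsePolicy("kup-retired", False)}
DEFAULT_POLICY = KeyUsePolicy("kup-skms-default", True)

def resolve_policy(client_dn: Optional[str]) -> Optional[KeyUsePolicy]:
    """Pick the KeyUsePolicy for a DN taken from a verified WSS signature."""
    if client_dn not in REGISTERED_CLIENTS:
        return None  # unknown or missing certificate DN: nothing applies
    if client_dn in CLIENT_POLICIES:  # assumed precedence: client first
        return CLIENT_POLICIES[client_dn]
    group_policies = [GROUP_POLICIES[g] for g, members in sorted(GROUP_MEMBERS.items())
                      if client_dn in members and g in GROUP_POLICIES]
    if group_policies:  # then group; a denying group policy wins (assumption)
        return min(group_policies, key=lambda p: p.permits_key_request)
    return DEFAULT_POLICY  # finally the SKMS-wide default

def authorize_key_request(client_dn: Optional[str]) -> Tuple[bool, Optional[KeyUsePolicy]]:
    """Return (allowed, policy); the policy accompanies the key to the SKCL."""
    policy = resolve_policy(client_dn)
    if policy is None or not policy.permits_key_request:
        return False, None
    return True, policy

if __name__ == "__main__":
    for dn in (POS17, POS18, POS03, POS09, LAB01, "CN=rogue,O=Elsewhere", None):
        print(dn, "->", authorize_key_request(dn))
```

The DN passed in must come from a certificate whose WSS signature has already been verified; a DN read from an unverified header would make every rule here bypassable.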