[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [ekmi] Groups - SKSML-DRAFT7 Specification, XSD and sample instances(ZIP) (sksml-draft7.zip) uploaded
Hi, I think this information, about encryption certificate, needs to be in the spec. For version 2 we should look at this more in depth as well. Since it's a crucial part of the system I believe it is a large risk of bad interoperability if left completely up to the implementations. Regards, Tomas Arshad Noor wrote: > Maybe you need OO 3.0, Tomas. I last edited the document using > 3.0, so perhaps there is a bug that causes OO 2.4 to incorrectly > read TOCs. > > I also realized that I forgot to address the more important comment > related to certificates. My apologies. > > The SKSML protocol does not specify which public-key to use to > encrypt symmetric-keys on the server or the clients, because that > is a site-implementation detail. > > A site implementing an SKMS can make its own determination how it > wants to implement this part of the EKMI security. Some sites may > want to choose a single transport certificate for all clients while > others may choose individual ones. Some may choose to combine the > signing and encryption capabilities into the same certificate while > others may separate it. > > I don't believe the messaging protocol should specify this. However, > in the StrongKey implementation, we force the requirement that the > SKS server MUST have the encryption certificate in its database for > each authorized client before it will transport the symmetric key to > the requestor. This enforces the security policy that the SKS server > only sends responses back to clients protected with a transport key > it already knows about. > > Additionally, because all database records in the SKS database are > digitally signed, an attacker attempting to replace this certificate > directly in the DBMS, with one of their own, will fail to get the > symmetric key because the signature will fail on the object; only > the authorized Administrator through the console can modify objects > in the DB and recreate a new signature on the DB object using the > private key on the HSM on the server. > > So, while the WSS header does have the certificate in it, I need to > review the WSS protocol to see if a site can dispense sending it > around for the transport key; it may still be necessary for the > signing certificate to be in the WSS header. > > I hope that answers the question. > > Arshad > > Tomas Gustavsson wrote: >> >> Yes I am using OpenOffice 2.4 on Ubuntu 8.04. On page 44 the heading >> says: >> 2.1 Element <KeyClasses> and <KeyClass> >> according to the TOC it should be 4.3 and on page 42. >> >> If I update the TOC it changes... >> >> The PDF is correct though, so I don't know what secret sauce >> OpenOffice is drinking... >> >> /Tomas >> >> Arshad Noor wrote: >>> Thanks for your comments, Tomas and for catching the errors. >>> >>> I'm not sure how you're seeing section numbers 1.3, 1.8, etc. >>> since these examples are in Chapter 3. Additionally, section >>> 4.5 is there; on page 44 as the TOC says so. >>> >>> Are you using OpenOffice 2.4 or 3.0 to see the editable version? >>> Even the PDF looks correct to me in Acrobat Reader 8.1.2 (Linux). >>> >>> Arshad >>> >>> P.S. Everybody probably got the e-mail about the update I made >>> to DRAFT7, but if not, here it is again: >>> >>> http://www.oasis-open.org/committees/document.php?document_id=29997 >>> >>> >>> Tomas Gustavsson wrote: >>>> >>>> Hi Arshad, I have a few very small comments. >>>> >>>> First a few editorial comments: >>>> ----- >>>> 1.3 >>>> Strange sentence: >>>> The client application (linked to the call SKCL) will an API method >>>> within the SKCL for the appropriate symmetric key. >>>> -> >>>> The client application (that has been linked to the SKCL) will call >>>> an API method within the SKCL for the appropriate symmetric key. >>>> >>>> Chapters: >>>> 1.8 Response with multiple new symmetric keys >>>> 1.1 Response with an SKS error ?? >>>> >>>> Actually chapter numbering is completely off, I was trying to find >>>> "4.5 Element <SymKeyResponse"" from the table of contents, but it is >>>> not to be found. >>>> >>>> 1.1 Response with a pending Request ID >>>> Sentence cut: >>>> "Alternatively, when the" >>>> ----- >>>> >>>> And last a small comment, I followed your discussion with Anders >>>> Rundgren and it's kind of related. >>>> ----- >>>> There is no specification which public key is used to encrypt the >>>> symmetric key returned in the <SymKey> type. Is it the "ValueType >>>> attribute containing the value >>>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3." >>>> from the <SymKeyRequest>? >>>> >>>> This puts some limitations on this certificate, i.e. KeyUsage >>>> digitalSignature, keyEncipherment, but these limitations I >>>> understand is part of the profile as you have explained to Anders, >>>> which is fine with me. >>>> >>>> Some words of specifying with what you encrypt the SymKey is needed >>>> I think. >>>> ----- >>>> >>>> Regards, >>>> Tomas >>>> >>>> arshad.noor@strongauth.com wrote: >>>>> Hi folks, >>>>> >>>>> My apologies for taking some time to finish this, but there were >>>>> far more >>>>> ripple effects with the inclusion of support for asynchronous >>>>> messaging and >>>>> the Standard Error Codes. However, the Public Review 02 >>>>> Specification is >>>>> complete. >>>>> >>>>> Here is a synopsis of the changes: >>>>> >>>>> This version includes the following changes: >>>>> >>>>> 01) Created the SymkeyWorkInProgressType to support asynchronous >>>>> requests >>>>> and responses between SKCLs and SKS servers. While the SKSML >>>>> request >>>>> >>>>> will still be enclosed in a SOAP element with a digital >>>>> signature, the >>>>> >>>>> request may now be sent over other protocols besides HTTP (such >>>>> as SMTP). >>>>> 02) Created a SymkeyRequestID element and >>>>> SymkeyRequestIDType to allow >>>>> the >>>>> client and server to track an asynchronous request and response. >>>>> 03) Created the RequestCheckIntervalType to allows the SKS >>>>> server to tell >>>>> clients how frequently they may poll a server on a >>>>> work-in-progress request. >>>>> 04) Modified SymkeyType to include the SymkeyRequestID >>>>> element to >>>>> correlate >>>>> symkey responses with requests on the client side. >>>>> 05) Modified SymekyError to include the SymkeyRequestID element >>>>> to correlate errors with requests on the client side. >>>>> >>>>> 06) Added SKMS Standard Error Codes & Messages in Appendix C. >>>>> >>>>> 07) Added the Vendor Process for requesting a reserved block of >>>>> SKMS Error >>>>> Codes in Appendix D. >>>>> >>>>> Please review these changes. I am submitting a ballot for the TC >>>>> to submit >>>>> this for Public Review. We are required to do this for 15 days >>>>> given that >>>>> we have made changes to the protocol. The TC will have >>>>> approximately 3 >>>>> weeks (1 week for ballot + 2 weeks for PR2) to get comments back on >>>>> these >>>>> changes. However, I would encourage you to submit feedback as >>>>> early as >>>>> possible. >>>>> >>>>> Once we are complete with PR2 and have addressed any comments at >>>>> that time, >>>>> we will be at the penultimate step of the standards vote. >>>>> >>>>> Thanks for your patience. >>>>> >>>>> -- Arshad Noor* >>>>> >>>>> The document named SKSML-DRAFT7 Specification, XSD and sample >>>>> instances >>>>> (ZIP) (sksml-draft7.zip) has been submitted by Arshad Noor* to the >>>>> OASIS >>>>> Enterprise Key Management Infrastructure (EKMI) Technical Committee >>>>> document repository. >>>>> >>>>> Document Description: >>>>> DRAFT 7 of the SKSML 1.0 Specification (Public Review 02), the EKMI >>>>> XML >>>>> Schema Definition and sample schema instances. >>>>> >>>>> View Document Details: >>>>> http://www.oasis-open.org/committees/document.php?document_id=29914 >>>>> >>>>> Download Document: >>>>> http://www.oasis-open.org/committees/download.php/29914/sksml-draft7.zip >>>>> >>>>> >>>>> >>>>> PLEASE NOTE: If the above links do not work for you, your email >>>>> application >>>>> may be breaking the link into two pieces. You may be able to copy >>>>> and paste >>>>> the entire link address into the address field of your web browser. >>>>> >>>>> -OASIS Open Administration
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]