OASIS Mailing List Archives

imi-comment message


Subject: Comments to Identity Metasystem Interoperability Version 1.0 Committee Draft 02

Greetings, all!


My thoughts are concerned with section It can be enhanced by replacing it with the following wording. The introduced change localizes the RSA algorithm specifics in one paragraph. Additionally, describing the usage of other algorithms becomes smaller and simpler.


When requesting an asymmetric key token, an Identity Selector MUST submit the public key to the IP/STS by augmenting the RST request as follows:

         The RST MUST include a wst:KeyType element with one of the two following URI values, depending upon the version of WS-Trust being used:



         The RST SOAP body MUST include a wst:UseKey element containing the public key to be used as proof key in the returned token.

         The RST SOAP security header SHOULD include a supporting signature to prove ownership of the corresponding private key. The ds:KeyInfo element within the signature, if present, MUST include the same public key as in the wst:UseKey element in the SOAP body.

         The supporting signature, if present, MUST be placed in the SOAP security header where the signature for an endorsing supporting token would be placed as per the security header layout specified in WS-SecurityPolicy.


It is RECOMMENDED that an Identity Selector generate an ephemeral RSA key pair for use as the proof key. Usage of other algorithms is not described. In the RSA case the public key MUST be present as a raw RSA key in the form of a ds:RSAKeyValue element inside a ds:KeyValue element in a wst:UseKey element. The generated RSA key pair MUST be at least 1024 bits in size.

From line 1108 everything remains the same to the end of the section, except for a small modification on line 1152. Here I suggest replacing "the RSA key" with "the public key".


Pavel Smirnov

Tel./Fax: +7 495 780-4820

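The following is an added example, not part of Pavel Smirnov's message or of the IMI specification text it quotes. It builds an RST of the shape the proposed wording describes (wst:KeyType, wst:UseKey carrying ds:KeyValue/ds:RSAKeyValue, and a supporting signature in the wsse:Security header whose ds:KeyInfo carries the same key) and then checks the MUST clauses of that wording on the receiving side: KeyType value, presence of the raw RSA key in UseKey, a modulus of at least 1024 bits, and, when a signature with ds:KeyInfo is present, that its key equals the UseKey key. Assumptions: the WS-Trust 1.3 and XML-DSig namespaces, the KeyType URI (the quoted text omits the URI values it refers to), and the key material, which is a constructed placeholder of the right size rather than a real RSA key pair; the ds:Signature is a structural stand-in with no real SignedInfo or SignatureValue, since the point is where the key goes and that the two copies must agree.

```python
"""Added example: RST with wst:UseKey / ds:RSAKeyValue and a checker for the
proposed MUST clauses. Not code from the OASIS thread or the IMI spec."""
import base64
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
SOAP = "http://www.w3.org/2003/05/soap-envelope"
NS = {"wst": WST, "ds": DS, "wsse": WSSE, "s": SOAP}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Assumed KeyType URI (WS-Trust 1.3 public-key type); the quoted text omits it.
PUBLIC_KEYTYPE = WST + "/PublicKey"

# Constructed placeholder: an odd 1024-bit integer, NOT a real RSA modulus.
SAMPLE_MODULUS = (1 << 1023) | 0x10001
SAMPLE_EXPONENT = 65537


def int_to_b64(n: int) -> str:
    """Big-endian, minimal-length base64, as XML-DSig CryptoBinary expects."""
    return base64.b64encode(n.to_bytes((n.bit_length() + 7) // 8, "big")).decode()


def b64_to_int(s: str) -> int:
    return int.from_bytes(base64.b64decode(s.strip()), "big")


def rsa_key_value(modulus: int, exponent: int) -> ET.Element:
    """ds:KeyValue/ds:RSAKeyValue holding a raw RSA public key."""
    kv = ET.Element(f"{{{DS}}}KeyValue")
    rsa = ET.SubElement(kv, f"{{{DS}}}RSAKeyValue")
    ET.SubElement(rsa, f"{{{DS}}}Modulus").text = int_to_b64(modulus)
    ET.SubElement(rsa, f"{{{DS}}}Exponent").text = int_to_b64(exponent)
    return kv


def build_rst(modulus, exponent, keytype=PUBLIC_KEYTYPE,
              with_signature=True, keyinfo_modulus=None) -> str:
    """Identity Selector side: the augmented RST. keyinfo_modulus lets the
    caller deliberately put a different key in the signature's KeyInfo."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    if with_signature:  # endorsing-supporting-token position in wsse:Security
        sec = ET.SubElement(header, f"{{{WSSE}}}Security")
        sig = ET.SubElement(sec, f"{{{DS}}}Signature")
        ET.SubElement(sig, f"{{{DS}}}SignedInfo")  # placeholder, not signed
        ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = "placeholder"
        ki = ET.SubElement(sig, f"{{{DS}}}KeyInfo")
        ki_mod = modulus if keyinfo_modulus is None else keyinfo_modulus
        ki.append(rsa_key_value(ki_mod, exponent))
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    rst = ET.SubElement(body, f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = WST + "/Issue"
    ET.SubElement(rst, f"{{{WST}}}KeyType").text = keytype
    ET.SubElement(rst, f"{{{WST}}}UseKey").append(rsa_key_value(modulus, exponent))
    return ET.tostring(env, encoding="unicode")


def _rsa_from(parent: ET.Element):
    """(modulus, exponent) from ds:KeyValue/ds:RSAKeyValue under parent, or None."""
    rsa = parent.find("ds:KeyValue/ds:RSAKeyValue", NS)
    if rsa is None:
        return None
    mod = rsa.findtext("ds:Modulus", default=None, namespaces=NS)
    exp = rsa.findtext("ds:Exponent", default=None, namespaces=NS)
    if mod is None or exp is None:
        return None
    return b64_to_int(mod), b64_to_int(exp)


def check_rst(xml_text: str, min_bits: int = 1024) -> list:
    """IP/STS side: return the list of MUST violations (empty = conforms).
    A missing supporting signature is only a SHOULD, so it is not reported."""
    problems = []
    env = ET.fromstring(xml_text)
    rst = env.find("s:Body/wst:RequestSecurityToken", NS)
    if rst is None:
        return ["no wst:RequestSecurityToken in SOAP body"]
    keytype = rst.findtext("wst:KeyType", default="", namespaces=NS).strip()
    if keytype != PUBLIC_KEYTYPE:
        problems.append(f"wst:KeyType is {keytype!r}, not the public-key URI")
    use = rst.find("wst:UseKey", NS)
    use_key = _rsa_from(use) if use is not None else None
    if use_key is None:
        problems.append("wst:UseKey must carry ds:KeyValue/ds:RSAKeyValue")
    elif use_key[0].bit_length() < min_bits:
        problems.append(f"RSA modulus is {use_key[0].bit_length()} bits, < {min_bits}")
    sig = env.find("s:Header/wsse:Security/ds:Signature", NS)
    ki = sig.find("ds:KeyInfo", NS) if sig is not None else None
    if ki is not None and _rsa_from(ki) != use_key:
        problems.append("ds:KeyInfo in supporting signature does not match wst:UseKey")
    return problems


if __name__ == "__main__":
    print(check_rst(build_rst(SAMPLE_MODULUS, SAMPLE_EXPONENT)))
    print(check_rst(build_rst((1 << 511) | 1, SAMPLE_EXPONENT)))
```

The checker deliberately compares the decoded integers rather than the base64 strings, so a key re-encoded with different whitespace or leading zero bytes is still recognised as the same key; it does not verify the signature itself, which a real IP/STS must do before treating the KeyInfo key as proof of possession.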
