OASIS Mailing List Archives

imi-comment message



Subject: RE: [imi-comment] Comments to Identity Metasystem Interoperability Version 1.0 Committee Draft 02


We are tracking this with issue IMI-1.

http://tools.oasis-open.org/issues/browse/IMI-1

 

 

From: Pavel V. Smirnov [mailto:spv@cryptopro.ru]
Sent: Wednesday, March 11, 2009 8:41 AM
To: imi-comment@lists.oasis-open.org
Subject: [imi-comment] Comments to Identity Metasystem Interoperability Version 1.0 Committee Draft 02

 

Greetings, all!

 

My comments concern section 3.3.5.2. It can be improved by replacing it with the following wording. The introduced change localizes the RSA algorithm specifics in one paragraph. Additionally, describing the usage of other algorithms becomes shorter and simpler.

 


When requesting an asymmetric key token, an Identity Selector MUST submit the public key to the IP/STS by augmenting the RST request as follows:

- The RST MUST include a wst:KeyType element with one of the two following URI values, depending upon the version of WS-Trust being used:

  http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey

  http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey

- The RST SOAP body MUST include a wst:UseKey element containing the public key to be used as proof key in the returned token.

- The RST SOAP security header SHOULD include a supporting signature to prove ownership of the corresponding private key. The ds:KeyInfo element within the signature, if present, MUST include the same public key as in the wst:UseKey element in the SOAP body.

- The supporting signature, if present, MUST be placed in the SOAP security header where the signature for an endorsing supporting token would be placed as per the security header layout specified in WS-SecurityPolicy.

 

It is RECOMMENDED that an Identity Selector generate an ephemeral RSA key pair for use as the proof key. Usage of other algorithms is not described. In the RSA case the public key MUST be present as a raw RSA key in the form of a ds:RSAKeyValue element inside a ds:KeyValue element in a wst:UseKey element. The generated RSA key pair MUST be at least 1024 bits in size.


From line 1108 everything remains the same to the end of the section, except for a small modification on line 1152. There I suggest replacing “the RSA key” with “the public key”.

 

Pavel Smirnov

Crypto-Pro
Tel./Fax: +7 495 780-4820
WWW: http://www.CryptoPro.ru
e-mail: spv@CryptoPro.ru
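As an added example that is not part of the list message or of the IMI specification, the following Python (standard library only) builds an RST of the kind the proposed 3.3.5.2 wording describes and checks it against the rules stated there: wst:KeyType is one of the two PublicKey URIs and matches the WS-Trust version of the RST, the body carries wst:UseKey with a raw ds:RSAKeyValue of at least 1024 bits, and the ds:KeyInfo of the supporting signature, if present, carries the same key as wst:UseKey. The envelope layout, the placeholder ds:SignatureValue and all function names are assumptions made for illustration; the modulus bytes are constructed (not a real RSA modulus), and no XML signature is actually computed or verified.

```python
"""Build and check a WS-Trust RST carrying an asymmetric (public) proof key.

Added example; not code from the original message or from the IMI specification.
Everything below the namespace constants (envelope layout, helper names, the
constructed key material) is an assumption for illustration only.
"""
import base64
import xml.etree.ElementTree as ET

SOAP = "http://www.w3.org/2003/05/soap-envelope"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
WST12 = "http://schemas.xmlsoap.org/ws/2005/02/trust"      # WS-Trust 1.2
WST13 = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"  # WS-Trust 1.3
NS = {"s": SOAP, "wsse": WSSE, "ds": DS}
ALLOWED_KEY_TYPES = {WST12 + "/PublicKey", WST13 + "/PublicKey"}
MIN_RSA_BITS = 1024

# Constructed sample key material (not a real RSA modulus): 128 bytes with the
# top bit set, i.e. exactly 1024 bits, plus the common public exponent 65537.
SAMPLE_MODULUS = b"\x80" + b"\x01" * 127
SAMPLE_EXPONENT = b"\x01\x00\x01"


def rsa_key_value(modulus, exponent):
    """ds:KeyValue/ds:RSAKeyValue fragment for a raw RSA public key (ds prefix bound by the envelope)."""
    return ("<ds:KeyValue><ds:RSAKeyValue><ds:Modulus>%s</ds:Modulus>"
            "<ds:Exponent>%s</ds:Exponent></ds:RSAKeyValue></ds:KeyValue>"
            % (base64.b64encode(modulus).decode(), base64.b64encode(exponent).decode()))


def build_rst(modulus, exponent, wst=WST13, key_type=None, keyinfo_key=None, signed=True):
    """Return an RST envelope.  keyinfo_key is the (modulus, exponent) placed in the supporting
    signature's ds:KeyInfo; None omits ds:KeyInfo, and signed=False omits the signature entirely."""
    key_type = key_type or wst + "/PublicKey"
    key_info = "" if keyinfo_key is None else "<ds:KeyInfo>%s</ds:KeyInfo>" % rsa_key_value(*keyinfo_key)
    # ds:SignatureValue is a placeholder: the endorsing signature itself is out of scope here.
    signature = ("<ds:Signature><ds:SignedInfo/><ds:SignatureValue>AAAA</ds:SignatureValue>%s"
                 "</ds:Signature>" % key_info) if signed else ""
    return ('<s:Envelope xmlns:s="%s" xmlns:wsse="%s" xmlns:ds="%s" xmlns:wst="%s">'
            "<s:Header><wsse:Security>%s</wsse:Security></s:Header>"
            "<s:Body><wst:RequestSecurityToken><wst:RequestType>%s/Issue</wst:RequestType>"
            "<wst:KeyType>%s</wst:KeyType><wst:UseKey>%s</wst:UseKey>"
            "</wst:RequestSecurityToken></s:Body></s:Envelope>"
            % (SOAP, WSSE, DS, wst, signature, wst, key_type, rsa_key_value(modulus, exponent)))


def _rsa_from(elem):
    """(modulus, exponent) bytes of the ds:RSAKeyValue under elem, or None if there is none."""
    rkv = elem.find(".//ds:RSAKeyValue", NS)
    if rkv is None:
        return None
    return (base64.b64decode(rkv.findtext("ds:Modulus", default="", namespaces=NS)),
            base64.b64decode(rkv.findtext("ds:Exponent", default="", namespaces=NS)))


def validate_rst(envelope_xml):
    """Check an RST against the asymmetric-key rules of the proposed 3.3.5.2 wording.
    Returns (errors, warnings): errors are MUST violations, warnings are SHOULD violations."""
    root = ET.fromstring(envelope_xml)
    errors, warnings = [], []
    rst = root.find("s:Body/*", NS)
    if rst is None or not rst.tag.endswith("}RequestSecurityToken"):
        return ["SOAP body does not carry a wst:RequestSecurityToken"], warnings
    wst = rst.tag[1:].split("}")[0]  # the WS-Trust namespace the RST actually uses
    key_type = rst.findtext("{%s}KeyType" % wst, default="")
    if key_type not in ALLOWED_KEY_TYPES:
        errors.append("wst:KeyType is not one of the two PublicKey URIs")
    elif key_type != wst + "/PublicKey":
        errors.append("wst:KeyType URI does not match the WS-Trust version of the RST")
    use_key = rst.find("{%s}UseKey" % wst)
    proof = _rsa_from(use_key) if use_key is not None else None
    if proof is None:
        errors.append("wst:UseKey with a raw ds:RSAKeyValue is missing")
    else:
        bits = int.from_bytes(proof[0], "big").bit_length()
        if bits < MIN_RSA_BITS:
            errors.append("RSA proof key is %d bits, below the %d-bit minimum" % (bits, MIN_RSA_BITS))
    sig = root.find("s:Header/wsse:Security/ds:Signature", NS)
    if sig is None:
        warnings.append("no supporting signature proving possession of the private key")
    else:
        key_info = sig.find("ds:KeyInfo", NS)
        if key_info is not None and _rsa_from(key_info) != proof:
            errors.append("ds:KeyInfo public key differs from the wst:UseKey proof key")
    return errors, warnings


if __name__ == "__main__":
    good = build_rst(SAMPLE_MODULUS, SAMPLE_EXPONENT, keyinfo_key=(SAMPLE_MODULUS, SAMPLE_EXPONENT))
    print(validate_rst(good))  # ([], [])
    swapped = build_rst(SAMPLE_MODULUS, SAMPLE_EXPONENT,
                        keyinfo_key=(b"\x80" + b"\x02" * 127, SAMPLE_EXPONENT))
    print(validate_rst(swapped))  # (['ds:KeyInfo public key differs from the wst:UseKey proof key'], [])
```

The KeyInfo/UseKey comparison is the check worth having on the STS side: if the key that the endorsing signature proves possession of is not the key that ends up as the proof key in the issued token, the proof-of-possession step proves nothing about the token's holder. The version check reflects the "depending upon the version of WS-Trust being used" clause by deriving the expected URI from the namespace of the RST element itself rather than trusting whichever URI the client sent.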

 


