Subject: RE: [imi-comment] Comments to Identity Metasystem Interoperability Version 1.0 Committee Draft 02
We are tracking this with issue IMI-1. http://tools.oasis-open.org/issues/browse/IMI-1

From: Pavel V. Smirnov [mailto:spv@cryptopro.ru]

Greetings, all!

My thoughts concern section 3.3.5.2. It can be enhanced by replacing it with the following wording. The introduced change localizes the RSA algorithm specifics in one paragraph. Additionally, describing the usage of other algorithms becomes smaller and simpler.

When requesting an asymmetric key token, an Identity Selector MUST submit the public key to the IP/STS by augmenting the RST request as follows:

· The RST MUST include a wst:KeyType element with one of the two following URI values, depending upon the version of WS-Trust being used:
  http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
  http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey

· The RST SOAP body MUST include a wst:UseKey element containing the public key to be used as proof key in the returned token.

· The RST SOAP security header SHOULD include a supporting signature to prove ownership of the corresponding private key. The ds:KeyInfo element within the signature, if present, MUST include the same public key as in the wst:UseKey element in the SOAP body.

· The supporting signature, if present, MUST be placed in the SOAP security header where the signature for an endorsing supporting token would be placed as per the security header layout specified in WS-SecurityPolicy.

It is RECOMMENDED that an Identity Selector generate an ephemeral RSA key pair for use as the proof key. Usage of other algorithms is not described. In the RSA case the public key MUST be present as a raw RSA key in the form of a ds:RSAKeyValue element inside a ds:KeyValue element in a wst:UseKey element. The generated RSA key pair MUST be at least 1024 bits in size.

From line 1108 all remains the same to the end of the section, except a little modification on line 1152. Here I suggest replacing "the RSA key" with "the public key".

Pavel Smirnov
Crypto-Pro
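The RST layout the proposed wording requires, as an added illustration that is not code from this thread or from the OASIS specification: a small Python checker that parses a constructed RST and tests the rules above (the wst:KeyType URI, a raw RSA key in wst:UseKey, the 1024-bit minimum, and agreement between the signature's ds:KeyInfo and wst:UseKey). It checks structure only and does not verify the signature; the sample message, its placeholder modulus and the namespace prefixes are assumptions.

```python
import base64
import xml.etree.ElementTree as ET
# Namespaces of an RST carrying an asymmetric (public-key) proof token.
NS = {"s": "http://www.w3.org/2003/05/soap-envelope",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PUBLIC_KEY_TYPES = {"http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey",
                    "http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey"}

def rsa_key_value(elem):
    """(modulus, exponent) from a ds:KeyValue/ds:RSAKeyValue below elem, or None."""
    rkv = elem.find(".//ds:KeyValue/ds:RSAKeyValue", NS)
    if rkv is None:
        return None
    return tuple(int.from_bytes(base64.b64decode(rkv.findtext(t, "", NS)), "big")
                 for t in ("ds:Modulus", "ds:Exponent"))

def check_rst(xml_text):
    """Structural checks of the proposed 3.3.5.2 rules (no signature verification)."""
    root, problems = ET.fromstring(xml_text), []
    rst = root.find("s:Body/wst:RequestSecurityToken", NS)
    if rst.findtext("wst:KeyType", None, NS) not in PUBLIC_KEY_TYPES:
        problems.append("wst:KeyType is not one of the two PublicKey URIs")
    use_key = rst.find("wst:UseKey", NS)
    body_key = rsa_key_value(use_key) if use_key is not None else None
    if body_key is None:
        problems.append("wst:UseKey lacks a raw RSA key (ds:KeyValue/ds:RSAKeyValue)")
    elif body_key[0].bit_length() < 1024:
        problems.append("RSA modulus is shorter than 1024 bits")
    # Supporting signature is a SHOULD (absence is fine); a ds:KeyInfo, if present, MUST match.
    key_info = root.find("s:Header/wsse:Security/ds:Signature/ds:KeyInfo", NS)
    if key_info is not None and rsa_key_value(key_info) != body_key:
        problems.append("ds:KeyInfo public key differs from the wst:UseKey key")
    return problems

def b64(n):
    return base64.b64encode(n.to_bytes((n.bit_length() + 7) // 8, "big")).decode()
def sample_rst(bits=1024, keyinfo_matches=True):
    """Constructed RST (not from the spec); the modulus is a placeholder of `bits` bits."""
    mod = (1 << (bits - 1)) | 1
    kv = ("<ds:KeyValue><ds:RSAKeyValue><ds:Modulus>{}</ds:Modulus>"
          "<ds:Exponent>AQAB</ds:Exponent></ds:RSAKeyValue></ds:KeyValue>")
    sig_kv = kv.format(b64(mod if keyinfo_matches else mod + 2))
    return (f'<s:Envelope xmlns:s="{NS["s"]}" xmlns:wsse="{NS["wsse"]}" '
            f'xmlns:wst="{NS["wst"]}" xmlns:ds="{NS["ds"]}"><s:Header><wsse:Security>'
            f"<ds:Signature><ds:SignedInfo/><ds:SignatureValue/><ds:KeyInfo>{sig_kv}"
            f"</ds:KeyInfo></ds:Signature></wsse:Security></s:Header><s:Body>"
            f"<wst:RequestSecurityToken><wst:KeyType>{NS['wst']}/PublicKey</wst:KeyType>"
            f"<wst:UseKey>{kv.format(b64(mod))}</wst:UseKey></wst:RequestSecurityToken>"
            f"</s:Body></s:Envelope>")
```

Calling check_rst(sample_rst()) returns an empty list; a 512-bit modulus or a mismatched ds:KeyInfo key produces the corresponding violation.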