[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: [NEW ISSUE] Scoping an RM sequence to a security context
Title: Scoping an RM sequence to a security
context Description/Justification: There are several threats, hijacking [1] and signature
replacement [2], that can best be mitigated by binding the RM sequence to a
specific security context identified by a token. For the sake of
interoperability it is best that this capability be defined in the protocol
rather than be left to a implementation detail for implementers and/or users of
the protocol. Likewise it should be possible for an RMD to represent that it
does or does not support this capability. Target: core Type: design Proposal: WS-RM Changes Line numbers from WS-RM CD 02 Add “An RM Destination MUST fault if it does not
understand information passed using this extensibility mechanism.” to the
end of lines 297 and 300. The above would mean prevent an RMD from silently ignoring
use of the extensibility points in the create sequence and would read in the
spec as follows: /wsrm:CreateSequence/{any} This is an extensibility mechanism to allow different
(extensible) types of information, based on a schema, to be passed. An RM
Destination MUST fault if it does not understand information passed using this
extensibility mechanism. /wsrm:CreateSequence/@{any} This is an extensibility mechanism to allow additional
attributes, based on schemas, to be added to the element. An RM Destination
MUST fault if it does not understand information passed using this
extensibility mechanism. Add the following after line 300: /wsrm:CreateSequence/wsse:SecurityTokenReference This optional element uses the extensibility mechanism
defined above to communicate an explicit reference to the security token to be
used to authorize messages for the created outbound Sequence and if offered the
inbound Sequence, using a <wsse:SecurityTokenReference> as documented in
WS-Security [WSSecurity]. All subsequent messages in the outbound Sequence and
if offered the inbound Sequence MUST demonstrate proof-of-possession of the
referenced key. WS-RM Policy Changes Line numbers from WS-RM Policy CD 02 Line 96 Change: “defines a single RM policy assertion” To: “defines two RM policy assertions” Add a new assertion description as follows after line 116: WS-SecurityPolicy [WS-SecurityPolicy] provides a framework
and grammar for expressing the security requirements and characteristics of
entities in a XML web services based system. The Secure Sequence Binding
assertion allows the expression of additional security requirements particular
to RM sequences to be used in conjunction with WS-SecurityPolicy. Specifically
it defines that an RM sequence MUST be bound to an explicit token. The RM Security assertion MUST NOT be used for an endpoint
that does not also use the RM assertion. Add the following after line 141: The normative outline for the Secure Sequence Binding
Assertion is: <wsrmp:SecureSequenceBinding [wsp:Optional="true"]? ... > </wsrmp:SecureSequenceBinding > /wsrmp:SecureSequenceBinding A policy assertion that specifies security requirements
which MUST be used with an RM Sequence that are particular to WS-RM and beyond
what can be expressed in WS-SecurityPolicy. /wsrm:SecureSequenceBinding
/@wsp:Optional="true" Per WS-Policy [WS-Policy], this is compact notation for
two policy alternatives, one with and one without the assertion. The intuition
is that the behavior indicated by the assertion is optional, or in this case,
that the RM Sequence binding to a specific token MAY be used. Line 143 Change: “Because the RM policy assertion indicates
endpoint behavior over an RM Sequence, the assertion has” To: “Because the RM policy assertions indicate
endpoint behavior over an RM Sequence, the assertions have” Assertion example and schema outline TBD Reference: 1 hijacking threat http://lists.oasis-open.org/archives/ws-rx/200602/msg00037.html
2 signature replacement threat http://lists.oasis-open.org/archives/ws-rx/200602/msg00038.html
Marc Goodner Technical Diplomat Microsoft Corporation Tel: (425) 703-1903 Blog: http://spaces.msn.com/mrgoodner/
|
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]