ws-sx message



Subject: RE: [ws-sx] Issue 55: Clarification on RequireDerivedKeys and X509Token under AsymmetricBinding


I've now had a chance to spend some time looking at this. Given the policy
below I would expect the following:

1.	the request message would be signed with the initiator's private
key and encrypted with a key derived from a symmetric key that is
encrypted with the recipient's public key. 
2.	the response message would be signed with the recipient's
private key and encrypted with a key derived from a symmetric key that
is encrypted with the initiator's public key.

In both cases how the key is derived will be specified in the
wsc:DerivedKeyToken in the message.

Cheers

Gudge

> -----Original Message-----
> From: K.Venugopal@Sun.COM [mailto:K.Venugopal@Sun.COM] 
> Sent: 11 April 2006 10:42
> To: Paul Cotton
> Cc: ws-sx@lists.oasis-open.org
> Subject: Re: [ws-sx] Issue 55: Clarification on 
> RequireDerivedKeys and X509Token under AsymmetricBinding
> 
> Hi Paul,
> 
> Sorry for the delayed response, please see inline
> 
> Paul Cotton wrote:
> > From today's F2F draft minutes:
> >
> > ===
> > i055   Clarification on RequireDerivedKeys and X509Token under 
> > AsymmetricBinding   
> > http://lists.oasis-open.org/archives/ws-sx/200603/msg00121.html
> >
> > The TC discussed this issue but it was not clear what use the case that
> > K. Venugopal was discussing.  The TC would like him to better explain
> > his use case so that we can understand the issue.
> > ==
> >
> > Please clarify your use case and/or restate your questions since the TC
> > does not yet understand your questions.
> >
> >   
> <deleted/>
> In context to my previous mail let me know if this helps.
> 
> If I have a policy like shown below, I would like to know how the
> message is secured. How are the keys derived?
> 
> <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>     <wsp:Policy>
>         <sp:InitiatorToken>
>             <wsp:Policy>
>                 <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>                     <wsp:Policy>
>                         <sp:WssX509V3Token10 />
>                         <sp:RequireDerivedKeys/>
>                     </wsp:Policy>
>                 </sp:X509Token>
>             </wsp:Policy>
>         </sp:InitiatorToken>
> 
>         <sp:RecipientToken>
>             <wsp:Policy>
>                 <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>                     <wsp:Policy>
>                         <sp:WssX509V3Token10 />
>                         <sp:RequireDerivedKeys/>
>                     </wsp:Policy>
>                 </sp:X509Token>
>             </wsp:Policy>
>         </sp:RecipientToken>
> 
>         <sp:AlgorithmSuite>
>             <wsp:Policy>
>                 <sp:Basic256 />
>             </wsp:Policy>
>         </sp:AlgorithmSuite>
> 
>         <sp:Layout>
>             <wsp:Policy>
>                 <sp:Lax />
>             </wsp:Policy>
>         </sp:Layout>
> 
>         <sp:IncludeTimestamp />
> 
>         <sp:OnlySignEntireHeadersAndBody />
>     </wsp:Policy>
> </sp:AsymmetricBinding>
> 
> Thank You,
> Venu
> 
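
Added example, not part of the original messages or of any WS-SX deliverable: a sketch of the derivation step the reply refers to, using the P_SHA-1 function that WS-SecureConversation takes from TLS 1.0 to turn the transported symmetric key plus the token's nonce into a 256-bit encryption key. The default label, the 32-byte length chosen for Basic256, and all sample secrets and nonces are assumptions constructed for illustration; the RSA encryption of the symmetric key under the peer's public key is left out.

```python
import hashlib
import hmac

# Default label when the token carries no wsc:Label (per WS-SecureConversation;
# an assumption here, the thread does not state it).
DEFAULT_LABEL = b"WS-SecureConversationWS-SecureConversation"

# Constructed sample values. In the exchange described above, each symmetric key
# would travel encrypted under the other party's public key.
REQUEST_SECRET = bytes(range(32))
RESPONSE_SECRET = bytes(range(32, 64))
REQUEST_NONCE = b"constructed-request-nonce"
RESPONSE_NONCE = b"constructed-response-nonce"


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA-1 from TLS 1.0 (RFC 2246): expand secret and seed to length bytes."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def derive_key(secret: bytes, nonce: bytes, length: int,
               offset: int = 0, label: bytes = DEFAULT_LABEL) -> bytes:
    """Return bytes [offset, offset + length) of P_SHA-1(secret, label + nonce)."""
    if not secret:
        raise ValueError("secret must not be empty")
    if length <= 0 or offset < 0:
        raise ValueError("length must be positive and offset non-negative")
    return p_sha1(secret, label + nonce, offset + length)[offset:offset + length]


def encryption_keys() -> tuple:
    """Derive one 256-bit encryption key for the request and one for the response."""
    return (derive_key(REQUEST_SECRET, REQUEST_NONCE, 32),
            derive_key(RESPONSE_SECRET, RESPONSE_NONCE, 32))


if __name__ == "__main__":
    for name, key in zip(("request", "response"), encryption_keys()):
        print(name, key.hex())
```

Both parties must feed the same label, nonce, offset and length into the function, which is why those values are carried in the message's wsc:DerivedKeyToken rather than in the policy.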

