Subject: RE: [ws-sx] Issue 55: Clarification on RequireDerivedKeys and X509Token under AsymmetricBinding
But signatures are performed using asymmetric keys and there is text in
section 5.2.1 of [1] that says "Where the key material associated with a
token is asymmetric, this property applies to the use of symmetric keys
encrypted with the key material associated with the token."

Gudge

[1] http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/17889/ws-securitypolicy-1.2-spec-ed-01-r06.pdf

> -----Original Message-----
> From: K.Venugopal@Sun.COM [mailto:K.Venugopal@Sun.COM]
> Sent: 02 June 2006 06:01
> To: Martin Gudgin
> Cc: Paul Cotton; ws-sx@lists.oasis-open.org
> Subject: Re: [ws-sx] Issue 55: Clarification on RequireDerivedKeys and X509Token under AsymmetricBinding
>
> Hi Martin.
>
> As per the below-mentioned description it would mean to ignore the
> RequireDerivedKeys element in case of signatures. But as per section
> 5.2.1 [1] it is a MUST to use derived keys if the RequireDerivedKeys
> element is present.
>
> +++++ Quoting from 5.2.1 [1] ++++++
> This boolean property specifies whether derived keys should be used as
> defined in WS-SecureConversation. If the value is 'true', derived keys
> MUST be used. If the value is 'false', derived keys MUST NOT be used.
> The value of this property applies to a specific token. The value of
> this property is populated by assertions specific to the token. The
> default value for this property is 'false'.
> ++++++++
>
> Regards
> Venu
>
> [1] http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/17889/ws-securitypolicy-1.2-spec-ed-01-r06.pdf
>
> Martin Gudgin wrote:
> > I've now had a chance to spend some time looking at this. Given the
> > policy below I would expect the following:
> >
> > 1. the request message would be signed with the initiator's private
> > key and encrypted with a key derived from a symmetric key that is
> > encrypted with the recipient's public key.
> > 2. the response message would be signed with the recipient's private
> > key and encrypted with a key derived from a symmetric key that is
> > encrypted with the initiator's public key.
> >
> > In both cases how the key is derived will be specified in the
> > wsc:DerivedKeyToken in the message.
> >
> > Cheers
> >
> > Gudge
> >
> >> -----Original Message-----
> >> From: K.Venugopal@Sun.COM [mailto:K.Venugopal@Sun.COM]
> >> Sent: 11 April 2006 10:42
> >> To: Paul Cotton
> >> Cc: ws-sx@lists.oasis-open.org
> >> Subject: Re: [ws-sx] Issue 55: Clarification on RequireDerivedKeys and X509Token under AsymmetricBinding
> >>
> >> Hi Paul,
> >>
> >> Sorry for the delayed response, please see inline.
> >>
> >> Paul Cotton wrote:
> >>
> >>> From today's F2F draft minutes:
> >>>
> >>> ===
> >>> i055 Clarification on RequireDerivedKeys and X509Token under
> >>> AsymmetricBinding
> >>> http://lists.oasis-open.org/archives/ws-sx/200603/msg00121.html
> >>>
> >>> The TC discussed this issue but it was not clear what use case
> >>> K. Venugopal was discussing. The TC would like him to better explain
> >>> his use case so that we can understand the issue.
> >>> ==
> >>>
> >>> Please clarify your use case and/or restate your questions since
> >>> the TC does not yet understand your questions.
> >>>
> >> <deleted/>
> >> In the context of my previous mail, let me know if this helps.
> >>
> >> If I have a policy like the one shown below, I would like to know how
> >> the message is secured. How are the keys derived?
> >>
> >> <sp:AsymmetricBinding
> >>     xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >>   <wsp:Policy>
> >>     <sp:InitiatorToken>
> >>       <wsp:Policy>
> >>         <sp:X509Token
> >>             sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> >>           <wsp:Policy>
> >>             <sp:WssX509V3Token10 />
> >>             <sp:RequireDerivedKeys/>
> >>           </wsp:Policy>
> >>         </sp:X509Token>
> >>       </wsp:Policy>
> >>     </sp:InitiatorToken>
> >>
> >>     <sp:RecipientToken>
> >>       <wsp:Policy>
> >>         <sp:X509Token
> >>             sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
> >>           <wsp:Policy>
> >>             <sp:WssX509V3Token10 />
> >>             <sp:RequireDerivedKeys/>
> >>           </wsp:Policy>
> >>         </sp:X509Token>
> >>       </wsp:Policy>
> >>     </sp:RecipientToken>
> >>
> >>     <sp:AlgorithmSuite>
> >>       <wsp:Policy>
> >>         <sp:Basic256 />
> >>       </wsp:Policy>
> >>     </sp:AlgorithmSuite>
> >>
> >>     <sp:Layout>
> >>       <wsp:Policy>
> >>         <sp:Lax />
> >>       </wsp:Policy>
> >>     </sp:Layout>
> >>
> >>     <sp:IncludeTimestamp />
> >>
> >>     <sp:OnlySignEntireHeadersAndBody />
> >>   </wsp:Policy>
> >> </sp:AsymmetricBinding>
> >>
> >> Thank You,
> >> Venu
> >>
> >
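The derivation step Gudge describes above (encrypt with a key derived from a symmetric key that was itself encrypted with the recipient's public key, with the parameters carried in wsc:DerivedKeyToken), worked through as an added example that is not part of this thread or of any TC document. It assumes the P_SHA-1 derivation and element names of WS-SecureConversation 1.3 and uses a constructed secret and token; the asymmetric wrapping of the secret is out of scope here.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Namespace of wsc:DerivedKeyToken in WS-SecureConversation 1.3 (assumed version).
WSC_NS = "http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
DEFAULT_LABEL = b"WS-SecureConversation"  # spec default when wsc:Label is absent

def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS-style P_SHA-1 expansion used by WS-SecureConversation key derivation."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()             # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()   # HMAC(secret, A(i) + seed)
    return out[:length]

def derive_key(secret, nonce, length, offset=0, generation=None, label=DEFAULT_LABEL):
    """Derive the key a wsc:DerivedKeyToken designates from the wrapped secret.
    Generation G is shorthand for Offset = G * Length (the two are mutually exclusive)."""
    if generation is not None:
        offset = generation * length
    return p_sha1(secret, label + nonce, offset + length)[offset:offset + length]

def derive_from_token(secret: bytes, token_xml: str) -> bytes:
    """Read Nonce/Offset/Length/Generation/Label out of a DerivedKeyToken element."""
    tok = ET.fromstring(token_xml)
    def text(name):
        el = tok.find(f"{{{WSC_NS}}}{name}")
        return None if el is None else (el.text or "").strip()
    nonce = base64.b64decode(text("Nonce"))
    length = int(text("Length") or 32)      # spec default Length is 32 bytes
    label, gen = text("Label"), text("Generation")
    return derive_key(secret, nonce, length,
                      offset=int(text("Offset") or 0),
                      generation=None if gen is None else int(gen),
                      label=label.encode() if label else DEFAULT_LABEL)

# Constructed sample: a 32-byte secret standing in for the symmetric key that was
# encrypted with the recipient's public key, and a token that derives from it.
# A real token also carries a SecurityTokenReference to that EncryptedKey (omitted here).
SAMPLE_SECRET = bytes(range(32))
SAMPLE_TOKEN = f"""<wsc:DerivedKeyToken xmlns:wsc="{WSC_NS}">
  <wsc:Offset>16</wsc:Offset>
  <wsc:Length>32</wsc:Length>
  <wsc:Nonce>{base64.b64encode(b"constructed-nonce").decode()}</wsc:Nonce>
</wsc:DerivedKeyToken>"""

if __name__ == "__main__":
    print(derive_from_token(SAMPLE_SECRET, SAMPLE_TOKEN).hex())
```

Both parties hold the wrapped secret and the token's public parameters, so each can recompute the same key; a nonce or offset mismatch yields an unrelated key, which is why the token, not the policy, is what must be inspected when a message fails to decrypt.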