ws-sx message



Subject: RE: [ws-sx] Issue 55: Clarification on RequireDerivedKeys and X509Token under AsymmetricBinding


But signatures are performed using asymmetric keys and there is text in
section 5.2.1 of [1] that says 

"Where the key material associated with a token is asymmetric, this
property applies to the use of symmetric keys encrypted with the key
material associated with the token."

Gudge


[1] http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/17889/ws-securitypolicy-1.2-spec-ed-01-r06.pdf

> -----Original Message-----
> From: K.Venugopal@Sun.COM [mailto:K.Venugopal@Sun.COM] 
> Sent: 02 June 2006 06:01
> To: Martin Gudgin
> Cc: Paul Cotton; ws-sx@lists.oasis-open.org
> Subject: Re: [ws-sx] Issue 55: Clarification on 
> RequireDerivedKeys and X509Token under AsymmetricBinding
> 
> Hi Martin.
> 
> As per the below-mentioned description it would mean to ignore the
> RequireDerivedKeys element in case of signatures. But as per section
> 5.2.1 [1] it is a MUST to use derived keys if the RequireDerivedKey
> element is present.
> 
> +++++Quoting from the 5.2.1 [1]++++++
> This boolean property specifies whether derived keys should be used as
> defined in WS-SecureConversation. If the value is 'true', derived keys
> MUST be used. If the value is 'false', derived keys MUST NOT be used.
> The value of this property applies to a specific token. The value of
> this property is populated by assertions specific to the token. The
> default value for this property is 'false'.
> 
> ++++++++
> 
> Regards
> Venu
> 
> [1] http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/17889/ws-securitypolicy-1.2-spec-ed-01-r06.pdf
> 
> 
> Martin Gudgin wrote:
> > I've now had a chance to spend some time looking at this. Given the
> > policy below I would expect the following:
> >
> > 1. the request message would be signed with the initiator's private
> > key and encrypted with a key derived from a symmetric key that is
> > encrypted with the recipient's public key.
> > 2. the response message would be signed with the recipient's private
> > key and encrypted with a key derived from a symmetric key that is
> > encrypted with the initiator's public key.
> >
> > In both cases how the key is derived will be specified in the
> > wsc:DerivedKeyToken in the message.
> >
> > Cheers
> >
> > Gudge
> >
> >> -----Original Message-----
> >> From: K.Venugopal@Sun.COM [mailto:K.Venugopal@Sun.COM] 
> >> Sent: 11 April 2006 10:42
> >> To: Paul Cotton
> >> Cc: ws-sx@lists.oasis-open.org
> >> Subject: Re: [ws-sx] Issue 55: Clarification on 
> >> RequireDerivedKeys and X509Token under AsymmetricBinding
> >>
> >> Hi Paul,
> >>
> >> Sorry for the delayed response, please see inline.
> >>
> >> Paul Cotton wrote:
> >>> From today's F2F draft minutes:
> >>>
> >>> ===
> >>> i055   Clarification on RequireDerivedKeys and X509Token under
> >>> AsymmetricBinding
> >>> http://lists.oasis-open.org/archives/ws-sx/200603/msg00121.html
> >>>
> >>> The TC discussed this issue but it was not clear what use case
> >>> K. Venugopal was discussing.  The TC would like him to better explain
> >>> his use case so that we can understand the issue.
> >>> ==
> >>>
> >>> Please clarify your use case and/or restate your questions since the TC
> >>> does not yet understand your questions.
> >>>
> >> <deleted/>
> >> In context to my previous mail, let me know if this helps.
> >>
> >> If I have a policy like the one shown below, I would like to know how
> >> the message is secured. How are the keys derived?
> >>
> >> <sp:AsymmetricBinding
> >> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >>     <wsp:Policy>
> >>         <sp:InitiatorToken>
> >>             <wsp:Policy>
> >>                 <sp:X509Token
> >> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> >>                     <wsp:Policy>
> >>                         <sp:WssX509V3Token10 />
> >>                         <sp:RequireDerivedKeys/>
> >>                     </wsp:Policy>
> >>                 </sp:X509Token>
> >>             </wsp:Policy>
> >>         </sp:InitiatorToken>
> >>
> >>         <sp:RecipientToken>
> >>             <wsp:Policy>
> >>                 <sp:X509Token
> >> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
> >>                     <wsp:Policy>
> >>                         <sp:WssX509V3Token10 />
> >>                         <sp:RequireDerivedKeys/>
> >>                     </wsp:Policy>
> >>                 </sp:X509Token>
> >>             </wsp:Policy>
> >>         </sp:RecipientToken>
> >>
> >>         <sp:AlgorithmSuite>
> >>             <wsp:Policy>
> >>                 <sp:Basic256 />
> >>             </wsp:Policy>
> >>         </sp:AlgorithmSuite>
> >>
> >>         <sp:Layout>
> >>             <wsp:Policy>
> >>                 <sp:Lax />
> >>             </wsp:Policy>
> >>         </sp:Layout>
> >>
> >>         <sp:IncludeTimestamp />
> >>
> >>         <sp:OnlySignEntireHeadersAndBody />
> >>     </wsp:Policy>
> >> </sp:AsymmetricBinding>
> >>
> >> Thank You,
> >> Venu
> >>

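Gudge's two-step answer (a symmetric key encrypted with the peer's public key, then an encryption key derived from it as the wsc:DerivedKeyToken specifies) can be made concrete. The following Python is an added example, not code from this thread or from any WS-SX implementation: it implements the P_SHA-1 derivation that WS-SecureConversation defines for DerivedKeyToken, uses the default label as I recall it from that spec (an assumption, not stated in the thread), and derives the 32-byte key that Basic256's AES-256 needs. The RSA wrapping of the secret with the recipient's public key is out of scope here, so both sides start from the same already-unwrapped secret.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Default DerivedKeyToken label: the WS-SecureConversation client and service
# labels concatenated (assumption from the WS-SC spec, not stated in the thread).
DEFAULT_LABEL = b"WS-SecureConversationWS-SecureConversation"
BASIC256_KEY_LEN = 32  # Basic256 encrypts with AES-256, so a 256-bit key


@dataclass
class DerivedKeyToken:
    """Parameters a wsc:DerivedKeyToken carries so the peer can re-derive."""
    nonce: bytes
    offset: int = 0
    length: int = BASIC256_KEY_LEN
    label: bytes = DEFAULT_LABEL


def p_sha1(secret: bytes, seed: bytes, nbytes: int) -> bytes:
    """TLS-style P_SHA-1 expansion referenced by WS-SecureConversation:
    A(0)=seed, A(i)=HMAC-SHA1(secret, A(i-1)); output = HMAC(A(1)+seed) || ..."""
    out = b""
    a = seed
    while len(out) < nbytes:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:nbytes]


def derive_key(secret: bytes, token: DerivedKeyToken) -> bytes:
    """Derived key = bytes [offset, offset+length) of P_SHA1(secret, label + nonce)."""
    stream = p_sha1(secret, token.label + token.nonce, token.offset + token.length)
    return stream[token.offset:token.offset + token.length]


def main() -> None:
    # Step 1 of Gudge's description, minus the RSA wrap: the initiator's fresh
    # symmetric secret is what the recipient's public key would encrypt; the
    # nonce, offset and length travel in the clear inside the DerivedKeyToken.
    secret = os.urandom(32)
    token = DerivedKeyToken(nonce=os.urandom(16))
    initiator_key = derive_key(secret, token)
    recipient_key = derive_key(secret, token)  # recipient, after unwrapping secret
    print("request derived key:", initiator_key.hex())
    print("both sides agree:", initiator_key == recipient_key)


if __name__ == "__main__":
    main()
```

A fresh nonce per DerivedKeyToken is what keeps the request and response keys distinct even when they are derived from the same secret.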
