Subject: Re: [ws-sx] Issue 55: Clarification on RequireDerivedKeys and X509Token under AsymmetricBinding
Thank you Martin.

Regards,
Venu

Martin Gudgin wrote:
> But signatures are performed using asymmetric keys and there is text in
> section 5.2.1 of [1] that says
>
> "Where the key material associated with a token is asymmetric, this
> property applies to the use of symmetric keys encrypted with the key
> material associated with the token."
>
> Gudge
>
> [1] http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/17889/ws-securitypolicy-1.2-spec-ed-01-r06.pdf
>
>> -----Original Message-----
>> From: K.Venugopal@Sun.COM [mailto:K.Venugopal@Sun.COM]
>> Sent: 02 June 2006 06:01
>> To: Martin Gudgin
>> Cc: Paul Cotton; ws-sx@lists.oasis-open.org
>> Subject: Re: [ws-sx] Issue 55: Clarification on RequireDerivedKeys and X509Token under AsymmetricBinding
>>
>> Hi Martin.
>>
>> As per below mentioned description it would mean to ignore
>> RequireDerivedKeys element in case of signatures. But as per section
>> 5.2.1 [1] it is a MUST to use derived keys if the RequireDerivedKey
>> element is present
>>
>> +++++Quoting from the 5.2.1 [1]++++++
>> This boolean property specifies whether derived keys should be used as
>> defined in WS-SecureConversation. If the value is 'true', derived keys
>> MUST be used. If the value is 'false', derived keys MUST NOT be used.
>> The value of this property applies to a specific token. The value of
>> this property is populated by assertions specific to the token. The
>> default value for this property is 'false'.
>> ++++++++
>>
>> Regards
>> Venu
>>
>> [1] http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/17889/ws-securitypolicy-1.2-spec-ed-01-r06.pdf
>>
>> Martin Gudgin wrote:
>>
>>> I've now had chance to spend some time looking at this. Given the policy
>>> below I would expect the following;
>>>
>>> 1. the request message would be signed with the initiator's private
>>>    key and encrypted with a key derived from a symmetric key that is
>>>    encrypted with the recipient's public key.
>>> 2. the response message would be signed with the recipient's
>>>    private key and encrypted with a key derived from a symmetric key
>>>    that is encrypted with the initiator's public key.
>>>
>>> In both cases how the key is derived will be specified in the
>>> wsc:DerivedKeyToken in the message.
>>>
>>> Cheers
>>>
>>> Gudge
>>>
>>>> -----Original Message-----
>>>> From: K.Venugopal@Sun.COM [mailto:K.Venugopal@Sun.COM]
>>>> Sent: 11 April 2006 10:42
>>>> To: Paul Cotton
>>>> Cc: ws-sx@lists.oasis-open.org
>>>> Subject: Re: [ws-sx] Issue 55: Clarification on RequireDerivedKeys and X509Token under AsymmetricBinding
>>>>
>>>> Hi Paul,
>>>>
>>>> Sorry for the delayed response, please see inline
>>>>
>>>> Paul Cotton wrote:
>>>>
>>>>> From today's F2F draft minutes:
>>>>>
>>>>> ===
>>>>> i055 Clarification on RequireDerivedKeys and X509Token under
>>>>> AsymmetricBinding
>>>>> http://lists.oasis-open.org/archives/ws-sx/200603/msg00121.html
>>>>>
>>>>> The TC discussed this issue but it was not clear what use the case that
>>>>> K. Venugopal was discussing. The TC would like him to better explain
>>>>> his use case so that we can understand the issue.
>>>>> ==
>>>>>
>>>>> Please clarify your use case and/or restate your questions since the TC
>>>>> does not yet understand your questions.
>>>>>
>>>> <deleted/>
>>>> In context to my previous mail let me know if this helps.
>>>>
>>>> If I have a policy like shown below, I would like to know how the
>>>> message is secured. How are the keys derived.
>>>>
>>>> <sp:AsymmetricBinding
>>>>     xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>>   <wsp:Policy>
>>>>     <sp:InitiatorToken>
>>>>       <wsp:Policy>
>>>>         <sp:X509Token
>>>>             sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>>>>           <wsp:Policy>
>>>>             <sp:WssX509V3Token10 />
>>>>             <sp:RequireDerivedKeys/>
>>>>           </wsp:Policy>
>>>>         </sp:X509Token>
>>>>       </wsp:Policy>
>>>>     </sp:InitiatorToken>
>>>>
>>>>     <sp:RecipientToken>
>>>>       <wsp:Policy>
>>>>         <sp:X509Token
>>>>             sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>>>>           <wsp:Policy>
>>>>             <sp:WssX509V3Token10 />
>>>>             <sp:RequireDerivedKeys/>
>>>>           </wsp:Policy>
>>>>         </sp:X509Token>
>>>>       </wsp:Policy>
>>>>     </sp:RecipientToken>
>>>>
>>>>     <sp:AlgorithmSuite>
>>>>       <wsp:Policy>
>>>>         <sp:Basic256 />
>>>>       </wsp:Policy>
>>>>     </sp:AlgorithmSuite>
>>>>
>>>>     <sp:Layout>
>>>>       <wsp:Policy>
>>>>         <sp:Lax />
>>>>       </wsp:Policy>
>>>>     </sp:Layout>
>>>>
>>>>     <sp:IncludeTimestamp />
>>>>
>>>>     <sp:OnlySignEntireHeadersAndBody />
>>>>   </wsp:Policy>
>>>> </sp:AsymmetricBinding>
>>>>
>>>> Thank You,
>>>> Venu
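
The thread says the encryption key is derived from a symmetric key and that the wsc:DerivedKeyToken states how. As an added example (not part of the original messages or of the specification text), here is that derivation under the assumption that the token uses WS-SecureConversation's default P_SHA-1 algorithm and default label; the function names are hypothetical and the secret and nonces are constructed sample values.

```python
import hashlib
import hmac

# Default label in WS-SecureConversation when the token carries no wsc:Label.
DEFAULT_LABEL = b"WS-SecureConversationWS-SecureConversation"


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA-1 from RFC 2246 section 5: HMAC-SHA1 expansion of secret and seed."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def derive_key(secret: bytes, nonce: bytes, offset: int = 0, length: int = 32,
               label: bytes = DEFAULT_LABEL) -> bytes:
    """Key bytes selected by a DerivedKeyToken's Nonce, Offset, Length and Label."""
    if not secret or not nonce:
        raise ValueError("secret and nonce must be non-empty")
    if offset < 0 or length <= 0:
        raise ValueError("offset must be >= 0 and length must be > 0")
    stream = p_sha1(secret, label + nonce, offset + length)
    return stream[offset:offset + length]


# Constructed sample values, not taken from any real message.
SECRET = bytes(range(32))        # stands in for the symmetric key that travels
                                 # encrypted under the recipient's public key
NONCE_REQUEST = b"\x01" * 16     # wsc:Nonce of the request's DerivedKeyToken
NONCE_RESPONSE = b"\x02" * 16    # wsc:Nonce of the response's DerivedKeyToken

if __name__ == "__main__":
    # Basic256 encrypts with a 256-bit key, so 32 bytes are taken from the stream.
    print("request  key:", derive_key(SECRET, NONCE_REQUEST).hex())
    print("response key:", derive_key(SECRET, NONCE_RESPONSE).hex())
```

Because the nonce is part of the seed, each message gets a different key from the same symmetric key, and the signature in this policy still uses the X.509 private key directly.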