OASIS Mailing List Archives
ws-sx message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [ws-sx] Issue 55: Clarification on RequireDerivedKeys and X509Token under AsymmetricBinding


Thank you Martin.

Regards,
Venu

Martin Gudgin wrote:
> But signatures are performed using asymmetric keys and there is text in
> section 5.2.1 of [1] that says 
>
> "Where the key material associated with a token is asymmetric, this
> property applies to the use of symmetric keys encrypted with the key
> material associated with the token."
>
> Gudge
>
>
> [1] http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/17889/ws-securitypolicy-1.2-spec-ed-01-r06.pdf
>
>   
>> -----Original Message-----
>> From: K.Venugopal@Sun.COM [mailto:K.Venugopal@Sun.COM] 
>> Sent: 02 June 2006 06:01
>> To: Martin Gudgin
>> Cc: Paul Cotton; ws-sx@lists.oasis-open.org
>> Subject: Re: [ws-sx] Issue 55: Clarification on 
>> RequireDerivedKeys and X509Token under AsymmetricBinding
>>
>> Hi Martin.
>>
>> As per the below-mentioned description, it would mean ignoring the
>> RequireDerivedKeys element in the case of signatures. But as per section
>> 5.2.1 [1] it is a MUST to use derived keys if the RequireDerivedKeys
>> element is present.
>>
>> +++++Quoting from the 5.2.1 [1]++++++
>> This boolean property specifies whether derived keys should be used as
>> defined in WS-SecureConversation. If the value is 'true', derived keys MUST
>> be used. If the value is 'false', derived keys MUST NOT be used. The value
>> of this property applies to a specific token. The value of this property
>> is populated by assertions specific to the token. The default value for
>> this property is 'false'.
>>
>> ++++++++
>>
>> Regards
>> Venu
>>
>> [1] http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/17889/ws-securitypolicy-1.2-spec-ed-01-r06.pdf
>   
>> Martin Gudgin wrote:
>>     
>>> I've now had a chance to spend some time looking at this. Given the policy
>>> below I would expect the following;
>>>
>>> 1.	the request message would be signed with the initiator's private
>>> key and encrypted with a key derived from a symmetric key that is
>>> encrypted with the recipient's public key.
>>> 2.	the response message would be signed with the recipient's
>>> private key and encrypted with a key derived from a symmetric key that
>>> is encrypted with the initiator's public key.
>>>
>>> In both cases how the key is derived will be specified in the
>>> wsc:DerivedKeyToken in the message.
>>>
>>> Cheers
>>>
>>> Gudge
>>>
>>>   
>>>       
>>>> -----Original Message-----
>>>> From: K.Venugopal@Sun.COM [mailto:K.Venugopal@Sun.COM] 
>>>> Sent: 11 April 2006 10:42
>>>> To: Paul Cotton
>>>> Cc: ws-sx@lists.oasis-open.org
>>>> Subject: Re: [ws-sx] Issue 55: Clarification on 
>>>> RequireDerivedKeys and X509Token under AsymmetricBinding
>>>>
>>>> Hi Paul,
>>>>
>>>> Sorry for the delayed response , please see inline
>>>>
>>>> Paul Cotton wrote:
>>>>     
>>>>         
>>>>> From today's F2F draft minutes:
>>>>>
>>>>> ===
>>>>> i055   Clarification on RequireDerivedKeys and X509Token under 
>>>>> AsymmetricBinding   
>>>>> http://lists.oasis-open.org/archives/ws-sx/200603/msg00121.html
>>>>>
>>>>> The TC discussed this issue but it was not clear what use case
>>>>> K. Venugopal was discussing.  The TC would like him to better explain
>>>>> his use case so that we can understand the issue.
>>>>> ==
>>>>>
>>>>> Please clarify your use case and/or restate your questions since the TC
>>>>> does not yet understand your questions.
>>>>>
>>>>>   
>>>>>       
>>>>>           
>>>> <deleted/>
>>>> In the context of my previous mail, let me know if this helps.
>>>>
>>>> If I have a policy like the one shown below, I would like to know how the
>>>> message is secured and how the keys are derived.
>>>>
>>>> <sp:AsymmetricBinding
>>>>     xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
>>>>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>>>>     <wsp:Policy>
>>>>         <!-- initiator's X.509 token: always sent along with the request -->
>>>>         <sp:InitiatorToken>
>>>>             <wsp:Policy>
>>>>                 <sp:X509Token
>>>>                     sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>>>>                     <wsp:Policy>
>>>>                         <sp:WssX509V3Token10 />
>>>>                         <sp:RequireDerivedKeys />
>>>>                     </wsp:Policy>
>>>>                 </sp:X509Token>
>>>>             </wsp:Policy>
>>>>         </sp:InitiatorToken>
>>>>
>>>>         <!-- recipient's X.509 token: never included in the message -->
>>>>         <sp:RecipientToken>
>>>>             <wsp:Policy>
>>>>                 <sp:X509Token
>>>>                     sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>>>>                     <wsp:Policy>
>>>>                         <sp:WssX509V3Token10 />
>>>>                         <sp:RequireDerivedKeys />
>>>>                     </wsp:Policy>
>>>>                 </sp:X509Token>
>>>>             </wsp:Policy>
>>>>         </sp:RecipientToken>
>>>>
>>>>         <sp:AlgorithmSuite>
>>>>             <wsp:Policy>
>>>>                 <sp:Basic256 />
>>>>             </wsp:Policy>
>>>>         </sp:AlgorithmSuite>
>>>>
>>>>         <sp:Layout>
>>>>             <wsp:Policy>
>>>>                 <sp:Lax />
>>>>             </wsp:Policy>
>>>>         </sp:Layout>
>>>>
>>>>         <sp:IncludeTimestamp />
>>>>
>>>>         <sp:OnlySignEntireHeadersAndBody />
>>>>     </wsp:Policy>
>>>> </sp:AsymmetricBinding>
>>>>
>>>> Thank You,
>>>> Venu
>>>>
>>>>     
>>>>         
>>     
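The derivation Gudge points at ("how the key is derived will be specified in the wsc:DerivedKeyToken") is the P_SHA1 expansion that WS-SecureConversation borrows from TLS 1.0. The block below is an added example, not code from this thread or from any WS-SX implementation: it reads a wsc:DerivedKeyToken (Nonce, Label, Offset or Generation, Length) and derives the 256-bit key the Basic256 suite calls for from a symmetric key. Assumptions: the WS-SecureConversation 1.3 namespace (http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512; earlier drafts used http://schemas.xmlsoap.org/ws/2005/02/sc), the spec's default label "WS-SecureConversation", and a constructed secret and nonce standing in for the symmetric key that, under the AsymmetricBinding above, would be encrypted with the recipient's public key. The signature in that binding is made directly with the initiator's private key; only the encryption key is derived.

```python
"""Added example (not from the ws-sx thread or any WS-SX implementation):
derive a per-message key from a wsc:DerivedKeyToken the way
WS-SecureConversation specifies, using only the standard library."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Assumption: WS-SecureConversation 1.3 namespace; the 2005/02 draft used
# http://schemas.xmlsoap.org/ws/2005/02/sc.
WSC_NS = "http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
DEFAULT_LABEL = b"WS-SecureConversation"   # spec default when wsc:Label is absent
DEFAULT_LENGTH = 32                        # bytes; Basic256 => 256-bit derived keys


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0 P_SHA1 expansion (RFC 2246 section 5):
    A(0) = seed, A(i) = HMAC-SHA1(secret, A(i-1)),
    output = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def derive_key(secret, nonce, label=DEFAULT_LABEL, offset=0,
               length=DEFAULT_LENGTH, generation=None):
    """Derived key = bytes [offset, offset+length) of P_SHA1(secret, label + nonce).
    Offset and Generation are alternatives: Generation n means offset = n * length."""
    if generation is not None:
        offset = generation * length
    stream = p_sha1(secret, label + nonce, offset + length)
    return stream[offset:offset + length]


def derive_from_token(token_xml: str, secret: bytes) -> bytes:
    """Read Nonce/Label/Offset/Generation/Length from a wsc:DerivedKeyToken
    element and derive the key it designates. For untrusted SOAP input use
    defusedxml (or an equally hardened parser) rather than xml.etree."""
    root = ET.fromstring(token_xml)

    def child(name):
        el = root.find(f"{{{WSC_NS}}}{name}")
        return None if el is None else el.text

    nonce = base64.b64decode(child("Nonce"))
    label = (child("Label") or DEFAULT_LABEL.decode()).encode()
    length = int(child("Length") or DEFAULT_LENGTH)
    gen = child("Generation")
    offset = int(child("Offset") or 0)
    return derive_key(secret, nonce, label, offset, length,
                      None if gen is None else int(gen))


# Constructed sample input: a stand-in for the 32-byte symmetric key that,
# under the AsymmetricBinding above, is encrypted with the recipient's public key.
SECRET = bytes(range(32))
NONCE = bytes.fromhex("00112233445566778899aabbccddeeff")
NONCE_B64 = base64.b64encode(NONCE).decode()

# Constructed wsc:DerivedKeyToken elements (not taken from the thread).
REQUEST_TOKEN = f"""<wsc:DerivedKeyToken xmlns:wsc="{WSC_NS}">
  <wsc:Offset>0</wsc:Offset>
  <wsc:Length>32</wsc:Length>
  <wsc:Nonce>{NONCE_B64}</wsc:Nonce>
</wsc:DerivedKeyToken>"""

RESPONSE_TOKEN = f"""<wsc:DerivedKeyToken xmlns:wsc="{WSC_NS}">
  <wsc:Generation>1</wsc:Generation>
  <wsc:Length>32</wsc:Length>
  <wsc:Nonce>{NONCE_B64}</wsc:Nonce>
</wsc:DerivedKeyToken>"""

if __name__ == "__main__":
    print("request  key:", derive_from_token(REQUEST_TOKEN, SECRET).hex())
    print("response key:", derive_from_token(RESPONSE_TOKEN, SECRET).hex())
```

Two practical points follow from the text quoted in this thread. Because section 5.2.1 makes derived keys a MUST when RequireDerivedKeys is present, a recipient enforcing this policy should reject a message that references the wrapped symmetric key directly for encryption instead of through a wsc:DerivedKeyToken. And P_SHA1 plus the Basic256 suite's SHA-1 signature digest are legacy choices; they are shown here because they are what the 2005/07 policy assertions name, not as a recommendation for new deployments.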


