[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [ws-sx] Encryption with a key known to both parties
Hi Ruchith,
Let me take a crack at this referencing the WS-SecurityPolicy Examples
document that is currently under review in the ws-sx TC:
http://www.oasis-open.org/committees/download.php/26176/ws-sp-usecases-examples-draft-17-07.doc
In section 2.2.2 of that documented is a use case called "(WSS1.0) Mutual
Authentication with X.509 Certificates, Sign, Encrypt", which I think fairly
closely matches the use case you are referring to, with one exception, that
I will try to explain.
First of all the use case #4 from the interop doc you ref should be
considered
an "AsymmetricBinding" because the protection is primarily from the
initiator
and recipient X.509 certificates which are used to sign the Body in both the
request and response. In addition, the example 2.2.2 shows that the
initiator
should include the X.509 cert (line 1373 (P008)), but the recipient
should not
(line 1383 (P017)), which also matches the interop use case #4.
Use case 2.2.2 also in its input and output policies (lines 1415 (P047) -
1439 (P070)) matches the use case #4 by requiring the Body to be
encrypted (lines 1422(P054), 1435(P066)).
The only thing that is not explicitly covered is that there is an out of
band
mutually agreed upon session key (<xenc:KeyName>SessionKey</xenc:Keyname>)
in the use case #4.
Because this is a non-standard key and reference mechanism there is
no WS-SP Token Type to refer to it. However, one might consider
it an "IssuedToken" where the "Issuer" is whatever mutually agreed
upon entity produced this token. In this case you might consider
adding a SupportingTokens element to the Policy after the
end of the AsymmetricBinding element between lines 1399(P038)
and 1400 (P039) such as:
<sp:SupportingTokens>
<wsp:Policy>
<sp:IssuedToken>
<sp:Issuer>SomeMutuallyAgreedURL</sp:Issuer>
<sp:RequireExternalReference/>
</sp:IssuedToken>
<sp:EncryptedParts>
<sp:Body/>
</sp:EncryptedParts>
</wsp:Policy>
</sp:SupportingTokens>
I believe the RequireExternalReference can be taken to mean
that the token used to encrypt the Body is going to be identified
by some reference mechanism (the mutually agreed on key name).
In the above example the Issuer element would be primarily used
so that both parties understand the context to interpret the
external reference.
Hopefully this is helpful.
Thanks,
Rich Levinson
Ruchith Fernando wrote:
> Hi Folks,
>
> Is it possible to express "Scenario #4 Session Key" (the client and the
> service uses a random symmetric key that has been previously agreed)
> described in this [1] document with WS-SecurityPolicy?
>
> I guess we should use SymmetricBinding but how can we express the
> Protection/EncryptionToken?
>
> Thanks,
> Ruchith
>
> 1.
> http://svn.apache.org/repos/asf/webservices/wss4j/trunk/specs/wss-interop2-draft-06.pdf
>
>
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]