OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

wsrp-interop message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [wsrp-interop] Protecting producer registrations


see my comments in tagged with <rj>

Mit freundlichen Gruessen / best regards,

        Richard Jacob
______________________________________________________
IBM Lab Boeblingen, Germany
Dept.8288, WebSphere Portal Server Development
Phone: ++49 7031 16-3469  -  Fax: ++49 7031 16-4888
Email: mailto:richard.jacob@de.ibm.com


Folks,
    During our last concall I asked what if anything is a consumer able
to do with regards to sharing or migrating a producer registration.  The
response on the phone was producers shouldn't use registrations contexts
to establish relationships with a particular consumer.  Rather a
registration context merely defines/establishes a scoping for portlets.

<rj> it's more than this. In addition it also contains technical and
perhaps business aspects of the relationship.
This can be the consumer name, methodGetSupported, consumer modes/window
states etc.
</rj>

 A consumer, in this case is a logical entity, it may be a single
physical entity or many physical entities.  Producers shouldn't try to
use any information it received with the registration call to restrict
which physical consumer it is valid to receive this context from.  It
was said that the management of that relationship is left up to lower
levels of the web services [security] protocol stack.

Since that call I have done some thinking about what was said  and don't
fully understand/disagree with the sentiment.  Basically I don't
understand how the producer implements the following common use case:

Use Case:
Producer wants to ensure that only authorized consumers can use a
specific registration.  I.e. a producer wants to make sure that the
registrationContext it receives is not only valid but came from a
consumer that was authorized to send it.  The peculiar thing here is
that set of authorized callers is defined by the consumer and is on a
per registration scope. In the simple case its just the consumer itself.

<rj>
Basically I think I understand what you're saying.
We should clearly distinguish the concepts here.
The RegContext is not an authentication method, rather then this it is an
identifier for the relationship.
Here we may run into further trouble if the context is shared between
various Consumers and the the Producer chooses to push registration state
back to the Consumer - but this is a side discussion.
Currently I can't see how a Producer can assure the set of authorized
callers, i.e. can make sure that a Consumer is allowed to pass the
regHandle it passes with the calls the way you are claiming it (if I
understood you correctly).
1. regHandles could be stolen/copied
2. Identifying on Consumers IP-Address? Bad idea, can be spoofed easily.
3. Identifying on Consumers MAC-Address? can also be spoofed.
4. using TPM - possible
5. using lower level authentication mechanisms? yes, this should be the way
to go (WS-Security tokens or SSL Client Certificates).
The question of control:
The Producer can of course verify if a passed regHandle is being allowed to
be sent from a distinct Consumer using well known authentication mechanisms
(like SSL/TLS).
However a Producer can not prevent that the identity is shared among
Consumers.
Typical example: ID/Password can be shared, no way to distinguish from the
Server side point of view.
Even certificates can be shared, the only thing a Producer can tell is: "is
the regHandle I received with that request valid given the received
certificate?".
Things might change with TPM, where certificates are bound to the hardware.
Or did I misunderstand you or miss something here?
</rj>

 However, when you consider other real world use cases it can encompass
a development consumer, a stage consumer, and a production consumer.  At
a high level I understand how lower layers of the web services stack
could be used to control the domain of all consumers that can talk to a
given producer.  However, I don't understand how, if its used
exclusively, it can be used to control the domain of specific consumers
for a specific registration.

<rj>
As said above it can't since the RegContext is an identifier rather then an
authentication mechanism.
</rj>
 And more specifically, how this could be
done without manual administration on the producer to set it up.  Can
someone write a high-level explanation of how this would work?
<rj>

I think this is a good question we haven't looked into yet.
In my opinion we are talking about two things here. Here I'm leaving safe
ground and need to look into security more deeply here, so please don't
beat me.
First we are talking about authentication.
The Producer must estabish some way to able to check which Consumer
(authenticated by any means like WS-Security or SSL) can pass what
regHandle.
This has to be done at the Producer side and will require administration
(like maintaining the certificates).
Second we talk about trust relationships.
The Producer trusts a Consumer (authenticated) and allows it to "pass
access rights" (perhaps not the correct term here) to another Consumer.
Imagine the following scenario:
1. Consumer A (authenticated) registers with Producer
2. Producer generates a regHandle and stores the regHandle-Consumer A
certificate relationship.
3. Producer trusts Consumer A or better the certicate issuer from
Consumer's A domain.
4. Consumer A's certifate issuer (could be the Consumer to make things
easy) provides certificates to Consumer B and C.
5. Consumer B (authenticated) accesses Producer with regHandle from A,
since the Producer trusts the certificates issued by Consumer A it allows B
to pass the regHandle from A.
However as said need to explore here far more deeply and see what is
already there.
</rj>

Ultimately, what I had expected to be the case was that the register
call is used to establish both the set or valid consumers and/or the
validation method for a given registration.
<rj>
Well this would be an extension, which for instance allows the consumer to
pass certificates.
This is the kind of trust I tried to describe above ommiting the existing
environments which are there.

</rj>
  In some[all?] cases the
validation method could rely on low layer web services [security]
mechanisms.  i.e. this registrationContext is only valid for a given
certificate [is this feasible?]. ....
<rj>
I think this is very feasible.
</rj>
Or are most folks in the camp
that any producer that wants to isolate / secure consumers to a given
registration will [always] require manual producer side administration
and therefore a level of out-of-band registration?
<rj>
Trust relationships/trust domains could solve our problems here.
</rj>

 I.e. A valid
position might be that WSRP doesn't want to deal with this -- any
producer that wants such function will have to rely on lower layer web
services and home grown [out-of-band] registration techniques.

<rj>
My position is that we should carefully explore the concepts we want to
have and verify them with security concepts that are already there.
I think we shouldn't try to bring up security solutions to the level of
wsrp, they should be handled in lower levels for us.
And in fact I think there are already there.
</rj>

FYI, the use case I am beginning to worry about is the develop, stage,
production environment portal developers typical design within/deploy
on.  In such an environment there is a need to migrate/share some
portlets [those that correspond to base, all user, configurations to the
stage and production environments.
    -Mike-


To unsubscribe from this mailing list (and be removed from the roster of
the OASIS TC), go to
http://www.oasis-open.org/apps/org/workgroup/wsrp-interop/members/leave_workgroup.php
.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]