RE: [wsrp][security] minutes from 4.3 telecon

[Sasha Aickin <AlexanderA@plumtree.com>]

Thomas,

It sounds like you're advocating something that is conceptually similar
to a cookie in HTTP.  A consumer (an end user in the cookie case)
provides login credentials to the server and it gives the consumer back
a token by which it will recognize the consumer in the future.  This
makes a lot of sense to me in an end user interaction: you only want to
ask the user his/her password on the first request for sensitive
material.  However, it seems to me that there is nothing stopping a
machine to machine interaction like the portal-portlet call from sending
credentials on every call.  

Another way of stating this is: why doesn't the owner of the producer
hand the consumer ID to the owner of the consumer in step 0 in the
scenario you have below?  It seems just as secure as handing the owner
of the consumer a digital certificate that will result in giving them a
customer ID.

You may have meant that the consumer ID should have a shorter lifetime
than the digital certificate, and that a consumer ID could be
regenerated at any time with the digital certificate.  This way, the
producer could terminate a consumer binding at any time (just as a web
server can terminate a user's cookie-based session at any time).  If the
consumer's ID stopped working, the consumer would resend the digital
certificate and generate a new consumer ID.  The chief advantage to this
I would see is the potential ability to send the digital certificate
over a secure encrypted channel and other interactions over an unsecured
channel.  This is analogous to the way that many websites ask for your
password on an SSL page but have your browser send the session cookie
over cleartext.

What do you think?

Cheers,
Sasha.

-----Original Message-----
From: Thomas Schaeck [mailto:SCHAECK@de.ibm.com]
Sent: Sunday, April 07, 2002 7:21 AM
To: Cassidy, Mark
Cc: 'wsrp@lists.oasis-open.org'
Subject: Re: [wsrp][security] minutes from 4.3 telecon




Mark,

here are some more thoughts about the "security life cycle":

Establish Business Relation
-------------------------------

0. In order to prepare for the following steps to be executed
automatically
on the technical level and obtain a credential to be used in step 1.
below,
the owner of a consumer may for example contact the owner of the
producer,
sign a contract and as a result obtain a customer number and password
(low
security) or a customer number and digital certificate (high security).
For
free services, no credential at all might be required.

Establish (technical) Trust Relation
----------------------------------------

Pre: - The consumer and the producer are not bound, no trust relation
exists -

1. The consumer sends a message to the producer indicating that it wants
to
start using the service (bind operation).

Depending on the required level of security and trust, the consumer's
message may contain:
- No credential
- others inbetween ?
- an SSL client certificate and signature

2. The producer receives the first request from the consumer with the
contaned credential in the bind operation

The producer determines whether the credential(s) provided by the
consumer
are sufficient. If yes, the producer assigns a consumer ID and sends it
back to the consumer for later reference. Otherwise it indicates that
credentials are missing and information on how/where to obtain these
credentials (see 0).

3. The consumer persistently stores the assigned consumer ID and uses it
in
all subsequent requests to the producer from which it was obtained. The
consumer may not share the consumer ID with others.

Post: - The consumer and producer are bound, the consumer is known to
the
producer under the consumer ID -

Operation
---------

Pre: - The consumer and producer are bound, the consumer is known to the
producer under the consumer ID -

4. Using the consumer ID, the consumer can use the producer's
service(s).
The producer may use the consumer ID for access control, to manage
instances, for logging for auditing porposes,  or to do billing.

Post: - The consumer and producer are bound, the consumer is known to
the
producer under the consumer ID -

Destroy (technical) Trust Relation
--------------------------------------

Pre: - The consumer and producer are bound, the consumer is known to the
producer under the consumer ID -

5. a) The consumer terminates the relation with the producer by invoking
an
unbind operation providing its consumer ID and discarding the consumer
ID
        -> the producer discards all persistent and transient state
associated with the consumer's ID

5. b) The producer terminates the relation with the consumer, e.g. by
        - blocking access for the consumer's ID (allowing for later
reactivation)
        - discarding the consumer's ID and all associated persistent or
transient state (final termination of relation)

Post: - The consumer and the producer do not have a relation, no trust
relation exists -

The two primary types of credentials that come to mind are
- Public Key Certificates (which may be used in SSL/TLS client
authentication to the service with existing infrastructure)
- others inbetween ?
- Something like customer numbers in combination with a password (which
may
securely be used in connections protected through SSL/TLS connections
established with server authentication)

Best regards,

Thomas



"Cassidy, Mark" <mcassidy@Netegrity.com> on 04/05/2002 04:51:47 AM

Please respond to "Cassidy, Mark" <mcassidy@Netegrity.com>

To:    "'wsrp@lists.oasis-open.org'" <wsrp@lists.oasis-open.org>
cc:
Subject:    [wsrp][security] minutes from 4.3 telecon



Attached are the minutes from the 4.3 telecon.  Those on the call, let
me
know if any corrections are needed.

Mark.

 <<wsrp security minutes.4.3.htm>>






----------------------------------------------------------------
To subscribe or unsubscribe from this elist use the subscription
manager: <http://lists.oasis-open.org/ob/adm.pl>