OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

wss message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: RE: [wss] Web Services Security Username Token Profile

Phil, thanks for you comments.  I have replied to some of them below.

- Gene -

> -----Original Message-----
> From: Phillip H. Griffin [mailto:phil.griffin@asn-1.com] 
> Sent: Wednesday, January 29, 2003 5:38 PM
> Subject: RE: [wss] Web Services Security Username Token Profile
> Gene Thurston wrote:
> > Thanks for the comments, Zahid.
> >
> > I agree that in practice SSL/TLS can, and will often (usually?), be
> > to provide these capabilities.  I still believe, however, that we
> > address cases where transport level security is either not an
option, or
> > for some other reason (application specific, perhaps) is not being
> >
> > On the XML Signature spec, the use of other algorithms will not
> > our compliance with the standard.  While the spec does define
> > identifiers for the DSA and RSA algorithms, it is intended to be
> > extensible: "... the mechanism is extensible; alternative algorithms
> > be used by signature applications."  This is analogous to the
> > in the <ds:KeyInfo> element, or the definition of Transform URIs,
> > of which we are currently planning to use for
> >  
> >
> Taking a look at the certificates shipped with my browser, it's would
> seem that RSA is dominant, not DSA. And PBE has long been a
> feature of the landscape.
> I guess I'd prefer to see RSA with SHA-1 required and RSA with MD5
> allowed. I don't think making DSA a requirement is particularly
> just some politics. But generally, I'd rather support extensibility
and let
> the market decide. Different communities will have different

If you are thinking that I am proposing we make certain public/private
signature algorithms REQUIRED or OPTIONAL or anything like that, they
misunderstood what I was saying.  It is the "XML Signature Syntax and 
Processing" specification (which was ratified as a standard by both the
and the IETF in February and March of 2002) that has defined
of DSA with SHA-1 as REQUIRED, and RSA with SHA-1 as optional.  These
the only two signature algorithms that have URI identifiers defined for 
them in that specification.  However, the spec does state that other 
algorithms CAN be used.  Therefore, since WS-Security is based on the
Signature spec, we cannot change the algorithm URI identifiers, but we
certainly create new identifiers for other algorithms.  Then, if we go
route, we could claim that these algorithms MUST be supported to be
compliant with our Username Token Profile.  

Of course, DSA and RSA are both public/private key signature algorithms,

which won't work with any Password Based Encryption scheme I know of ...

typically, PBE schemes are based on generating a symmetric key (like a 
triple-DES key, for instance) from a password.

> > I actually have no problem with your idea of keeping the existing
> > Username token profile (using nonce, creation timestame, digests,
> > and perhaps adding a second Username profile which would provide the
> > binding with the message.  This was, in fact, where my thinking was
> > headed, as well.
> >  
> >
> I'd prefer to keep this all in one document rather than grow more and
> more variations. And for me, adding a biometric template as an
> parameter to a user name and password is merely a wrinkle to the
> current work, not something that's worthy of a separate document.

I appologize for not having followed the biometric work closely. I guess
I don't quite understand what a "biometric template" is, nor what the 
ramifications of including it in a Username token are, so I probably
should not comment on it.  However, I'm stupid enough to try, anyway, so
please be gentle on me if I'm WAY off base.

So, my guess is that a biometric template would manifest itself as some 
string of bytes (probably Base64 encoded) that would be interpretted as 
a retina scan, finger print, or such by the receiver of them.  I see two

options for including this data.

(1) If you merely propose to add that as an additional piece of evidence

    along with a password (or equivalent), then I don't see much of a 
    problem with that. We could certainly create another optional
    (say, <wsse:BiometricTemplate>) under the <wsse:UsernameToken> 
    element, to hold this data.  We might also define a "BiometricType" 
    attribute for it and define a couple of URIs to represent the 
    standard biometrics, whatever those are. (Of course, leaving it open
    as an extensibility point for new, yet undefined, biometrics.) This 
    attribute would give processors the needed information on how to 
    "match" against the data. If we don't do that, then a client might 
    send a retina scan to a service that tries to match it against a 
    fingerprint, right?

(2) Another alternative would be to use the biometric template INSTEAD 
    of a password. If we took this route, then I would recommend we 
    simply define a new "Type" for the <wsse:Password> element (say, 
    wsse:PasswordBiometric) that means the data held in the
    element is a biometric, and that the receiver needs to "match" it 
    against a known biometric for the user named in the <wsse:Username> 
    element. (We would still have to deal with the different types of 
    biometrics, though.) As for "matching" of biometric data, I suspect 
    (big guess here) that the bytes do not need to be IDENTICAL, but 
    rather each kind of biometric has some "matching" algorithm that 
    produces a "close enough" sort of response. (Is this right?) If that

    is true, then two things come to mind. First, we could not use the 
    digest mechanism to avoid sending the biometric in the clear like we

    do with passwords, since that depends on both the sender and the 
    receiver having IDENTICAL bytes to start with.  Second, for the same

    reason, a PBE scheme could not be used. This is fine, it just means 
    that we need to clearly point these things out in the Security 
    Considerations or Threat Model sections, if one chooses to use that 

> > I do think, however, that we need to point out the security issues
> > the Threat Model, and at least state that secure transports can
> > alleviate these concerns.  (But, then again, if you are using a
> > transport, why bother doing anything more than sending the password
> > clear text?)
> >  
> >
> In a simple case this might be fine. But I can see a case for sending
> encrypted password to a recipient who forwarded the value on to a
> trusted authority that determined whether or not it was valid. A
> - bank - customer transaction might need to do that, or a mobile
> hooking up a customer to a merchant and bank could lead to this sort
> case.

Yes, I can see that.  The idea of a trust-broker.  Not direct trust
between the sender and receiver, but use of an agreed upon third party.

> But my biggest concern right now is process. How do we move the
> Username document forward without excessive delay or impacting the
> Core work? Seems to me we need a SC to go off and do the work
> on this document, then bring it back and try to sell the result to WSS
> proper.

Yes, I wonder the same thing w.r.t. *all* of the token profile docs.
I think Phil mentioned that nobody had given him comments on his XrML,
X.509 docs, either.  Perhaps sub-committees is the way to go.

> Phil
> Thanks, again,
> - Gene -
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC