OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

wss message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [wss] HMAC Key Derivation in UsernameToken Profile Issue


I agree. Something should be mentioned about key derivation.

Section 7.1 of the core spec says about <wsse:SecurityTokenReference>
element as follows and our current discussion is about this case:
| This element can be used as a direct child of <ds:KeyInfo> to
| indicate a hint to retrieve the key information from a security
| token placed somewhere else.

So, how about including sentenses such as:
  When a UsernameToken is referenced from <ds:KeyInfo> element,
  it can be used to derive a key. The detail will be specified
  (Please give us better English wording!)
in Section 3.2 of UsernameToken profile?

Now, I wonder about other tokens:
  When SAML Token is references from <ds:KeyInfo>, what does it mean?
  Should we say something about it in SAML Token profile?


At Fri, 09 Jan 2004 10:43:12 -0800,
Blake Dournaee wrote:
> All,
> This comment by Srinivas echoes my sentiments exactly. We should say
> something about key derivation for the Username Profile, even if it is
> to say that it is specified elsewhere. Not all developers may be
> familiar with the WS-I BSP at first and this issue is a major
> interoperability stumbling block if left open.
> Blake Dournaee
> Senior Security Architect
> Sarvega, Inc.
> http://www.sarvega.com/
> -----Original Message-----
> From: Srinivas, Davanum M [mailto:Davanum.Srinivas@ca.com] 
> Sent: Friday, January 09, 2004 5:05 AM
> To: Anthony Nadalin; wss@lists.oasis-open.org
> Subject: RE: [wss] HMAC Key Derivation in UsernameToken Profile Issue
> Anthony, Team,
> My 2 cents...We should address this issue in WSS-TC as there is already
> a precedent (WSE 2.0 Tech Preview) and is one of the first stumbling
> blocks a customer would face when doing an interop. A customer will find
> that 2 toolkits claiming to support the same version of the WSS spec and
> profiles from OASIS will NOT work out of the box and the customer will
> find out that he needs to request information from the Vendors about not
> just WSS spec compliance, but also WS-I BSP compliance which will reduce
> the importance of this spec. 
> thanks,
> dims
> PS: FYI, i ran into this in may of last year, see attached email on how
> difficult it was to get details if the spec is not complete. 
>   _____  
> From: Anthony Nadalin [mailto:drsecure@us.ibm.com] 
> Sent: Thursday, January 08, 2004 9:12 PM
> To: wss@lists.oasis-open.org
> Subject: RE: [wss] HMAC Key Derivation in UsernameToken Profile Issue
> > What do others think? I still feel strongly that this issue is a bane
> on interoperability for the Username Token profile.
> It seems like this would be best handled by the WS-I BSP since there are
> many different mechanisms that could be used. Now is the prime time 
> to bring this up since we are in early phase of the BSP.
> Anthony Nadalin | work 512.436.9568 | cell 512.289.4122 

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]