This is a static archive of the previous Open Grid Forum GridForge content management system saved from host forge.ogf.org file /sf/sfmain/do/go/artf5305?nav=1&selectedTab=comments at Sun, 06 Nov 2022 09:03:09 GMT SourceForge : artf5305: (1321) Discovery of key-info for encryption in message level security

Project Home

Tracker

Documents

Tasks

Source Code

Discussions

File Releases

Wiki

Project Admin

Glance

Calendar
Search Tracker
Project: OGSA-WG     Trackers > WSRF Basic Profile > View Artifact
Artifact artf5305 : (1321) Discovery of key-info for encryption in message level security
Tracker: WSRF Basic Profile
Title: (1321) Discovery of key-info for encryption in message level security
Description:
Service Group Profile/ EPR embedding.
Submitted By: Tom Maguire
Submitted On: 03/14/2005 3:21 AM EST
Last Modified: 06/30/2008 10:48 PM EDT
Closed: 06/10/2005 2:46 AM EST

Status / Comments Change Log Associations Attachments  
Status  
Group: *
Status:* Closed
Category: * Version 1.0
Customer: *
Priority: * 2
Assigned To: * Takuya Mori
Reported in Release: *
Fixed in Release: *
Estimated Hours: * 0
Actual Hours: * 0
Comments
Andreas Savva: 06/30/2008 10:48 PM EDT
  Comment:
Assigned category due to minor expected tweaks as a result of the experience document
  Action: Update
Category set to Version 1.0
Andreas Savva: 06/10/2005 2:46 AM EST
  Comment:
Confirmed in v017 (gridforge draft 11) that the Appendix D contains (a modified) version of the attached note.
  Action: Update
Andreas Savva: 06/10/2005 2:46 AM EST
  Action: Update
artifact_status changed from Fixed to Closed
close_date changed from - to 2005-06-10 16:46:17
Tom Maguire: 04/20/2005 2:50 PM EST
  Comment:
appendix added based on mailing list and telecon discussions
  Action: Update
Tom Maguire: 04/20/2005 2:50 PM EST
  Action: Update
artifact_status changed from Pending to Fixed
Tom Maguire: 04/06/2005 10:46 AM EST
  Comment:
Note from Takuya Mori  


                                                          Apr. 5, 2005

Note:  Key infomation exchange for message level security (V0.2)

             Frank Siebenlist, Samuel Meder and Takuya Mori

0. Introduction
  This document is to define key information exchange for message level
  security by using the Matadata element in the EndpointReference which 
  is defined in the latest WS-Addressing draft specification.  

  This document is intended to serve as a base input for the basic 
  profile discussion.

1. Use cases
  The followings are use cases that the profiles specified in the 
  document intend to cover.

  - When a client wants to send any encrypted message to a service, it 
    will have to know the key associated with that service.

  - When a client wants to make a policy decision whether or not it 
    wants a certain service to serve its request, it has to know the 
    service's key-info.

2. Namespaces
  This note uses the following namespaces to define the profile.

  prefix   Namespece URI (Specification)
  wsa:     http://www.w3.org/2005/03/addressing
  ds:      http://www.w3.org/2000/09/xmldsig#
           (XML-Signature Syntax and Processing)
  wsse:    http://docs.oasis-open.org/wss/2004/01/
                          oasis-200401-wss-wssecurity-secext-1.0.xsd
           (Web Services Security v1.0)
  ogsa-bp: a Namespace URI for the Basic Profile 1.0 document
           (OGSA Basic Profile 1.0) 

  And this note also uses the following entity references to ease 
  the description of the URIs.

  &wsse;   the Namespace URI for Web Services Security v1.0
  &ogsabp; the Namespace URI for OGSA Basic Profile 1.0

3. Example
  The following shows an example which the profile is intended to 
  define.

  (001) <wsa:EndpointReference>
  (002)   <wsa:Address>http://www.globus.org/some/path</wsa:Address>;
  (003)   <wsa:Metadata>
  (004)     <ogsabp:EndpointKeyInfo>
  (005)       <wsse:SecurityTokenReference 
                ogsabp:KeyUsage="&ogsabp;#signature">
  (006)         <wsse:Reference URI="#token1"/>
  (007)       </wsse:SecurityTokenReference>
  (008)       <wsse:SecurityTokenReference
  (009)         ogsabp:KeyUsage="&ogsabp;#encryption">
  (010)         <wsse:Embedded>
  (011)           <wsse:BinarySecurityToken 
                                    ValueType="&wsse;X509PKIpathv1">
  (012)             MIIC.....
  (013)           </wsse:BinarySecurityToken>
  (014)         </wsse:Embedded>
  (015)       </wsse:SecurityTokenReference>
  (016)     </ogsabp:EndpointKeyInfo>
  (017)   </wsa:Metadata>
  (018) </wsa:EndpointReference>

(001)-(018) An example wsa:EndointReference
(004)-(016) An example of ogsabp:EndpointKeyInfo elment is shown.  
            The actual key information contained in the 
            ogsabp:EndpointKeyInfo element is bound to the endpoint 
            specified by the enclosing wsa:EndpointReference.
(005)-(007) An example of actual key information is shown.  The key is
            expressed by using wsse:SecurityTokenReference and the
            ogsabp:KeyUsage attribute shows that the key shoud be used 
            for signature.  The key data is referenced by the same
            document referece, "#token1".
(008)-(015) Another example of key information is shown.  The key is 
            also expressed by using wsse:SecurityTokenReference, but
            the actual key data is embbeded in the element as a 
            wsse:BinarySecurityToken in wsse:Embedded.  And the usage 
            of the key is specified as encryption by the
            ogsabp:KeyUsage attribute.

4. Infoset
  The following is the definitions of the infosets refered to in this
  note.

- /wsa:EndpointReference/wsa:Metadata
  WS-Addressing defines optional wsa:Metadata element which is used to
  hold metadata that is relevant to the interaction with the endpoint.

- /wsa:EndpointReference/wsa:Metadata/osgabp:EndpointKeyInfo/
  The ogsabp:EndpointKeyInfo is defined as a ds:KeyInfoType which is
  defined in the XML-Signture specification to contain generic key 
  information.  In this profile, the element is used to specify a key 
  information which should be used to interact with the endpoint.

- /wsa:EndpointReference/wsa:Metadata/ogsabp:EndpointKeyInfo/
  wsse:SecurityTokenReference
  Although the XML-Signature specification defines various types of 
  elements which are intended to be used as a child element of 
  ds:KeyInfoType element and the specification also allows the 
  ds:KeyInfoType element to have arbitary types of elements in its
  content, this profile mandates the use of 
  wsse:SecurityTokenReference element under the ogsabp:EndpointKeyInfo
  element.
  
- /wsa:EndpointReference/wsa:Metadata/ogsabp:EndpointKeyInfo/
  wsse:SecurityTokenReference/@ogsabp:KeyUsage
  This profile defines an optional attribute, @ogsabp:KeyUsage, to 
  specify the usage of the key referenced by the 
  wsse:SecurityTokenReference.  The value of the @ogsabp:KeyUsage
  should be one of the followings:

    Value                Usage
    &ogsabp;#encryption  Encryption key needed to interact with the 
                         endpoint.
    &ogsabp;#signature   Signature key needed to interact with the
                         endpoint. 

5. Schema
  The following schema fragment defines ogsabp:EndpointReferenceType 
  element and ogsabp:KeyUsage attribute defined in this profile.

  ----
  <?xml version="1.0" encoding="UTF-8"?>
  <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" 
    xmlns:ogsabp="&ogsabp;" 
    targetNamespace="&ogsabp;">

      <!-- definition f the EndpointKeyInfo element -->
      <xs:element name="EndpointKeyInfo" type="ds:KeyInfoType"/>

      <!-- definition of the KeyUsage Attribute -->
      <xs:attribute name="KeyUsage" type="xs:anyURI"/>

  </xs:schema>
  ----
     
6. Interoperability
  To ensure the interoperability, a wsse:SecurityTokenReference element
  MUST comform to the requirements defined in the section 4.2
  of the WS-I Basic Profile 1.0 document (SecurityTokenReferences).

  To ensure the interoperability, if the wsse:BinarySecurityToken 
  refers to or embeds an X509 Certificate, the wsse:BinarySecurityToken
  MUST comform to the requirements defined in the chapter 6 of the
  WS-I Basic Profile 1.0 document (X509 Certificate Token Profile).

7. Reference
  WS-Addressing 
     Web Services Addressing 1.0 - Core
     http://www.w3.org/TR/2005/WD-ws-addr-core-20050331/

  XML-Signature
     XML-Signature Syntax and Processing, 
     http://www.w3.org/TR/xmldsig-core/

  Web Service Security
     http://docs.oasis-open.org/wss/2004/01/
     oasis-200401-wss-soap-message-security-1.0.pdf

  WS-I Basic Security Profile 
     WS-I Basic Security Profile Working Groupd Draft
     http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html

End of Note
----
  Action: Update
Tom Maguire: 04/06/2005 10:46 AM EST
  Action: Update
assigned_to changed from 100 to 578
Priority changed from - to 2
Tom Maguire: 03/14/2005 3:21 AM EST
  Action: Update
artifact_status changed from Open to Pending
Tom Maguire: 03/14/2005 3:21 AM EST
  Action: Create


 
 
 
< Previous
 
 
Next >
 


The Open Grid Forum Contact Webmaster | Report a problem | GridForge Help
This is a static archive of the previous Open Grid Forum GridForge content management system saved from host forge.ogf.org file /sf/sfmain/do/go/artf5305?nav=1&selectedTab=comments at Sun, 06 Nov 2022 09:03:09 GMT