Note from Takuya Mori
Apr. 5, 2005
Note: Key information exchange for message level security (V0.2)
Frank Siebenlist, Samuel Meder and Takuya Mori
0. Introduction
This document defines a key information exchange for message level
security by using the Metadata element of the EndpointReference, as
defined in the latest WS-Addressing draft specification.
This document is intended to serve as a base input for the basic
profile discussion.
1. Use cases
The following are the use cases that the profiles specified in this
document intend to cover.
- When a client wants to send any encrypted message to a service, it
will have to know the key associated with that service.
- When a client wants to make a policy decision whether or not it
wants a certain service to serve its request, it has to know the
service's key-info.
2. Namespaces
This note uses the following namespaces to define the profile.
prefix   Namespace URI (Specification)
wsa:     http://www.w3.org/2005/03/addressing
ds:      http://www.w3.org/2000/09/xmldsig#
         (XML-Signature Syntax and Processing)
wsse:    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
         (Web Services Security v1.0)
ogsabp:  a Namespace URI for the Basic Profile 1.0 document
         (OGSA Basic Profile 1.0)
This note also uses the following entity references to ease the
description of the URIs.
&wsse;    the Namespace URI for Web Services Security v1.0
&ogsabp;  the Namespace URI for OGSA Basic Profile 1.0
3. Example
The following shows an example of what the profile is intended to
define.
(001) <wsa:EndpointReference>
(002)   <wsa:Address>http://www.globus.org/some/path</wsa:Address>
(003)   <wsa:Metadata>
(004)     <ogsabp:EndpointKeyInfo>
(005)       <wsse:SecurityTokenReference
                ogsabp:KeyUsage="&ogsabp;#signature">
(006)         <wsse:Reference URI="#token1"/>
(007)       </wsse:SecurityTokenReference>
(008)       <wsse:SecurityTokenReference
(009)           ogsabp:KeyUsage="&ogsabp;#encryption">
(010)         <wsse:Embedded>
(011)           <wsse:BinarySecurityToken
                    ValueType="&wsse;X509PKIpathv1">
(012)             MIIC.....
(013)           </wsse:BinarySecurityToken>
(014)         </wsse:Embedded>
(015)       </wsse:SecurityTokenReference>
(016)     </ogsabp:EndpointKeyInfo>
(017)   </wsa:Metadata>
(018) </wsa:EndpointReference>
(001)-(018) An example wsa:EndpointReference.
(004)-(016) An example ogsabp:EndpointKeyInfo element. The key
            information contained in the ogsabp:EndpointKeyInfo
            element is bound to the endpoint specified by the
            enclosing wsa:EndpointReference.
(005)-(007) An example of actual key information. The key is
            expressed by a wsse:SecurityTokenReference, and the
            ogsabp:KeyUsage attribute states that the key should be
            used for signature. The key data is referenced through
            the same-document reference "#token1".
(008)-(015) Another example of key information. The key is also
            expressed by a wsse:SecurityTokenReference, but here the
            key data is embedded in the element as a
            wsse:BinarySecurityToken inside wsse:Embedded. The
            ogsabp:KeyUsage attribute specifies that the key is to be
            used for encryption.
4. Infoset
The following are the definitions of the infosets referred to in this
note.
- /wsa:EndpointReference/wsa:Metadata
WS-Addressing defines optional wsa:Metadata element which is used to
hold metadata that is relevant to the interaction with the endpoint.
- /wsa:EndpointReference/wsa:Metadata/ogsabp:EndpointKeyInfo/
The ogsabp:EndpointKeyInfo element is defined as a ds:KeyInfoType, the
type defined in the XML-Signature specification to carry generic key
information. In this profile, the element specifies the key
information that should be used to interact with the endpoint.
- /wsa:EndpointReference/wsa:Metadata/ogsabp:EndpointKeyInfo/
wsse:SecurityTokenReference
Although the XML-Signature specification defines various types of
elements intended to be used as children of a ds:KeyInfoType element,
and also allows a ds:KeyInfoType element to contain arbitrary other
elements, this profile mandates the use of the
wsse:SecurityTokenReference element under the ogsabp:EndpointKeyInfo
element.
- /wsa:EndpointReference/wsa:Metadata/ogsabp:EndpointKeyInfo/
wsse:SecurityTokenReference/@ogsabp:KeyUsage
This profile defines an optional attribute, @ogsabp:KeyUsage, to
specify the usage of the key referenced by the
wsse:SecurityTokenReference. The value of @ogsabp:KeyUsage should be
one of the following:
Value                 Usage
&ogsabp;#encryption   Encryption key needed to interact with the endpoint.
&ogsabp;#signature    Signature key needed to interact with the endpoint.
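As an added example for sections 3 and 4 (not code from the note or from the OGSA profile), the following Python parses a wsa:EndpointReference, locates ogsabp:EndpointKeyInfo, enforces the two profile rules (only wsse:SecurityTokenReference children; @ogsabp:KeyUsage limited to the two defined URIs), and resolves each token either through a same-document "#fragment" reference or from wsse:Embedded. The ogsabp namespace URI is a placeholder, the wsu:Id attribute used to resolve "#token1" is an assumption not made in the note, and the sample EPR and token bytes are constructed here (the note's example has no definition of token1, so one is added).

```python
"""Added example (not from the note): extract the key information that an
ogsabp:EndpointKeyInfo element binds to a wsa:EndpointReference, applying
the rules of sections 3 and 4 of the note."""
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespace URIs from section 2.  The note does not fix the ogsabp URI, so a
# placeholder is used here (assumption); wsu is assumed for wsu:Id lookups.
WSA = "http://www.w3.org/2005/03/addressing"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
OGSABP = "urn:example:ogsa-basic-profile-1.0"  # placeholder, not a real URI

# Section 4: the only two values @ogsabp:KeyUsage may take.
KEY_USAGES = {OGSABP + "#encryption": "encryption",
              OGSABP + "#signature": "signature"}


def _qn(ns, local):
    """Clark-notation tag/attribute name as used by ElementTree."""
    return "{%s}%s" % (ns, local)


def fingerprint(raw):
    """SHA-256 of the decoded token bytes; a client can pin this (use case 2)."""
    return hashlib.sha256(raw).hexdigest()


def _resolve_token(str_el, ids):
    """Return the wsse:BinarySecurityToken an STR points at, either through a
    same-document wsse:Reference (#fragment) or a wsse:Embedded child."""
    ref = str_el.find(_qn(WSSE, "Reference"))
    if ref is not None:
        uri = ref.get("URI", "")
        if not uri.startswith("#") or uri[1:] not in ids:
            raise ValueError("unresolvable token reference %r" % uri)
        return ids[uri[1:]]
    bst = str_el.find(_qn(WSSE, "Embedded") + "/" + _qn(WSSE, "BinarySecurityToken"))
    if bst is None:
        raise ValueError("STR carries neither wsse:Reference nor wsse:Embedded")
    return bst


def extract_endpoint_keys(epr_xml):
    """Map key usage -> {value_type, raw, fingerprint} for one EPR.  Rejects
    children that are not wsse:SecurityTokenReference and unknown usages."""
    root = ET.fromstring(epr_xml)
    key_info = root.find("./%s/%s" % (_qn(WSA, "Metadata"),
                                      _qn(OGSABP, "EndpointKeyInfo")))
    if key_info is None:
        return {}
    # Index wsu:Id values so "#token1"-style references resolve locally.
    ids = {el.get(_qn(WSU, "Id")): el for el in root.iter() if el.get(_qn(WSU, "Id"))}
    keys = {}
    for child in key_info:
        if child.tag != _qn(WSSE, "SecurityTokenReference"):
            raise ValueError("profile mandates wsse:SecurityTokenReference, got %s" % child.tag)
        usage_uri = child.get(_qn(OGSABP, "KeyUsage"))
        usage = "unspecified" if usage_uri is None else KEY_USAGES.get(usage_uri)
        if usage is None:
            raise ValueError("unknown @ogsabp:KeyUsage %r" % usage_uri)
        if usage in keys:
            raise ValueError("duplicate key usage %r" % usage)
        bst = _resolve_token(child, ids)
        raw = base64.b64decode("".join((bst.text or "").split()))
        keys[usage] = {"value_type": bst.get("ValueType"),
                       "raw": raw, "fingerprint": fingerprint(raw)}
    return keys


# Constructed sample: the note's example plus a wsu:Id="token1" token so the
# "#token1" reference resolves.  Token contents are placeholder bytes, not DER.
SIG_TOKEN = b"constructed-signature-token"
ENC_TOKEN = b"constructed-encryption-token"
SAMPLE_EPR = """<wsa:EndpointReference xmlns:wsa="%(wsa)s" xmlns:wsse="%(wsse)s"
    xmlns:wsu="%(wsu)s" xmlns:ogsabp="%(bp)s">
  <wsa:Address>http://www.globus.org/some/path</wsa:Address>
  <wsa:Metadata>
    <ogsabp:EndpointKeyInfo>
      <wsse:SecurityTokenReference ogsabp:KeyUsage="%(bp)s#signature">
        <wsse:Reference URI="#token1"/>
      </wsse:SecurityTokenReference>
      <wsse:SecurityTokenReference ogsabp:KeyUsage="%(bp)s#encryption">
        <wsse:Embedded>
          <wsse:BinarySecurityToken ValueType="%(vt)s">%(enc)s</wsse:BinarySecurityToken>
        </wsse:Embedded>
      </wsse:SecurityTokenReference>
    </ogsabp:EndpointKeyInfo>
    <wsse:BinarySecurityToken wsu:Id="token1" ValueType="%(vt)s">%(sig)s</wsse:BinarySecurityToken>
  </wsa:Metadata>
</wsa:EndpointReference>""" % {
    "wsa": WSA, "wsse": WSSE, "wsu": WSU, "bp": OGSABP, "vt": WSSE + "X509PKIpathv1",
    "sig": base64.b64encode(SIG_TOKEN).decode(), "enc": base64.b64encode(ENC_TOKEN).decode()}

if __name__ == "__main__":
    for usage, info in extract_endpoint_keys(SAMPLE_EPR).items():
        print(usage, info["value_type"], info["fingerprint"])
```

A client picks keys["encryption"]["raw"] to encrypt toward the endpoint (use case 1) and compares keys["signature"]["fingerprint"] against a locally trusted value before deciding whether to let that service serve the request (use case 2). Unknown usages, non-STR children and dangling references are rejected rather than ignored, since silently skipping a key entry is how a client ends up encrypting to, or trusting, the wrong key.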
5. Schema
The following schema fragment defines the ogsabp:EndpointKeyInfo
element and the ogsabp:KeyUsage attribute used in this profile. The
ds prefix is declared and the XML-Signature schema imported so that
the ds:KeyInfoType reference resolves.
----
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
           xmlns:ogsabp="&ogsabp;"
           targetNamespace="&ogsabp;">
  <!-- ds:KeyInfoType is defined by the XML-Signature schema -->
  <xs:import namespace="http://www.w3.org/2000/09/xmldsig#"
             schemaLocation="http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/>
  <!-- definition of the EndpointKeyInfo element -->
  <xs:element name="EndpointKeyInfo" type="ds:KeyInfoType"/>
  <!-- definition of the KeyUsage attribute -->
  <xs:attribute name="KeyUsage" type="xs:anyURI"/>
</xs:schema>
----
6. Interoperability
To ensure interoperability, a wsse:SecurityTokenReference element MUST
conform to the requirements defined in section 4.2 of the WS-I Basic
Profile 1.0 document (SecurityTokenReferences).
To ensure interoperability, if the wsse:BinarySecurityToken refers to
or embeds an X509 Certificate, the wsse:BinarySecurityToken MUST
conform to the requirements defined in chapter 6 of the WS-I Basic
Profile 1.0 document (X509 Certificate Token Profile).
7. References
WS-Addressing
  Web Services Addressing 1.0 - Core
  http://www.w3.org/TR/2005/WD-ws-addr-core-20050331/
XML-Signature
  XML-Signature Syntax and Processing
  http://www.w3.org/TR/xmldsig-core/
Web Services Security
  Web Services Security: SOAP Message Security 1.0
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf
WS-I Basic Security Profile
  WS-I Basic Security Profile Working Group Draft
  http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html
End of Note