This is a static archive of the previous Open Grid Forum GridForge content management system saved from host forge.ogf.org file /sf/sfmain/do/go/artf5946?nav=1&selectedTab=comments at Sun, 06 Nov 2022 09:05:55 GMT

Project: OGSA-WG
Artifact artf5946 : a problem with the wording of C0701
Tracker: Attic
Title: a problem with the wording of C0701
Description:
Section 7: I still have a problem with the wording here. Stating in C0701 that “UsernameToken credentials SHOULD NOT be used for message authentication..”, and then having Section 7.2 explain how to indicate they should be used for message level client authentication, seems contradictory. C0701 also says username tokens “are not cryptographically verifiable.”. Of course, if one uses password digest (with nonce & timestamp) one can get cryptographically strong verification the sender knew the password and the token wasn’t pasted in from some other message. Was your intent in C0701 to warn people that username tokens should be used with caution since they: 1) don’t provide a basis for ensuring overall message integrity; 2) the binding between the token and message is weak? Perhaps just remove C0701 since it’s the only numbered security consideration in the document and the requirements in Section 4.2 already ensure it can’t be used unless you’re using secure transport.

by Blair Dillaway
Submitted By: Hiro Kishimoto
Submitted On: 07/08/2007 10:14 AM EDT
Last Modified: 11/12/2007 10:31 PM EST
Closed: 09/01/2007 9:52 PM EDT

Status
Status: Closed
Category: SP - Secure Soap
Priority: 3
Assigned To: Duane Merrill
Estimated Hours: 0
Actual Hours: 0
Comments
Andreas Savva: 11/12/2007 10:31 PM EST
  Action: Update
Category set to SP - Secure Soap
Andreas Savva: 11/12/2007 10:30 PM EST
  Action: Move
Moved from tracker1648 to Attic
Hiro Kishimoto: 09/01/2007 9:52 PM EDT
  Comment:
checked.
  Action: Update
Closed set to 09/01/2007
Status changed from Resolved to Closed
Duane Merrill: 07/27/2007 11:37 AM EDT
  Comment:
You are correct, digests help in the case where transport security isn't strong enough to provide confidentiality. The warnings should be, as you mention:

- Weak binding to the message 
- Susceptible to guessing attacks

However, I'm fine with just removing the warning.  (Which I've done.)
  Action: Update
Status changed from Open to Resolved
Hiro Kishimoto: 07/08/2007 10:14 AM EDT
  Action: Create
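
The password-digest check discussed in the description, as an added example that is not part of the original tracker entry or the OGSA document: it uses the WSS UsernameToken Profile formula Base64(SHA-1(nonce + created + password)). The function names, the dict layout of the token, and the five-minute freshness window are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(minutes=5)      # assumed freshness window, not from the page
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"    # UTC timestamp as carried in wsu:Created

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)), per the UsernameToken Profile."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def make_token(username: str, password: str, now: datetime) -> dict:
    """Sender side (hypothetical helper): fresh random nonce plus timestamp."""
    nonce = os.urandom(16)
    created = now.strftime(TS_FORMAT)
    return {"username": username,
            "nonce": base64.b64encode(nonce).decode("ascii"),
            "created": created,
            "digest": password_digest(nonce, created, password)}

def verify_token(token: dict, stored_password: str, now: datetime, seen: set) -> str:
    """Receiver side: return 'ok' or the reason the token is rejected.

    The receiver must hold the password (or an equivalent) to recompute the
    digest. Nothing from the SOAP body enters the hash, which is the weak
    token-to-message binding raised in the description.
    """
    try:
        nonce = base64.b64decode(token["nonce"], validate=True)
        created_str = token["created"]
        created = datetime.strptime(created_str, TS_FORMAT).replace(tzinfo=timezone.utc)
        digest = token["digest"].encode("ascii")
    except (KeyError, ValueError, AttributeError):
        return "malformed"
    if abs(now - created) > MAX_AGE:
        return "stale"              # timestamp outside the freshness window
    expected = password_digest(nonce, created_str, stored_password).encode("ascii")
    if not hmac.compare_digest(expected, digest):
        return "bad-digest"         # sender did not know the password
    if nonce in seen:
        return "replay"             # token pasted in from an earlier message
    seen.add(nonce)                 # a real cache would expire entries after MAX_AGE
    return "ok"
```
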