[ogsa-wg] OGSA Basic Profile Telecon Agenda 4/6

Takuya Mori mori at mcs.anl.gov
Tue Apr 5 21:04:22 CDT 2005


Dear All,

The following is material for the discussion of action item 1321.

Regards,
Takuya Mori

From: Tom Maguire <tmaguire at us.ibm.com>
Subject: [ogsa-wg] OGSA Basic Profile Telecon Agenda 4/6
Date: Tue, 5 Apr 2005 14:49:17 -0500

> The following is a proposed agenda for OGSA-WG telecon on April 6th
> Wednesday from noon to 2pm (CDT) 1PM-3PM (EDT).
> 
> The dial-in number for Wednesday:
>   Free: +1-800-664-6895
>   Toll: +1-719-955-1126
>   passcode: 285178
    :: 
> 3) Review AIs
> Action 1321: Frank & Sam to come up with text and schema for 1321

----
                                                           Apr. 5, 2005

Note:  Key information exchange for message-level security

             Frank Siebenlist, Samuel Meder and Takuya Mori

0. Introduction
  This document defines a key information exchange for message-level
  security using the wsa:Metadata element of the EndpointReference,
  which is defined in the latest WS-Addressing draft specification.

  This document is intended to serve as a base input for the basic
  profile discussion.

1. Use cases
  The following are the use cases that the profile specified in this
  note intends to cover.

  - When a client wants to send an encrypted message to a service, it
    has to know the key associated with that service.

  - When a client wants to make a policy decision on whether it wants
    a certain service to serve its request, it has to know the
    service's key information.

2. Namespaces
  This note uses the following namespaces to define the profile.

  prefix   Namespace URI (Specification)
  ds:      http://www.w3.org/2000/09/xmldsig#
           (XML-Signature Syntax and Processing)
  wsse:    http://docs.oasis-open.org/wss/2004/01/
                          oasis-200401-wss-wssecurity-secext-1.0.xsd
           (Web Services Security v1.0)
  ogsabp:  a Namespace URI for the Basic Profile 1.0 document
           (OGSA Basic Profile 1.0)

  This note also uses the following entity references to shorten
  the URIs.

  &wsse;   the Namespace URI for Web Services Security v1.0
  &ogsabp; the Namespace URI for OGSA Basic Profile 1.0

3. Example
  The following shows an example of the metadata that this profile is
  intended to define.

  (001) <wsa:EndpointReference>
  (002)   <wsa:Address>http://www.globus.org/some/path</wsa:Address>
  (003)   <wsa:Metadata>
  (004)     <ogsabp:EndpointKeyInfo>
  (005)       <wsse:SecurityTokenReference 
                ogsabp:KeyUsage="&ogsabp;#signature">
  (006)         <wsse:Reference URI="#token1"/>
  (007)       </wsse:SecurityTokenReference>
  (008)       <wsse:SecurityTokenReference
  (009)         ogsabp:KeyUsage="&ogsabp;#encryption">
  (010)         <wsse:Embedded>
  (011)           <wsse:BinarySecurityToken 
                    ValueType="http://docs.oasis-open.org/wss/2004/01/
                    oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1">
  (012)             MIIC.....
  (013)           </wsse:BinarySecurityToken>
  (014)         </wsse:Embedded>
  (015)       </wsse:SecurityTokenReference>
  (016)     </ogsabp:EndpointKeyInfo>
  (017)   </wsa:Metadata>
  (018) </wsa:EndpointReference>

(001)-(018) An example wsa:EndpointReference.
(004)-(016) An example of the ogsabp:EndpointKeyInfo element.  The key
            information contained in the ogsabp:EndpointKeyInfo element
            is bound to the endpoint specified by the enclosing
            wsa:EndpointReference.
(005)-(007) An example of actual key information.  The key is expressed
            using wsse:SecurityTokenReference, and the ogsabp:KeyUsage
            attribute shows that the key should be used for signature.
            The key data is referenced by the same-document reference
            "#token1" (the element carrying that identifier is not shown
            in this example).
(008)-(015) Another example of key information.  The key is also
            expressed using wsse:SecurityTokenReference, but the actual
            key data is embedded in the element as a
            wsse:BinarySecurityToken inside wsse:Embedded; the ValueType
            identifies it as an X.509 PKI path as defined by the WSS
            X.509 Certificate Token Profile.  The usage of the key is
            specified as encryption by the ogsabp:KeyUsage attribute.

4. Infoset
  The following are the definitions of the infoset items referred to
  in this note.

- /wsa:EndpointReference/wsa:Metadata
  WS-Addressing defines the optional wsa:Metadata element, which is
  used to hold metadata relevant to the interaction with the endpoint.

- /wsa:EndpointReference/wsa:Metadata/ogsabp:EndpointKeyInfo
  The ogsabp:EndpointKeyInfo element is defined as a ds:KeyInfoType,
  which the XML-Signature specification defines to contain generic key
  information.  In this profile, the element is used to specify the
  key information that should be used to interact with the endpoint.

- /wsa:EndpointReference/wsa:Metadata/ogsabp:EndpointKeyInfo/
  wsse:SecurityTokenReference
  Although the XML-Signature specification defines various types of
  elements intended to be used as children of a ds:KeyInfoType element,
  and also allows the ds:KeyInfoType element to have arbitrary types of
  elements in its content, this profile mandates the use of the
  wsse:SecurityTokenReference element under the ogsabp:EndpointKeyInfo
  element.

- /wsa:EndpointReference/wsa:Metadata/ogsabp:EndpointKeyInfo/
  wsse:SecurityTokenReference/@ogsabp:KeyUsage
  This profile defines an optional attribute, @ogsabp:KeyUsage, to
  specify the usage of the key referenced by the
  wsse:SecurityTokenReference.  The value of @ogsabp:KeyUsage should
  be one of the following:

    Value                Usage
    &ogsabp;#encryption  Encryption key needed to interact with the 
                         endpoint.
    &ogsabp;#signature   Signature key needed to interact with the
                         endpoint. 
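
  The following Python parser is an added example, not code from this
  note or from the OGSA-WG; it applies the rules of sections 3 and 4 to
  an EndpointReference: only wsse:SecurityTokenReference children are
  accepted under ogsabp:EndpointKeyInfo, @ogsabp:KeyUsage is checked
  against the two defined values, a wsse:Reference is resolved only as a
  same-document "#id" reference (via wsu:Id), and an embedded
  wsse:BinarySecurityToken is checked for a known X.509 ValueType and
  decoded.  Assumptions: the ogsabp namespace URI is a placeholder
  (the note leaves it undefined), the WS-Addressing namespace is the
  W3C one, the target of "#token1" is placed beside EndpointKeyInfo
  inside wsa:Metadata, and the token bodies are placeholder bytes, not
  real certificates.

```python
import base64
import xml.etree.ElementTree as ET

# WSA (WS-Addressing 1.0 Core), WSSE, WSU and the WSS X.509 Token Profile URIs are
# the published ones; OGSABP is an assumed placeholder (the note leaves it open).
WSA = "http://www.w3.org/2005/08/addressing"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
X509 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"
OGSABP = "urn:example:ogsa-basic-profile-1.0"  # placeholder, not a real namespace
KNOWN_VALUE_TYPES = {X509 + "#X509v3", X509 + "#X509PKIPathv1"}
KNOWN_USAGES = {OGSABP + "#signature", OGSABP + "#encryption"}


class ProfileError(ValueError):
    """The EPR breaks one of the profile rules in section 4 of the note."""


def q(ns, local):
    return "{%s}%s" % (ns, local)  # Clark notation, as ElementTree expects


def _resolve_same_document(root, uri):
    # Only '#id' references are accepted, matched against wsu:Id attributes.
    if not uri.startswith("#"):
        raise ProfileError("only same-document references are handled: %r" % uri)
    hits = [el for el in root.iter() if el.get(q(WSU, "Id")) == uri[1:]]
    if len(hits) != 1:  # zero hits is unresolvable, more than one is ambiguous
        raise ProfileError("%r resolves to %d elements" % (uri, len(hits)))
    return hits[0]


def _decode_token(bst):
    # Check a wsse:BinarySecurityToken and return its ValueType and raw bytes.
    if bst.tag != q(WSSE, "BinarySecurityToken"):
        raise ProfileError("expected wsse:BinarySecurityToken, got %s" % bst.tag)
    value_type = bst.get("ValueType")
    if value_type not in KNOWN_VALUE_TYPES:
        raise ProfileError("unsupported ValueType %r" % value_type)
    try:  # validate=True rejects characters outside the base64 alphabet
        raw = base64.b64decode("".join((bst.text or "").split()), validate=True)
    except ValueError as exc:
        raise ProfileError("token body is not valid base64: %s" % exc)
    return {"value_type": value_type, "der": raw}


def extract_endpoint_keys(epr_xml):
    """Map each ogsabp:KeyUsage URI (None when absent) to the token it designates."""
    root = ET.fromstring(epr_xml)
    key_info = root.find("./%s/%s" % (q(WSA, "Metadata"), q(OGSABP, "EndpointKeyInfo")))
    if root.tag != q(WSA, "EndpointReference") or key_info is None:
        raise ProfileError("no wsa:EndpointReference/wsa:Metadata/ogsabp:EndpointKeyInfo")
    keys = {}
    for child in key_info:
        # ds:KeyInfoType would admit ds:X509Data etc.; the profile mandates STRs only.
        if child.tag != q(WSSE, "SecurityTokenReference"):
            raise ProfileError("non-STR child in EndpointKeyInfo: %s" % child.tag)
        usage = child.get(q(OGSABP, "KeyUsage"))
        if usage is not None and usage not in KNOWN_USAGES:
            raise ProfileError("unknown KeyUsage %r" % usage)
        if usage in keys:
            raise ProfileError("duplicate KeyUsage %r" % usage)
        ref = child.find(q(WSSE, "Reference"))
        emb = child.find(q(WSSE, "Embedded"))
        if (ref is None) == (emb is None):
            raise ProfileError("STR needs exactly one of wsse:Reference, wsse:Embedded")
        bst = (_resolve_same_document(root, ref.get("URI", "")) if ref is not None
               else emb.find(q(WSSE, "BinarySecurityToken")))
        if bst is None:
            raise ProfileError("wsse:Embedded carries no wsse:BinarySecurityToken")
        keys[usage] = _decode_token(bst)
    return keys


def is_profile_conformant(epr_xml):
    try:
        extract_endpoint_keys(epr_xml)
    except (ProfileError, ET.ParseError):
        return False
    return True


# Constructed sample EPR modelled on the note's example; token bodies are placeholder
# bytes.  The target of "#token1" sits beside EndpointKeyInfo, identified by wsu:Id.
SIG_BYTES = b"placeholder signature certificate"
ENC_BYTES = b"placeholder encryption PKI path"
SAMPLE_EPR = """<wsa:EndpointReference xmlns:wsa="{wsa}" xmlns:wsse="{wsse}"
    xmlns:wsu="{wsu}" xmlns:ogsabp="{ogsabp}">
  <wsa:Address>http://www.globus.org/some/path</wsa:Address>
  <wsa:Metadata>
    <ogsabp:EndpointKeyInfo>
      <wsse:SecurityTokenReference ogsabp:KeyUsage="{ogsabp}#signature">
        <wsse:Reference URI="#token1"/>
      </wsse:SecurityTokenReference>
      <wsse:SecurityTokenReference ogsabp:KeyUsage="{ogsabp}#encryption">
        <wsse:Embedded><wsse:BinarySecurityToken ValueType="{x509}#X509PKIPathv1">{enc}</wsse:BinarySecurityToken></wsse:Embedded>
      </wsse:SecurityTokenReference>
    </ogsabp:EndpointKeyInfo>
    <wsse:BinarySecurityToken wsu:Id="token1" ValueType="{x509}#X509v3">{sig}</wsse:BinarySecurityToken>
  </wsa:Metadata>
</wsa:EndpointReference>""".format(wsa=WSA, wsse=WSSE, wsu=WSU, ogsabp=OGSABP, x509=X509,
    sig=base64.b64encode(SIG_BYTES).decode(), enc=base64.b64encode(ENC_BYTES).decode())

# Same EPR with a ds:KeyName child, which ds:KeyInfoType allows but the profile forbids.
BAD_EPR = SAMPLE_EPR.replace("<ogsabp:EndpointKeyInfo>", "<ogsabp:EndpointKeyInfo>"
    '<ds:KeyName xmlns:ds="http://www.w3.org/2000/09/xmldsig#">k</ds:KeyName>', 1)
```

  extract_endpoint_keys(SAMPLE_EPR) returns both tokens keyed by their
  KeyUsage URI, while BAD_EPR, an unresolvable "#id", or a reference to
  an external URI are rejected.  The parser establishes nothing about
  trust in the keys it returns: an EPR obtained from an untrusted or
  unauthenticated source can carry any key, so the policy decision of
  use case 2 still has to rest on how the EPR itself was obtained.  For
  EPRs from untrusted parties, parse with a hardened XML parser
  (e.g. defusedxml) rather than xml.etree directly.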

5. Schema
  The following schema fragment defines the ogsabp:EndpointKeyInfo
  element and the ogsabp:KeyUsage attribute defined in this profile.
  Because EndpointKeyInfo reuses ds:KeyInfoType, the ds prefix must be
  declared and the XML-Signature schema imported.

  ----
  <?xml version="1.0" encoding="UTF-8"?>
  <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" 
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:ogsabp="&ogsabp;" 
    targetNamespace="&ogsabp;">

      <xs:import namespace="http://www.w3.org/2000/09/xmldsig#"
        schemaLocation="http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/>

      <!-- definition of the EndpointKeyInfo element -->
      <xs:element name="EndpointKeyInfo" type="ds:KeyInfoType"/>

      <!-- definition of the global KeyUsage attribute -->
      <xs:attribute name="KeyUsage" type="xs:anyURI"/>

  </xs:schema>
  ----
     
6. Interoperability
  To ensure interoperability, a wsse:SecurityTokenReference element
  MUST conform to the requirements defined in section 4.2 of the WS-I
  Basic Security Profile 1.0 document (SecurityTokenReferences).

  To ensure interoperability, if a wsse:SecurityTokenReference refers
  to, or a wsse:BinarySecurityToken embeds, an X.509 certificate, the
  wsse:BinarySecurityToken MUST conform to the requirements defined in
  chapter 6 of the WS-I Basic Security Profile 1.0 document (X509
  Certificate Token Profile).

7. References
  XML-Signature
     XML-Signature Syntax and Processing,
     http://www.w3.org/TR/xmldsig-core/

  Web Services Security
     Web Services Security: SOAP Message Security 1.0,
     http://docs.oasis-open.org/wss/2004/01/
     oasis-200401-wss-soap-message-security-1.0.pdf

  WS-I Basic Security Profile
     WS-I Basic Security Profile 1.0, Working Group Draft,
     http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html

End of Note
----