
Dear All,

I am resending our discussion material because I corrected a mistake which I made in the introduction. And also I made some changes to the document and added a version number to the title.

The changes are:
1. The correction of a mistake in chapter 0: WS-Agreement -> WS-Addressing
2. Addition of the XML-ns prefix definition for WS-Addressing in chapter 2.
3. Addition of a reference to the latest WS-Addressing specification in chapter 7.
4. Some editorial changes.

Regards,
Takuya Mori

----
Takuya Mori
From: Takuya Mori <mori@mcs.anl.gov>
Subject: Re: [ogsa-wg] OGSA Basic Profile Telecon Agenda 4/6
Date: Tue, 05 Apr 2005 21:04:22 -0500 (CDT)
Dear All,

The following is material for discussion of action item 1321.

Regards,
Takuya Mori
----
Apr. 5, 2005

Note: Key information exchange for message level security (V0.2)

Frank Siebenlist, Samuel Meder and Takuya Mori

0. Introduction

This document defines key information exchange for message level security by using the Metadata element of the EndpointReference, which is defined in the latest WS-Addressing draft specification. This document is intended to serve as a base input for the basic profile discussion.

1. Use cases

The following are the use cases that the profile specified in this document is intended to cover.

- When a client wants to send an encrypted message to a service, it has to know the key associated with that service.
- When a client wants to make a policy decision on whether it wants a certain service to serve its request, it has to know the service's key information.

2. Namespaces

This note uses the following namespaces to define the profile.

prefix    Namespace URI (Specification)
wsa:      http://www.w3.org/2005/03/addressing (WS-Addressing)
ds:       http://www.w3.org/2000/09/xmldsig# (XML-Signature Syntax and Processing)
wsse:     http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd (Web Services Security v1.0)
ogsabp:   a Namespace URI for the Basic Profile 1.0 document (OGSA Basic Profile 1.0)

This note also uses the following entity references to ease the description of the URIs.

&wsse;    the Namespace URI for Web Services Security v1.0
&ogsabp;  the Namespace URI for OGSA Basic Profile 1.0

3. Example

The following shows an example which the profile is intended to define.
(001) <wsa:EndpointReference>
(002)   <wsa:Address>http://www.globus.org/some/path</wsa:Address>
(003)   <wsa:Metadata>
(004)     <ogsabp:EndpointKeyInfo>
(005)       <wsse:SecurityTokenReference ogsabp:KeyUsage="&ogsabp;#signature">
(006)         <wsse:Reference URI="#token1"/>
(007)       </wsse:SecurityTokenReference>
(008)       <wsse:SecurityTokenReference
(009)           ogsabp:KeyUsage="&ogsabp;#encryption">
(010)         <wsse:Embedded>
(011)           <wsse:BinarySecurityToken ValueType="&wsse;X509PKIpathv1">
(012)             MIIC.....
(013)           </wsse:BinarySecurityToken>
(014)         </wsse:Embedded>
(015)       </wsse:SecurityTokenReference>
(016)     </ogsabp:EndpointKeyInfo>
(017)   </wsa:Metadata>
(018) </wsa:EndpointReference>

(001)-(018) An example wsa:EndpointReference.

(004)-(016) An example of the ogsabp:EndpointKeyInfo element is shown. The key information contained in the ogsabp:EndpointKeyInfo element is bound to the endpoint specified by the enclosing wsa:EndpointReference.

(005)-(007) An example of actual key information is shown. The key is expressed using wsse:SecurityTokenReference, and the ogsabp:KeyUsage attribute shows that the key should be used for signature. The key data is referenced by the same-document reference "#token1".

(008)-(015) Another example of key information is shown. The key is also expressed using wsse:SecurityTokenReference, but the actual key data is embedded in the element as a wsse:BinarySecurityToken inside wsse:Embedded. The usage of the key is specified as encryption by the ogsabp:KeyUsage attribute.

4. Infoset

The following are the definitions of the infosets referred to in this note.

- /wsa:EndpointReference/wsa:Metadata

  WS-Addressing defines the optional wsa:Metadata element, which is used to hold metadata that is relevant to the interaction with the endpoint.

- /wsa:EndpointReference/wsa:Metadata/ogsabp:EndpointKeyInfo/

  The ogsabp:EndpointKeyInfo element is defined as a ds:KeyInfoType, which is defined in the XML-Signature specification to contain generic key information.
  In this profile, the element is used to specify the key information that should be used to interact with the endpoint.

- /wsa:EndpointReference/wsa:Metadata/ogsabp:EndpointKeyInfo/wsse:SecurityTokenReference

  Although the XML-Signature specification defines various types of elements which are intended to be used as child elements of the ds:KeyInfoType element, and the specification also allows the ds:KeyInfoType element to have arbitrary types of elements in its content, this profile mandates the use of the wsse:SecurityTokenReference element under the ogsabp:EndpointKeyInfo element.

- /wsa:EndpointReference/wsa:Metadata/ogsabp:EndpointKeyInfo/wsse:SecurityTokenReference/@ogsabp:KeyUsage

  This profile defines an optional attribute, @ogsabp:KeyUsage, to specify the usage of the key referenced by the wsse:SecurityTokenReference. The value of @ogsabp:KeyUsage should be one of the following:

  Value                  Usage
  &ogsabp;#encryption    Encryption key needed to interact with the endpoint.
  &ogsabp;#signature     Signature key needed to interact with the endpoint.

5. Schema

The following schema fragment defines the ogsabp:EndpointKeyInfo element and the ogsabp:KeyUsage attribute defined in this profile.

----
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
           xmlns:ogsabp="&ogsabp;"
           targetNamespace="&ogsabp;">

  <!-- the ds: namespace must be declared and imported so that
       ds:KeyInfoType resolves -->
  <xs:import namespace="http://www.w3.org/2000/09/xmldsig#"/>

  <!-- definition of the EndpointKeyInfo element -->
  <xs:element name="EndpointKeyInfo" type="ds:KeyInfoType"/>

  <!-- definition of the KeyUsage attribute -->
  <xs:attribute name="KeyUsage" type="xs:anyURI"/>

</xs:schema>
----

6. Interoperability

To ensure interoperability, a wsse:SecurityTokenReference element MUST conform to the requirements defined in section 4.2 of the WS-I Basic Profile 1.0 document (SecurityTokenReferences).
To ensure interoperability, if the wsse:BinarySecurityToken refers to or embeds an X509 Certificate, the wsse:BinarySecurityToken MUST conform to the requirements defined in chapter 6 of the WS-I Basic Profile 1.0 document (X509 Certificate Token Profile).

7. Reference

WS-Addressing
  Web Services Addressing 1.0 - Core
  http://www.w3.org/TR/2005/WD-ws-addr-core-20050331/

XML-Signature
  XML-Signature Syntax and Processing
  http://www.w3.org/TR/xmldsig-core/

Web Services Security
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf

WS-I Basic Security Profile
  WS-I Basic Security Profile Working Group Draft
  http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html

End of Note
----
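As an added example (not part of the note or of any OGSA implementation), the following Python parser reads a wsa:EndpointReference of the form shown in section 3 and enforces the section 4 constraints on the client side: only wsse:SecurityTokenReference children under ogsabp:EndpointKeyInfo, and @ogsabp:KeyUsage limited to the two defined values. The ogsabp namespace URI and the BinarySecurityToken ValueType are constructed placeholders, since the note gives them only as entity references.

```python
import xml.etree.ElementTree as ET
# Namespace URIs from section 2 of the note; the ogsabp URI is a constructed
# placeholder because the note only defines it as the entity reference &ogsabp;.
WSA = "http://www.w3.org/2005/03/addressing"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
OGSABP = "urn:example:ogsa-basic-profile-1.0"
KEY_USAGES = {OGSABP + "#signature": "signature",
              OGSABP + "#encryption": "encryption"}

def parse_endpoint_key_info(epr_xml):
    # Section 4 rules: only wsse:SecurityTokenReference children are allowed
    # under EndpointKeyInfo, and @ogsabp:KeyUsage must be one of the defined URIs.
    root = ET.fromstring(epr_xml)
    if root.tag != f"{{{WSA}}}EndpointReference":
        raise ValueError("root element is not wsa:EndpointReference")
    result = {"address": root.findtext(f"{{{WSA}}}Address"), "keys": []}
    keyinfo = root.find(f"{{{WSA}}}Metadata/{{{OGSABP}}}EndpointKeyInfo")
    for stref in (keyinfo if keyinfo is not None else []):
        if stref.tag != f"{{{WSSE}}}SecurityTokenReference":
            raise ValueError(f"disallowed child of EndpointKeyInfo: {stref.tag}")
        usage_uri = stref.get(f"{{{OGSABP}}}KeyUsage")
        if usage_uri is not None and usage_uri not in KEY_USAGES:
            raise ValueError(f"unknown KeyUsage value: {usage_uri}")
        key = {"usage": KEY_USAGES.get(usage_uri)}   # None when attribute absent
        ref = stref.find(f"{{{WSSE}}}Reference")
        bst = stref.find(f"{{{WSSE}}}Embedded/{{{WSSE}}}BinarySecurityToken")
        if ref is not None:      # as in lines (005)-(007): same-document reference
            key.update(kind="reference", uri=ref.get("URI"))
        elif bst is not None:    # as in lines (008)-(015): embedded token
            key.update(kind="embedded", value_type=bst.get("ValueType"),
                       token=(bst.text or "").strip())
        else:
            raise ValueError("SecurityTokenReference carries no key data")
        result["keys"].append(key)
    return result

# Constructed sample mirroring lines (001)-(018) of the note's example.
SAMPLE_EPR = f"""<wsa:EndpointReference xmlns:wsa="{WSA}" xmlns:wsse="{WSSE}"
    xmlns:ogsabp="{OGSABP}">
  <wsa:Address>http://www.globus.org/some/path</wsa:Address>
  <wsa:Metadata><ogsabp:EndpointKeyInfo>
    <wsse:SecurityTokenReference ogsabp:KeyUsage="{OGSABP}#signature">
      <wsse:Reference URI="#token1"/></wsse:SecurityTokenReference>
    <wsse:SecurityTokenReference ogsabp:KeyUsage="{OGSABP}#encryption">
      <wsse:Embedded><wsse:BinarySecurityToken ValueType="{WSSE}#X509PKIpathv1">
        MIIC.....</wsse:BinarySecurityToken></wsse:Embedded>
    </wsse:SecurityTokenReference>
  </ogsabp:EndpointKeyInfo></wsa:Metadata>
</wsa:EndpointReference>"""
```

Because an EPR arrives from a remote peer, a deployment should parse it with a hardened XML parser and resolve "#token1" only within the same document, never by fetching anything.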