
Dear All,

Please find an updated note for the EPR/KeyInfo in the below. The changes are:

1. Changed to use wsse:Usage attribute instead of defining our own ogsabp:KeyUsage for specifying the usage of the key-info.
2. Added some text to the wsse:Usage attribute.
   - absence of the usage attribute.
   - inconsistency on the usage defined in the key-info data itself
3. Some editorial changes.
4. Changed the version number to V0.3.

Regards,
Takuya Mori

----
Apr. 13, 2005

Note: Key information exchange for message level security (V0.3)

Frank Siebenlist, Samuel Meder and Takuya Mori

0. Introduction

This document defines key information exchange for message level security by using the Metadata element in the EndpointReference, which is defined in the latest WS-Addressing draft specification. This document is intended to serve as a base input for the basic profile discussion.

1. Use cases

The following are use cases that the profiles specified in this document intend to cover.

- When a client wants to send an encrypted message to a service, it has to know the key associated with that service.
- When a client wants to make a policy decision whether or not it wants a certain service to serve its request, it has to know the service's key-info.

2. Namespaces

This note uses the following namespaces to define the profile.

  prefix    Namespace URI (Specification)
  wsa:      http://www.w3.org/2005/03/addressing
  ds:       http://www.w3.org/2000/09/xmldsig# (XML-Signature Syntax and Processing)
  wsse:     http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd (Web Services Security v1.0)
  ogsabp:   a Namespace URI for the Basic Profile 1.0 document (OGSA Basic Profile 1.0)

This note also uses the following entity references to ease the description of the URIs.

  &wsse;    the Namespace URI for Web Services Security v1.0
  &ogsabp;  the Namespace URI for OGSA Basic Profile 1.0

3. Example

The following shows an example of what the profile is intended to define.
(001) <wsa:EndpointReference>
(002)   <wsa:Address>http://www.globus.org/some/path</wsa:Address>
(003)   <wsa:Metadata>
(004)     <ogsabp:EndpointKeyInfo>
(005)       <wsse:SecurityTokenReference wsse:Usage="&ogsabp;#signature">
(006)         <wsse:Reference URI="#token1"/>
(007)       </wsse:SecurityTokenReference>
(008)       <wsse:SecurityTokenReference
(009)           wsse:Usage="&ogsabp;#encryption">
(010)         <wsse:Embedded>
(011)           <wsse:BinarySecurityToken ValueType="&wsse;X509PKIpathv1">
(012)             MIIC.....
(013)           </wsse:BinarySecurityToken>
(014)         </wsse:Embedded>
(015)       </wsse:SecurityTokenReference>
(016)     </ogsabp:EndpointKeyInfo>
(017)   </wsa:Metadata>
(018) </wsa:EndpointReference>

(001)-(018) An example wsa:EndpointReference.

(004)-(016) An example of the ogsabp:EndpointKeyInfo element is shown. The actual key information contained in the ogsabp:EndpointKeyInfo element is bound to the endpoint specified by the enclosing wsa:EndpointReference.

(005)-(007) An example of actual key information is shown. The key is expressed by using wsse:SecurityTokenReference, and the wsse:Usage attribute shows that the key should be used for signature. The key data is referenced by the same-document reference "#token1".

(008)-(015) Another example of key information is shown. The key is also expressed by using wsse:SecurityTokenReference, but the actual key data is embedded in the element as a wsse:BinarySecurityToken in wsse:Embedded. The usage of the key is specified as encryption by the wsse:Usage attribute.

4. Infoset

The following are the descriptions or definitions of the infosets referred to or defined in this note.

- /wsa:EndpointReference/wsa:Metadata

  WS-Addressing defines the optional wsa:Metadata element, which is used to hold metadata that is relevant to the interaction with the endpoint.

- /wsa:EndpointReference/wsa:Metadata/ogsabp:EndpointKeyInfo/

  The ogsabp:EndpointKeyInfo element is defined as a ds:KeyInfoType, which is defined in the XML-Signature specification to contain generic key information.
  In this profile, the element is used to specify the key information which should be used to interact with the endpoint.

- /wsa:EndpointReference/wsa:Metadata/ogsabp:EndpointKeyInfo/wsse:SecurityTokenReference

  Although the XML-Signature specification defines various types of elements which are intended to be used as child elements of a ds:KeyInfoType element, and the specification also allows the ds:KeyInfoType element to have arbitrary types of elements in its content, this profile mandates the use of wsse:SecurityTokenReference elements under the ogsabp:EndpointKeyInfo element.

- /wsa:EndpointReference/wsa:Metadata/ogsabp:EndpointKeyInfo/wsse:SecurityTokenReference/@wsse:Usage

  WS-Security defines this optional attribute, which is used to type the usage of the wsse:SecurityTokenReference element. This profile defines the following values for the @wsse:Usage attribute to specify the usage of the key referenced by the wsse:SecurityTokenReference.

    Value                 Usage
    &ogsabp;#encryption   Encryption key needed to interact with the endpoint.
    &ogsabp;#signature    Signature verification key needed to interact with the endpoint.

  Absence of this attribute means that the key can be used for both encryption and signature verification.

  Implementations which create the key-info data MAY NOT set a value in this @wsse:Usage attribute that is inconsistent with the usage in the referenced key. For example, if the KeyUsage certificate extension of an X.509 public key certificate is marked as CRITICAL and set to Signing, then an implementation MAY NOT set &ogsabp;#encryption in the @wsse:Usage attribute. (Thus, in this case, the certificate cannot be used as an encryption key.)

  Implementations which detect an inconsistency between the value of the @wsse:Usage attribute and the usage specified in the referenced key itself MUST report an error and MAY NOT use the key for the usage specified by the @wsse:Usage attribute.

5. Schema

The following schema fragment defines the ogsabp:EndpointKeyInfo element defined in this profile.

----
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
           xmlns:ogsabp="&ogsabp;"
           targetNamespace="&ogsabp;">
  <!-- the ds prefix must be declared and the XML-Signature namespace
       imported before ds:KeyInfoType can be referenced -->
  <xs:import namespace="http://www.w3.org/2000/09/xmldsig#"/>
  <!-- definition of the EndpointKeyInfo element -->
  <xs:element name="EndpointKeyInfo" type="ds:KeyInfoType"/>
</xs:schema>
----

6. Interoperability

To ensure interoperability, a wsse:SecurityTokenReference element MUST conform to the requirements defined in section 4.2 of the WS-I Basic Profile 1.0 document (SecurityTokenReferences).

To ensure interoperability, if the wsse:BinarySecurityToken refers to or embeds an X.509 Certificate, the wsse:BinarySecurityToken MUST conform to the requirements defined in chapter 6 of the WS-I Basic Profile 1.0 document (X509 Certificate Token Profile).

7. Reference

WS-Addressing
  Web Services Addressing 1.0 - Core
  http://www.w3.org/TR/2005/WD-ws-addr-core-20050331/

XML-Signature
  XML-Signature Syntax and Processing
  http://www.w3.org/TR/xmldsig-core/

Web Service Security
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf

WS-I Basic Security Profile
  WS-I Basic Security Profile Working Group Draft
  http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html

End of Note
----
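As an added worked example that is not part of the note above, the following Python applies the section 4 rules for @wsse:Usage (an absent attribute means both usages; a claimed usage the referenced key does not permit is reported as an error and the key is not used for it) to a constructed EndpointReference modelled on the section 3 example. The ogsabp namespace URI, the token identifiers and the per-key permitted usages (which a real implementation would read from the referenced certificate's KeyUsage extension) are assumptions.

```python
import xml.etree.ElementTree as ET

WSA = "http://www.w3.org/2005/03/addressing"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
OGSABP = "urn:example:ogsabp-placeholder"  # assumption: the note does not fix this URI
NS = {"wsa": WSA, "wsse": WSSE, "ogsabp": OGSABP}
BOTH = frozenset({"encryption", "signature"})

def claimed_usages(str_elem):
    # Section 4: an absent @wsse:Usage means the key is usable for both.
    usage = str_elem.get("{%s}Usage" % WSSE)
    if usage is None:
        return BOTH
    if usage in (OGSABP + "#encryption", OGSABP + "#signature"):
        return frozenset({usage.rsplit("#", 1)[1]})
    raise ValueError("unknown wsse:Usage value: %s" % usage)

def token_id(str_elem):
    # Same-document wsse:Reference (#id), or the embedded token's own content.
    ref = str_elem.find("wsse:Reference", NS)
    if ref is not None:
        return ref.get("URI", "").lstrip("#")
    bst = str_elem.find("wsse:Embedded/wsse:BinarySecurityToken", NS)
    if bst is not None and bst.text and bst.text.strip():
        return bst.text.strip()
    raise ValueError("SecurityTokenReference carries no usable token")

def usable_keys(epr_xml, permitted_by_key):
    # permitted_by_key: token id -> usages the key itself allows (what a critical
    # X.509 KeyUsage extension says; supplied by the caller here, unknown = both).
    root = ET.fromstring(epr_xml)
    keys, errors = {}, []
    path = "wsa:Metadata/ogsabp:EndpointKeyInfo/wsse:SecurityTokenReference"
    for st in root.findall(path, NS):
        tid, claimed = token_id(st), claimed_usages(st)
        allowed = frozenset(permitted_by_key.get(tid, BOTH))
        if not claimed <= allowed:  # inconsistent: report, do not use the key
            errors.append("%s claims %s, key permits %s" % (tid, sorted(claimed), sorted(allowed)))
            continue
        keys[tid] = keys.get(tid, frozenset()) | claimed
    return keys, errors

# Constructed sample EPR modelled on the note's example (lines 004-016).
SAMPLE_EPR = ("<wsa:EndpointReference xmlns:wsa='%s' xmlns:wsse='%s' xmlns:ogsabp='%s'><wsa:Metadata>"
    "<ogsabp:EndpointKeyInfo><wsse:SecurityTokenReference wsse:Usage='%s#signature'>"
    "<wsse:Reference URI='#token1'/></wsse:SecurityTokenReference>"
    "<wsse:SecurityTokenReference wsse:Usage='%s#encryption'><wsse:Embedded>"
    "<wsse:BinarySecurityToken ValueType='%sX509PKIpathv1'>CONSTRUCTED-TOKEN"
    "</wsse:BinarySecurityToken></wsse:Embedded></wsse:SecurityTokenReference>"
    "</ogsabp:EndpointKeyInfo></wsa:Metadata></wsa:EndpointReference>") % (WSA, WSSE, OGSABP, OGSABP, OGSABP, WSSE)
```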