Issues for Common Secure Interoperability Version 2 RTF mailing list
To comment on any of these issues, send email to csiv2-ftf@omg.org. (Please include the issue number in the Subject: header, thusly: [Issue ###].) To submit a new issue, send email to issues@omg.org.
List of issues (green=resolved, yellow=pending Board vote, red=unresolved)
Issue 3906: CSIv2 Protocol
Issue 3922: GSSUP Names are inconsistent other security mechanisms.
Issue 3932: Service ID missing
Issue 3948: GSSUP names are incompatible with the Identity Token
Issue 3972: Format of GSSUP GSS exported name object undefined
Issue 3973: inconsistent definition of target_name field
Issue 3974: CSIv2 IOR Tagged component Identifier values
Issue 3975: INVALID recommended cipher suites
Issue 4118: Multiple Privilege Authorities and Supported Naming Types
Issue 4141: ISL changes to break dependency on Security and SECIOP modules
Issue 4142: Module suggestions
Issue 4143: OIDs
Issue 4200: Module SSLIOP Does Not Contain Host
Issue 4221: Issue: inconsistent definition of AuthorizationToken
Issue 4268: How to Partition the ServiceConfiguration syntax space to support vendor sp
Issue 4277: New minor codes for NO_PERMISSION Exception in CSIv2
Issue 4281: No Tokens in EstablishContext Message
Issue 4282: Inability to specify per method target security requirements
Issue 4293: CSIv2 Issue: SECIOP does not have multiple addresses.
Issue 4308: The encoding of GSSUP ICT's is not clearly specified
Issue 4326: CSIv2 TSS state machine lacks states to enforce target policy for
Issue 4327: clarification of csiv2 stateful conformance requirements
Issue 4330: How to Partition the AuthorizationElementType regarding vendor extensions
Issue 3906: CSIv2 Protocol (csiv2-ftf)
Click here for this issue's archive.
Source: Syracuse University (Dr. Polar Humenn, polar(at)adiron.com)
Nature: Uncategorized Issue
Severity:
Summary:
ssue on Document orbos/2000-08-04, CSIv2 Joint Submission:
Document: orbos/2000-08-04 CSIv2 Joint Submmission
Subject: Protocol and IOR incompatabilities for Identity Assertion
Severity: Critical
Summary:
The CSIv2 protocol is too vague on acceptance of identity tokens.
This yeilds an uneeded and unwarranted complexity in implemenations.
Vague protocols are not a good idea. It limits interoperability.
Discussion:
In the IOR, the CSIv2 protocol states a list of OIDs signifying the
acceptable forms of an IdentityToken delivered by the client. This list of
acceptable name forms is stated only to apply to GSS_NT_ExportedName
types. There are no OIDs signifying that an X.501 DN or X.509 Public Key
Certificate are acceptable.
It seems that the specification is written so that both X.501 DNs and
X.509 Certificate chains are always acceptable. This requirement would
cause all clients to send only X.501 DNs or X.509 Certificate Chains,
regardless of the server listing its acceptable name types. Also, there is
no indication of which of an X.501 DN or X.509 Public Key Certificate
Chain is desirable. This is vague.
It is completely unwarranted to tell all CSI mechanisms that they must
support X.509 DNs or X.509 Certificate chains. These name forms may not be
relevant to the mechanism at all. The mechanism may not support public key
technology, have facility for verification of certificates, may not be
able to parse X.501 DNs or X.509 Certificate Chains, and further more, but
not least, the security mechanism may not know what to do with it. One
example, might be an TCPIP CSI mechanism that only wants to accept
Kerberos principal names, Unix user names, or NT user names. DNs or
Certificate Chains are irrelevant.
With that in mind, a client should not be allowed to send the server an
X.509 certificate chain or an X.501 DN at it. Those name forms are not
acceptable to the server.
The easiest way around this problem is to allocated OIDs under the OMG OID
that signify the acceptance of each of the X.509 DNs and X.509 Public Key
Certificate chains. Servers that accept X.501 DNs and X.509 Public Key
Certificate chains for identity assertion shall list the appropriate OIDs
in the IOR.
Resolution: Apply revised text and close issue
Revised Text: Base document:
http://cgi.omg.org/pub/csiv2-ftf/csiv2-031401.pdf
[1] Replace the paragraph 53, which starts with "A target that supports
identity assertion shall ...", with the following:
When a TSS rejects a request because it carries an identity token
constructed using an identity type or naming mechanism that is not
supported by the target, the TSS shall return a ContextError service
context element containing major and minor status codes indicating the
mechanism was invalid.
[2] In the CSI Module page 16-61, change the last two of the
IdentityTokenType constants, such that they are powers of 2, for use in a
bitmap. Also, change its type definition to an unsigned long and add
the comment as follows:
typedef unsigned long IdentityTokenType;
// Additional standard identity token types shall only be defined by the
// OMG. All IdentityTokenType constants shall be a power of 2.
const IdentityTokenType ITTAbsent = 0;
const IdentityTokenType ITTAnonymous = 1;
const IdentityTokenType ITTPrincipalName = 2;
const IdentityTokenType ITTX509CertChain = 4;
const IdentityTokenType ITTDistinguishedName = 8;
[3] On page 16-46 and in the CSIIOP module IDL section on page 16-65, add
a new field called "supported_identity_types" to the SAS_ContextSec
structure, such that it is defined as follows:
struct SAS_ContextSec{
AssociationOptions target_supports;
AssociationOptions target_requires;
sequence <ServiceConfiguration> privilege_authorities;
CSI::OIDList supported_naming_mechanisms;
CSI::IdentityTokenType supported_identity_types;
};
[4] Replace para 149 with the following: (the section reference is
actually a cross reference, in which case it may change in detail based on
other changes to the document).
The supported_naming_mechanisms field shall contain a list of 0 or more
GSS mechanism OIDs. A TSS shall set the value of this field to contain the
GSS mechanism OIDs for which the target supports identity assertions using
an identity token of type ITTPrincipalName. The Identity token types are
defined in Section 16.2.5, "Identity Token Format," on page 16-17.
[5] Add the following new paragraphs after the new para 149:
The value of the supported_identity_types field shall be the bitmapped
representation of the set of identity token types for which the target
supports. The target always supports ITTAbsent.
The value in supported_identity_types shall be non-zero if and only if the
IdentityAssertion bit is non-zero in target_supports. The bit
corresponding to the ITTPrincipalName identity token type shall be
non-zero in supported_identity_types if and only if the value in
supported_naming_mechanisms contains at least one element.
[6] In section 16.9.3 (the CSI module idl) add the IdentityExtension
typedef and add a default selector to the IdentityTokenType union as
follows:
typedef sequence <octet> IdentityExtension;
union IdentityToken switch ( IdentityTokenType ) {
case ITTAbsent: boolean absent;
case ITTAnonymous: boolean anonymous;
case ITTPrincipalName: GSS_NT_ExportedName principal_name;
case ITTX509CertChain: X509CertificateChain certificate_chain;
case ITTDistinguishedName: X501DistinguishedName dn;
default: IdentityExtension id;
};
[7] after paragraph 50 add the following new paragraphs:
In addition to the identity token types described in the following table,
the IdentityTokenType as defined in Section 16.9.3, "Module CSI - Common
Secure Interoperability," provides for the definition of additional CSIv2
identity token types through the default selector of the IdentityToken
union type. Additional standard identity token types shall only be
defined by the OMG. All IdentityTokenType constants shall be a power of 2.
Actions taken:
September 20, 2000: received issue
October 3, 2001: closed issue
Issue 3922: GSSUP Names are inconsistent other security mechanisms. (csiv2-ftf)
Click here for this issue's archive.
Source: Syracuse University (Dr. Polar Humenn, polar(at)adiron.com)
Nature: Uncategorized Issue
Severity: Minor
Summary: Document: orbos/2000-08-04 CSIv2 Joint Submission
Subject: GSSUP Names are inconsistent other security mechanisms.
Severity: Medium
Summary:
The names supplied in the InitialContextToken for the UserName password
scheme invents a name type called a Security::ScopedName. This is just yet
another name type that must be dealt with and is completely inconsistent
with anything else used for names. The contents of the scope and the name
are underspecified.
Discussion:
The structure should allow for all forms of name types. The easiest
way to do accomplish consistency is to use a GSS exported Name type.
struct InitialContextToken {
Security::GSS_NT_ExportedName username;
Security::UTF8String password;
};
That way a password database can even store names that are DN's,
X509GeneneralNames, Kerberos Names, NT Usernames, etc.
Resolution: Close issue with revised text
Revised Text: The following modifications are presented against document http://cgi.omg.org/pub/csiv2-ftf/csiv2-0117011.pdf. with the assumption that the resolution of Issue 4141 has been applied. (Moving GSS_NT_ExportedName from Security to CSI).
[1] Change the IDL between paragraphs 48 and 49 to the following:
// GSSUP::InitialContextToken
struct InitialContextToken {
CSI::UTF8String username;
CSI::UTF8String password;
CSI::GSS_NT_ExportedName target_name;
};
[2] Replace paragraph 49 with the following.
The target_name field of the GSSUP::InitialContextToken contains the name of the authentication domain in which the client is authenticating. This field aids the TSS in processing the authentication should the TSS support several authentication domains. A CSS shall fill the target_name field of the GSSUP::InitialContextToken with the contents of the target_name field of the CSIIOP::AS_ContextSec structure of the chosen CSI mechanism.
[3] In Section 16.9.5, Module GSSUP change the definition InitialContextToken to the following:
struct InitialContextToken {
CSI::UTF8String username;
CSI::UTF8String password;
CSI::GSS_NT_ExportedName target_name;
};
[4] In Section 16.9.5, Remove all extraneous definitons from the GSSUP module.
Resolution to Issue 4141 introduces NameValue and ScopedName to the GSSUP module, which were moved from the Security Module.
Actions taken:
September 28, 2000: received issue
October 3, 2001: closed issue
Issue 3932: Service ID missing (csiv2-ftf)
Click here for this issue's archive.
Source: Oracle (Mr. Ron Monzillo, ronald.monzillo(at)east.sun.com)
Nature: Uncategorized Issue
Severity:
Summary: CSIV2 service context element, SecurityAttributeService,
must be assigned a service id.
Description:
const ServiceId SecurityAttributeService = xx;
A numerical value must be reserved within the OMG service
id space to identify CSIv2 service context elements. The
value will replace the temporary value ("xx") appearing in the
submission.
Discussion:
Proposed Solution:
const ServiceId SecurityAttributeService = 15;
Resolution: No action needed from the FTF, purely administrative
Revised Text:
Actions taken:
October 3, 2000: received issue
October 3, 2001: closed issue
Issue 3948: GSSUP names are incompatible with the Identity Token (csiv2-ftf)
Click here for this issue's archive.
Source: Syracuse University (Dr. Polar Humenn, polar(at)adiron.com)
Nature: Uncategorized Issue
Severity: Critical
Summary: The name type used in the GSSUP mechanism for Client Authentication over
the transport name type is not convertible to anything used by the
Identity Token. This situation becomes a problem when on the server side
where you need to quote, (i.e. identity assert) the client's authenticated
identity to another CSIv2 CORBA outcall on behalf of the client.
Resolution: Close issue as duplicate of 3922
Revised Text:
Actions taken:
October 13, 2000: received issue
October 3, 2001: closed issue
Discussion: The solution is to change the GSSUP name type to a GSS_NT_ExportedName
form, where it can easily be lifted. This is also the subject of another
previous issue raised about GSSUP name types. This solution will solve
both problems.
Issue 3972: Format of GSSUP GSS exported name object undefined (csiv2-ftf)
Click here for this issue's archive.
Source: Oracle (Mr. Ron Monzillo, ronald.monzillo(at)east.sun.com)
Nature: Uncategorized Issue
Severity:
Summary: Document: orbos/2000-08-04 CSIv2 Final Submission
Issue:
Format of GSSUP GSS mechanism-independent exported name object, a
special form of "flat" name as described below, is not defined.
Description:
>From RFC 2473 section 1.1.5 Naming
> Different classes of name representations are used in conjunction
> with different GSS-API parameters:
>
> - Internal form (denoted in this document by INTERNAL NAME),
> opaque to callers and defined by individual GSS-API
> implementations. GSS-API implementations supporting multiple
> namespace types must maintain internal tags to disambiguate the
> interpretation of particular names. A Mechanism Name (MN) is a
> special case of INTERNAL NAME, guaranteed to contain elements
> corresponding to one and only one mechanism; calls which are
> guaranteed to emit MNs or which require MNs as input are so
> identified within this specification.
>
> - Contiguous string ("flat") form (denoted in this document by
> OCTET STRING); accompanied by OID tags identifying the namespace
> to which they correspond. Depending on tag value, flat names may
> or may not be printable strings for direct acceptance from and
> presentation to users. Tagging of flat names allows GSS-API
> callers and underlying GSS-API mechanisms to disambiguate name
> types and to determine whether an associated name's type is one
> which they are capable of processing, avoiding aliasing problems
> which could result from misinterpreting a name of one type as a
> name of another type.
>
> - The GSS-API Exported Name Object, a special case of flat name
> designated by a reserved OID value, carries a canonicalized form
> of a name suitable for binary comparisons.
Resolution:
Revised Text: Resolution:
Define a "flat name" type OID and format. It would also be good to have these OIDs specified
somewhere. We can do that in IDL with string constants, using dot notation for OIDs
Close issue with revised text.
Revised Text:
The following modifications are presented against document
http://cgi.omg.org/pub/csiv2-ftf/csiv2-0117011.pdf
with the assumption that the resolution of Issue 4141 has
been applied, i.e. Moving GSS_NT_ExportedName from Security
to CSI, and the assumption that the resolution of Issue 4143
has been applied, i.e. creation of the CSI::StringOID type.
[1] Add the following at the end (following para 54) of
section 15.2.5 Identity Token Format GSS Exported Name
Object Form for GSSUP Mechanism.
The mechanism OID within the exported name object shall
be that of the GSSUP mechanism.
{iso-itu-t (2) international-organization (23) omg (130)
security (1) authentication (1) gssup-mechanism (1)}
The name component within the exported name object shall
be a contiguous string conforming to the syntax of the
scoped-username GSS name form. The encoding of GSS
mechanism-independent exported name objects is defined in
[IETF RFC 2743].
Scoped-Username GSS Name Form
The scoped-username GSS name form is defined as follows,
where name_value and name_scope contain a sequence of 1
or more UTF8 encoded characters.
scoped-username ::= name_value | name_value@name_scope | @name_scope
The '@' character shall be used to delimit name_value
from name_scope. All non-delimiter instances of '@' and
all non-quoting instances of '\' shall be quoted with an
immediately-preceding '\'. Except for these cases, the
quoting character, '\', shall not be emitted within a
scoped-username.
The Object Identifier corresponding to the GSS
scoped-username name form is:
{iso-itu-t (2) international-organization (23) omg (130)
security (1) naming (2) scoped-username(1)}
[2] Insert the following definitions in Section 16.9.6,
Module CSI, after the definition of GSS_NT_ExportedNameList.
// The GSS Object Identifier for the KRB5 mechanism is:
//
// { iso(1) member-body(2) United States(840) mit(113554)
// infosys(1) gssapi(2) krb5(2) }
const StringOID KRB5MechOID = "oid:1.2.840.113554.1.2.2";
// The GSS Object Identifier for name objects of the
// Mechanism-idependent Exported Name Object type is:
// {iso(1) org(3) dod(6) internet(1) security(5)
// nametypes(6) gss-api-exported-name(4)}
const StringOID GSS_NT_Export_Name_OID = "oid:1.3.6.1.5.6.4";
// The GSS Object Identifier for the scoped-username name form is:
// {iso-itu-t (2) international-organization (23) omg (130)
// security (1) naming (2) scoped-username(1)}
const StringOID GSS_NT_Scoped_Username_OID = "oid:2.23.130.1.2.1";
Actions taken:
October 19, 2000: received issue
October 3, 2001: closed issue
Discussion: Section 3.5 of the CSIv2 document describes Identity Tokens, however it
did not describe the format of the "name blob" (that is the part
following the mechanism OID and length) within a GSSUP Exported Name
Object.
Issue 3973: inconsistent definition of target_name field (csiv2-ftf)
Click here for this issue's archive.
Source: Oracle (Mr. Ron Monzillo, ronald.monzillo(at)east.sun.com)
Nature: Uncategorized Issue
Severity:
Summary: Document: orbos/2000-08-04 CSIv2 Final Submission
Issue:
target_name(s) field of struct AS_ContextSec is defined and described
inconsistently in various places in the submission.
Description:
In section 6.1.4.1 this field is defined as
sequence <Security::GSS_NT_exportedName> target_names;
and defined as a list of target names.
In the IDL in section B.7 this field is defined as
sequence <Security::GSS_NT_exportedName> target_name;
There are other places in the document where the singular form of this
field name is used, including in the examples of the scenarios chapter.
Proposed Solution:
The change of this field to a list was not necessary, as it is difficult
to make a case for requiring multiple target names within a single
mechanism (as there is a multiple mechanism workaround).
We should at least fix the inconsitencies in the document. If we keep
the
ability to express multiple targets, then we should also say something
about the semantics of position in the list.
The prefered solution would be to revert back to the singular form.
Security::GSS_NT_exportedName target_name;
and fix all references to this field accordingly.
Resolution: Make it singular. Close issue with revised text.
Revised Text: The following modifications are presented against document http://cgi.omg.org/pub/csiv2-ftf/csiv2-0117011.pdf. with the assumption that the resolution of Issue 4141 has been applied. (Moving OID and GSS_NT_ExportedName from Security to CSI).
[1] Change the IDL between para 138 and 139 to the following:
struct AS_ContextSec{
AssociationOptions target_supports;
AssociationOptions target_requires;
CSI::OID client_authentication_mech;
CSI::GSS_NT_ExportedName target_name;
};
[2] Change para 141 to read:
The target uses the target_name field to make its security name and or
authentication domain available to clients. This information may be
required by the client to obtain or construct (depending on the mechanism)
a suitable initial context token.
[3] Change the IDL definition of AS_ContextSec in Section 16.9.7,
Module CSIIOP to the following:
struct AS_ContextSec{
AssociationOptions target_supports;
AssociationOptions target_requires;
CSI::OID client_authentication_mech;
CSI::GSS_NT_ExportedName target_name;
};
Actions taken:
October 19, 2000: received issue
October 3, 2001: closed issue
Issue 3974: CSIv2 IOR Tagged component Identifier values (csiv2-ftf)
Click here for this issue's archive.
Source: Oracle (Mr. Ron Monzillo, ronald.monzillo(at)east.sun.com)
Nature: Uncategorized Issue
Severity:
Summary: Document: orbos/2000-08-04 CSIv2 Final Submission
Issue:
tagged component identifier values must be assigned for
components TAG_NULL_TAG, TAG_CSI_SEC_MECH_LIST, and
TAG_SECIOP_SEC_TRANS.
Description:
const IOP::ComponentId TAG_CSI_SEC_MECH_LIST = aa;
const IOP::ComponentId TAG_NULL_TAG = bb;
const IOP::ComponentId TAG_SECIOP_SEC_TRANS = cc;
Numerical values must be reserved within the OMG tag list to
identify these new tagged components. These values will replace the
temporary values, "aa", "bb", and "cc" appearing in the submission.
Discussion:
Proposed Solution:
const IOP::ComponentId TAG_CSI_SEC_MECH_LIST = 33;
const IOP::ComponentId TAG_NULL_TAG = 34;
const IOP::ComponentId TAG_SECIOP_SEC_TRANS = 35;
Resolution: editorial, close issue
Revised Text:
Actions taken:
October 19, 2000: received issue
October 3, 2001: closed issue
Discussion: TAG values for aforementioned constants allocated by OMG and incorporated
in the IDL editorially.
Issue 3975: INVALID recommended cipher suites (csiv2-ftf)
Click here for this issue's archive.
Source: Oracle (Mr. Ron Monzillo, ronald.monzillo(at)east.sun.com)
Nature: Uncategorized Issue
Severity:
Summary: Document: orbos/2000-08-04 CSIv2 Final Submission
Issue:
Section "5.2.1" Recommended SSSL/TLS Ciphersuites" incorrectly names 4
cipher suites.
Description:
The first 4 cipher suites in the recommended list do not exist as they
were named. The invalid appearing in this list are:
TLS_RSA_EXPORT_WITH_RC4_128_MD5
SSL_RSA_EXPORT_WITH_RC4_128_MD5
TLS_DHE_DSS_EXPORT_WITH_DES_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES_CBC_SHA
Proposed Solution:
Replace the invalid names listed above with the following:
TLS_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_MD5
TLS_DHE_DSS_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
Resolution: Make the replacements as suggested above.
Revised Text:
Actions taken:
October 19, 2000: received issue
October 3, 2001: closed issue
Issue 4118: Multiple Privilege Authorities and Supported Naming Types (csiv2-ftf)
Click here for this issue's archive.
Source: Syracuse University (Dr. Polar Humenn, polar(at)adiron.com)
Nature: Uncategorized Issue
Severity:
Summary: Multiple privilege authorities and multiple naming types yield
combinatorial problems for the client.
Discussion:
This issue is sort of in the same regards to Issue 3973 where Ron thinks
that having multiple target_name(s) in the AS_ContextSec is a bad idea, of
which I agree.
The type of the privilege_authorities field in the CSIIOP::SAS_ContextSec
structure sequence<ServiceConfiguration>. It suffers the same problem,
especially when combined with multiple supported naming types.
It is completely hard to determine having multiple privilege authorities
and the names that must be used to assert the identity for the privileges.
In fact, the client may get back an AuthorizationToken that he doesn't
understand, but will need to assert an identity for it's use, quite
possibly with endorsement. Having multiple naming types supported per
privilege authority is fine, but combine that with multiple ones, and you
may get a decision problem for the client.
It is better to be able to specify a one-to-one correspondence, locking
down the combinations that a server will accept, and the client doesn't
have to do any mucking about deciding what will work.
Proposed Solution:
Singularize the privilege authorities field.
Unfortunately IDL has a hard time making a singular field become optional
without doing something bizzare, such as:
switch(boolean) {
true: ServiceConfiguration privilege_authority
}
which requires a new type, etc.
I have two proposals:
Proposal 1:
We signularize the field in name, i.e. "privilege_authority". Keep the
sequence definition. However, stating in the specification at most one
must be contained. This can be hinted at as well in IDL.
struct SAS_ContextSec{
Security::AssociationOptions target_supports;
Security::AssociationOptions target_requires;
sequence <ServiceConfiguration,1> privilege_authority;
sequence <Security::OID> supported_naming_mechanisms;
};
Proposal 2:
We specify a ServiceConfigurationSyntax tag for "none", and specify that
the sequence of octet associated with it is empty.
// Corresponding ServiceName for the SCS_None Syntax should be an empty
// sequence octets.
const ServiceConfigurationSyntax SCS_None = -1;
struct SAS_ContextSec{
Security::AssociationOptions target_supports;
Security::AssociationOptions target_requires;
ServiceConfiguration privilege_authority;
sequence <Security::OID> supported_naming_mechanisms;
};
For efficiency I'm in favor of the second approach, because I can just
look a the ServiceConfiguration::syntax field and know what to do. The
first proposal causes me to look at the length first, index to the first
element in the array, and then look at the syntax field.
As an aside, I also wouldn't mind changing the sequence<Security::OID>
type into a Security::OIDList, but that can be the subject of another
issue. Also note, to be specific with the document I am pointing to, I
used the "Security" definitions. Hopefully, we will follow one proposal to
change the Security::AssociationOptions to CSIIOP::AssociationOptions and
Security::OID and Security::OIDList to CSI::OID and CSI::OIDList
respectively.
Resolution: Close issue with revised text.
Revised Text: Base document:
http://cgi.omg.org/pub/csiv2-ftf/csiv2-031401.pdf
[1] Replace Paragraph 148 with the following two paragraphs:
The privilege_authorities field contains a sequence of zero or more
ServiceConfiguration elements. A non-empty sequence indicates that the
target supports the CSS delivery of an AuthorizationToken, which is
delivered in the EstablishContext message. A CSS shall not be required to
look beyond the first element of this sequence unless required by the
first element.
The syntax field within the ServiceConfiguration element identifies the
format used to represent the authority. Two alternative formats are
currently defined: an ASN.1 encoding of the GeneralNames (as defined in
[IETF RFC 2459]) which identify a privilege authority, or a GSS exported
name (as defined in [IETF RFC 2743] Section 3.2) encoding of the name of
a privilege authority.
Actions Taken:
Actions taken:
January 10, 2001: received issue
October 3, 2001: closed issue
Issue 4141: ISL changes to break dependency on Security and SECIOP modules (csiv2-ftf)
Click here for this issue's archive.
Source: Oracle (Mr. Ron Monzillo, ronald.monzillo(at)east.sun.com)
Nature: Uncategorized Issue
Severity:
Summary: Document: orbos/2000-08-04 CSIv2 Final Submission
Issue:
Section "IDL" Contains dependencies on the IDL of the security
specification (the SECURITY, SECIOP, and SSLIOP modules)
Description:
The IDL for CSIv2 is dependent on the AssociationOptions type of the
SECURITY module, and proposes some new types to be added to that module.
The IDL for CSIv2 also proposes some new types to be added to the the
SECIOP module.
The IDL for CSIv2 is dependent on the SSL module.
Proposed Solution:
1. Move the AssociationOptions type out of the Security Mododule into a
new base security module. (Issue for the security spec) - Make the
Security Module dependent on this base security module.
2. Add new constants to AssociationOptions.
3. Add to this new base module the new types created for CSIv2 and
previosly intended to be added to the security module (with the
exception of the types related to type ScopedName, which will be the
subject of another issue).
4. Move the new SECIOP ComponentId and tag structure for TAG_SECIOP
SEC_TRANS into the CSIIOP module, thus eleiminating the CSIv2 dependence
on the SECIOP module.
5. move the SSLIOP module into the CSIv2 spec. Change the SSLIOP modules
dependency on the security module to a dependency on the new base
security module.
6. Change All references to the SECUIRTY module in modules GSSUP,
SSLIOP. CSI, and CSIIOP to references to the base security module.
7. Modify the GSSUP, CSI, and CSIIOP modules for idempotent inclusion.
Resolution: Close issue with revised text.
Revised Text: The following modifications are presented against document http://cgi.omg.org/pub/csiv2-ftf/csiv2-0117011.pdf.
[1] Move definition of UTFString to CSI, and move
NameValue and ScopedName to GSSUP (for now)
Replace all the IDL definitions at the top of page 16-13,
which are between para 48 & 49 with the following:
typedef CSI::UTF8String NameValue;
struct ScopedName {
NameValue name_scope;
NameValue name_value;
};
// GSSUP::InitialContextToken
struct InitialContextToken {
ScopedName username;
CSI::UTF8String password;
};
[2] Change Reference to TAG_SSL_SEC_TRANS on page 16-29
in para 114 to TAG_TLS_SEC_TRANS.
[3] Change Section Header "TAG_SSL_SEC_TRANS" on page 16-33
above para 126 to "TAG_TLS_SEC_TRANS"
[4] Change all occurrences of TAG_SSL_SEC_TRANS" from para 126
thru para 128, to "TAG_TLS_SEC_TRANS".
[5] Change idl between para 127 & 128 to the following:
const IOP::ComponentId TAG_TLS_SEC_TRANS = 999; // TBA
struct TLS_SEC_TRANS {
AssociationOptions target_supports;
AssociationOptions target_requires;
unsigned short port;
};
[6] Change the IDL between para 130 & 131 to the following:
const IOP::ComponentId TAG_SECIOP_SEC_TRANS = 35;
struct SECIOP_SEC_TRANS {
AssociationOptions target_supports;
AssociationOptions target_requires;
CSI::OID mech_oid;
CSI::GSS_NT_ExportedName target_name;
unsigned short port;
};
[7] Change the IDL between para 132 & 133, removing the
"Security::" module name making the CompoundSecMech
struct have the following definition:
struct CompoundSecMech {
AssociationOptions target_requires;
IOP::TaggedComponent transport_mech;
AS_ContextSec as_context_mech;
SAS_ContextSec sas_context_mech;
};
[8] Change the TAG_SSL_SEC_TRANS to TAG_TLS_SEC_TRANS in
para 133.
[9] Change the IDL between para 138 & 139 to the following:
struct AS_ContextSec{
AssociationOptions target_supports;
AssociationOptions target_requires;
CSI::OID client_authentication_mech;
sequence <CSI::GSS_NT_ExportedName> target_name;
};
[10] In the IDL between para 144 and 145, change the definition
of the SAS_ContextSec struct to the following:
struct SAS_ContextSec{
AssociationOptions target_supports;
AssociationOptions target_requires;
sequence <ServiceConfiguration> privilege_authorities;
CSI::OIDList supported_naming_mechanisms;
};
[11] Change occurrence of TAG_SSL_SEC_TRANS to TAG_TLS_SEC_TRANS
in the code after para 187 and in para 188.
[12] Change occurrence of TAG_SSL_SEC_TRANS to TAG_TLS_SEC_TRANS
in the code after para 189.
[13] Change occurrence of TAG_SSL_SEC_TRANS to TAG_TLS_SEC_TRANS
in the code after para 190.
[14] Change occurrence of TAG_SSL_SEC_TRANS to TAG_TLS_SEC_TRANS
in the code after para 192.
[15] Change occurrence of TAG_SSL_SEC_TRANS to TAG_TLS_SEC_TRANS
in the code after para 193.
[16] Remove Section 16.9.2 Module Security in its entirety.
[17] Remove Section 16.9.3 Module SSLIOP in its entirety.
[18] Remove Section 16.9.4 Module SECIOP in its entirety.
[19] Change IDL of the GSSUP mechanism to the following:
#ifndef _GSSUP_IDL_
#define _GSSUP_IDL_
#include <CSI.idl>
#pragma prefix "omg.org"
module GSSUP {
typedef CSI::UTF8String NameValue;
struct ScopedName {
NameValue name_scope;
NameValue name_value;
};
// The GSS Object Identifier allocated for the username/password mechanism is defined below.
//
// { iso-itu-t (2) international-organization (23) omg (130) security (1)
// authentication (1) gssup-mechanism (1) }
// The following structure defines the inner contents of the username password initial
// context token. This structure is CDR encoded in a sequence of octets and appended
// at the end of the username/password GSS (initial context) Token (see above).
struct InitialContextToken {
ScopedName username;
CSI::UTF8String password;
};
}; // GSSUP
#endif
[20] In Section 16.9.6 Modules CSI, Add the following to the beginning:
#ifndef _CSI_IDL_
#define _CSI_IDL_
#pragma prefix "omg.org"
[21] After "module CSI {" add the following lines of IDL:
// An X509CertificateChain contains an ASN.1 encoded SEQUENCE
// [1..MAX] OF X.509 certificates encapsulated in a sequence
// of octets. The subject's certificate must come first in the
// list. Each following certificate must directly certify the one
// preceding it. The ASN.1 representation of Certificate is
// as defined in [IETF RFC 2459].
typedef sequence <octet> X509CertificateChain;
// an X.501 type name or Distinguished Name encapsulated in a sequence of octets
// containing the ASN.1 encoding.
typedef sequence <octet> X501DistinguishedName;
// UTF-8 Encoding of String
typedef sequence <octet> UTF8String;
// ASN.1 Encoding of an OBJECT IDENTIFIER
typedef sequence <octet> OID;
typedef sequence <OID> OIDList;
// A sequence of octets containing a GSStoken. Initial context tokens are ASN.1
// encoded as defined in [IETF RFC 2743] Section 3.1, "Mechanism-Independent Token
// Format", pp. 81-82. Initial context tokens contain an ASN.1 tag followed by a
// token length, a mechanism identifier, and a mechanism-specific
// token (i.e. a GSSUP::InitialContextToken). The encoding of all other GSS tokens
// (e.g. error tokens and final context tokens) is mechanism dependent.
typedef sequence <octet> GSSToken;
// An encoding of a GSS Mechanism-Independent Exported Name Object as defined in
// [IETF RFC 2743] Section 3.2, "GSS Mechanism-Independent Exported Name Object
// Format," p. 84.
typedef sequence <octet> GSS_NT_ExportedName;
typedef sequence <GSS_NT_ExportedName> GSS_NT_ExportedNameList;
[22] Remove all 6 occurrences of "Security::" in the IDL for the
CSI module.
[23] Add the following line to the end of the CSI module:
#endif
[24] In section 16.9.7 add the following to the beginning:
#ifndef _CSIIOP_IDL_
#define _CSIIOP_IDL_
#include <IOP.idl>
#include <CSI.idl>
#pragma prefix "omg.org"
[25] In section 16.9.7, after the definition of
TAG_CSI_SEC_MECH_LIST add the following IDL:
//
// Association Options
//
typedef unsigned short AssociationOptions;
const AssociationOptions NoProtection = 1;
const AssociationOptions Integrity = 2;
const AssociationOptions Confidentiality = 4;
const AssociationOptions DetectReplay = 8;
const AssociationOptions DetectMisordering = 16;
const AssociationOptions EstablishTrustInTarget = 32;
const AssociationOptions EstablishTrustInClient = 64;
const AssociationOptions NoDelegation = 128;
const AssociationOptions SimpleDelegation = 256;
const AssociationOptions CompositeDelegation = 512;
const AssociationOptions IdentityAssertion = 1024;
const AssociationOptions DelegationByClient = 2048;
[26] In section 16.9.7, Replace all 5 occurrences of
"Security::AssociationOptions" with "AssociationOptions".
These occurrences are in the following definitions:
AS_ContextSec
SAS_ContextSec
CompoundSecMech
Replace all remaining 3 occurrences of "Security::" with "CSI::".
These occurrences are in the following definitions:
AS_ContextSec
SAS_ContextSec
[27] In section 16.9.7, replace the final "};//CSIIOP" with the
following IDL:
const IOP::ComponentId TAG_SECIOP_SEC_TRANS = 35;
struct SECIOP_SEC_TRANS {
AssociationOptions target_supports;
AssociationOptions target_requires;
CSI::OID mech_oid;
CSI::GSS_NT_ExportedName target_name;
unsigned short port;
};
const IOP::ComponentId TAG_TLS_SEC_TRANS = 9999; //TBA
struct TLS_SEC_TRANS {
AssociationOptions target_supports;
AssociationOptions target_requires;
unsigned short port;
};
}; //CSIIOP
#endif
Actions taken:
January 10, 2001: received issue
October 3, 2001: closed issue
Discussion: Elimination of dependencies on the Security, SECIOP, and SSLIOP modules
is generally felt to be a good idea. Move pertinent data definitions from Security,
SECIOP, and SSLIOP into CSI module and CSIIOP module.
Issue 4142: Module suggestions (csiv2-ftf)
Click here for this issue's archive.
Source: Syracuse University (Dr. Polar Humenn, polar(at)adiron.com)
Nature: Uncategorized Issue
Severity:
Summary: In looking at it, I think CSI would make a good "base" module.
Since other modules are only related to CSI, such as CSIIOP and GSSUP, I
see no reason why those two modules cannot depend on CSI.
Define in CSI:
AssociationOptions
GSSToken
GSS_NT_ExportedName
X509CertificateChain
X501DistinguishedName
As part of another issue, change the use of ScopedName in GSSUP to
CSI::GSS_NT_ExportedName.
As yet another issue, is to get rid of the ASN.1 dependance on
X509CertificateChain and X501DistinguishedName and somehow make it
consistent with the PKI spec. Or get rid of them all together, and just
use ExportedName format with proper OIDs.
Resolution: Same as issue 4141
Revised Text: Same as issue 4141
Actions taken:
January 10, 2001: received issue
October 3, 2001: closed issue
Issue 4143: OIDs (csiv2-ftf)
Click here for this issue's archive.
Source: Syracuse University (Dr. Polar Humenn, polar(at)adiron.com)
Nature: Uncategorized Issue
Severity:
Summary: There is a need to define OIDs, at least one for GSSUP. However, an OID is
represented by a sequence of positive integers, encoded as a octet
sequence. The encoding has the property that two encodings are equivalent
if and only if their definitions are equivalent (which is something ASN.1
DER is not particulary good at).
We cannot define a costant in IDL for a sequence of octets. However, I've
seen an number of ASN.1 compilers and it seems that the internal form of
the definition of an OID is a string of natural numbers in base 10
separated by dots. This is a parseable representation, and widely used.
I suggest that we introduce a definition, possibly a type, for and OID
string representation.
module CSI {
//
// An OID String Representation.
// The OID is represented in dot format.
// For example, "2.23.130.1.1.1".
//
typedef string OIDStringRep;
};
module GSSUP {
const OIDStringRep GSSUP_OID_DEF = "2.23.130.1.1.1";
};
This will allow ASN.1 compilers to at least map from this internal string
representation if they don't already do so.
What do you think? If there is consensus, I'll raise an issue, and we can
resolve it.
Resolution: Close issue with revised text.
Revised Text: The following modifications are presented against document http://cgi.omg.org/pub/csiv2-ftf/csiv2-0117011.pdf.
[1] Place the following into module CSI:
// The following type represents the string representation
// of an ASN.1 OBJECT IDENTIFIER (OID). OIDs are represented
// by the string "oid:" followed by the integer base 10
// representation of the OID separated by dots.
// For example, the OID signifying the OMG is represented as:
// "oid:2.23.130"
typedef string StringOID;
[2] In Section 16.9.5 GSSUP replace the comment block starting with "// The
GSS Object Identifier allocated for the username/password ..." with
the following:
// The GSS Object Identifier allocated for the username/password mechanism is defined below.
//
// { iso-itu-t (2) international-organization (23) omg (130) security (1)
// authentication (1) gssup-mechanism (1) }
const CSI::StringOID GSSUPMechOID = "oid:2.23.130.1.1.1";
Actions taken:
January 10, 2001: received issue
Discussion: OIDs are usually expressed in documents and programming tools as base 10 integers separated by dots, such as "2.23.130". It would be good to adopt something similar to this representation so that they can be represented as constants in IDL, as a sequence of octets does not have a constant representation in IDL.
A typedef created to handle this will be:
typedef string StringOID;
We use the term "StringOID" because already have an "OID" type in the CSI module, and in the spirit of the CosNamingExt module, it is analogous to the "Name" and "StringName" types and their definitions.
Issue 4200: Module SSLIOP Does Not Contain Host (csiv2-ftf)
Click here for this issue's archive.
Source: Mansurus LLC (Mr. Donald Flinn, flinn(at)alum.mit.edu)
Nature: Uncategorized Issue
Severity: Critical
Summary: In some situations, e.g. a multi-homed system, there would have to be a profile for each port number supported by SSL. This is inefficient. Adding a String host_name to the struct SSL in the Module SSLIOP would resolve this issue.
Resolution: Close issue with revised text.
Revised Text: Base document:
http://cgi.omg.org/pub/csiv2-ftf/csiv2-031401.pdf
[1] Add Minor Heading Section before TAG_TLS_SEC_TRANS
Transport Address
The TransportAddress structure indicates an INTERNET address
where the TSS is listening for connection requests.
struct TransportAddress {
string host_name;
unsigned short port;
};
typedef sequence <TransportAddress> TransportAddressList;
The host_name field identifies the Internet host to which
connection requests will be made. The host_name field shall
not contain an empty string.
The port field contains the TCP/IP port number (at the specified
host) where the TSS is listening for connection requests. The
port number shall not be zero.
[2] Replace paragraph 130 with the following:
When an instance of the TAG_TLS_SEC_TRANS component occurs in the
transport_mech field of the CompoundSecMech structure, it defines the
sequence of transport addresses that the target will be listening for
SSL/TLS protected invocations. The supported (target_supports) and required
(target_requires) association options defined in the component shall define
the transport level security characteristics of the target at the given
addresses.
[3] Change the IDL for TLS_SEC_TRANS after paragraph 130 to the following:
struct TLS_SEC_TRANS {
AssociationOptions target_supports;
AssociationOptions target_requires;
TransportAddressList addresses;
};
[4] Add the following paragraph following the IDL after paragraph 130:
The addresses field provides a shorthand for defining multiple security
mechanisms that differ only in their transport addresses. The addresses
field shall contain at least one address.
[5] Add the following IDL for TransportAddress 16.9.4 on page 16-65
after the definition of CompoundSecMechList:
struct TransportAddress {
string host_name;
unsigned short port;
};
typedef sequence <TransportAddress> TransportAddressList;
[6] Change the IDL for TLS_SEC_TRANS in section 16.9.4 on page 16-66 to the
following:
struct TLS_SEC_TRANS {
AssociationOptions target_supports;
AssociationOptions target_requires;
TransportAddressList addresses;
};
Actions taken:
February 12, 2001: received issue
October 3, 2001: closed issue
Discussion: We add a minor section describing a TransportAddress structure with wording
close to that of the IIOP profile on page 15-50 of CORBA 2.3. formal/99-10-07.
We also add a typedef for a sequence of these structures. We change the
TLS_SEC_TRANS structure to use a list of these addresses.
Issue 4221: Issue: inconsistent definition of AuthorizationToken (csiv2-ftf)
Click here for this issue's archive.
Source: Oracle (Mr. Ron Monzillo, ronald.monzillo(at)east.sun.com)
Nature: Uncategorized Issue
Severity:
Summary: Document: csiv2-011701
In section 16.2.3
The AuthorizationToken type is defined inconsitently with respect to its
definition in IDL module CSI.
typedef sequence <X509AuthorizationElement> AuthorizationToken;
in module CSI
typedef sequence <AuthorizationElement> AuthorizationToken;
The definition in 16.2.3 should be chnaged to agree with that in the IDL
Resolution: Apply revised text and close issue.
Revised Text: Base Document:
http://cgi.omg.org/pub/csiv2-ftf/csiv2-031401.pdf
[1] In Section 16.2.3 on page 16-14 the definition
of AuthorizationTokenType is changed to the following:
typedef sequence <AuthorizationElement> AuthorizationToken;
Actions taken:
March 13, 2001: received issue
October 3, 2001: closed issue
Issue 4268: How to Partition the ServiceConfiguration syntax space to support vendor sp (csiv2-ftf)
Click here for this issue's archive.
Source: Oracle (Mr. Ron Monzillo, ronald.monzillo(at)east.sun.com)
Nature: Uncategorized Issue
Severity:
Summary: We need to define how the namespace of ServiceConfiguration syntax
identifiers (used in privilege_authorities) is to be partitioned
so that individual vendors have some identifiers reserved for
their use (i.e. the definition of vendor specific syntaxes).
Resolution: Recommend closure with revised text
Revised Text: Base document:
http://cgi.omg.org/pub/csiv2-ftf/csiv2-031401.pdf
[1] Add two new paragraphs following the second half of para 148
(which was split as one result of the resolution to issue 4118).
The high order 20-bits of each ServiceConfigurationSyntax constant
shall contain the Vendor Minor Codeset ID (VMCID) of the
organization that defined the syntax. The low order 12 bits shall
contain the organization-scoped syntax identifier. The high-order 20
bits of all syntaxes defined by the OMG shall contain the VMCID
allocated to the OMG (that is, 0x4F4D0).
Organizations must register their VMCIDs with the OMG before
using them to define a ServiceConfigurationSyntax.
[2] change the defintion of the ServiceConfigurationSyntax type, and
the syntax contants in
a. the IDL following para 147
b. in section 16.9.4 Module CSIIOP
to:
// The high order 20-bits of each ServiceConfigurationSyntax constant
// shall contain the Vendor Minor Codeset ID (VMCID) of the
// organization that defined the syntax. The low order 12 bits shall
// contain the organization-scoped syntax identifier. The high-order 20
// bits of all syntaxes defined by the OMG shall contain the VMCID
// allocated to the OMG (that is, 0x4F4D0).
typedef unsigned long ServiceConfigurationSyntax;
// The OMG VMCID; same value as CORBA::OMGVMCID. Do not change ever.
const unsigned long OMGVMCID = 0x4F4D0;
const ServiceConfigurationSyntax SCS_GeneralNames = OMGVMCID | 0;
const ServiceConfigurationSyntax SCS_GSSExportedName = OMGVMCID | 1;
Actions taken:
April 11, 2001: received issue
October 3, 2001: closed issue
Discussion: How to Partition the ServiceConfiguration syntax space to support vendor specific extensions
Issue 4277: New minor codes for NO_PERMISSION Exception in CSIv2 (csiv2-ftf)
Click here for this issue's archive.
Source: International Business Machines (Dr. Daniel T. Chang, dtchang(at)us.ibm.com)
Nature: Uncategorized Issue
Severity:
Summary: Don,
>
> Although the minor codes of the NO_PERMISSION exception have been defined
> in Table 4-7, Section 4.5, of the 7/21/2000 version of the CSIv2
> Specification, in order
> for the server to properly communicate the caused of the NO_PERMISSION
> exception
> to the client, we would like to propose the additional minor codes to the
> NO_PERMISSION
> exception.
>
> ***********************************************************************
> NO_PERMISSION authentication error minor codes: range 1-100
> (Note: The following minor codes are defined in the current CSIv2 spec:
>
> 1 - Invalid evidence
> 2 - Invalid mechanism
> 3 - Conflicting evidence
> 4- No Context
> )
> The new proposed minor codes for NO_PERMISSION exception: The numbering
> scheme was chosen to group errors into areas of
> similarity.
>
> 5 - user id not defined to security system - the user may select another
> userid
> 6 - user id revoked by security system - the user may select
> another userid
>
> 11 - password invalid for this userid - the user may correct the password
> 12 - password expired - the user may select another userid
>
> 20 - credentials expired - the user may select different credentials or
> renew them(e.g. by reissuing kinit)
> 22 - credentials invalid - the user may select different
> credentials, (e.g.
> by kinit, or specifying a different PKCS certificate handle)
>
> 52 - new password doesn't meet installation requirements
>
> 60 - general authentication error - the user should resubmit his
> credentials, but not additional information as to what is in error is
> provided.
> ******
Resolution: Close issue with revised text.
Revised Text: Base document:
http://cgi.omg.org/pub/csiv2-ftf/csiv2-031401.pdf
[1] In para 21, change the bullet about error_token to the following
* error_token
A GSS mechanism-specific error token. When an EstablishContext message is
rejected because it contains a client_authentication_token (a GSS initial
context token) that is invalidated by the TSS, then depending on the mechanism,
the TSS may return a CDR encapsulation of a mechanism-specific GSS error token
in this field. Not all GSS mechanisms produce error tokens in response to
initial context token validation failures.
[2] Add a new section after para 49 GSSUP Mechanism-Specific Error Token
The GSSUP mechanism-specific error token contains a GSSUP
fatal error code.
typedef unsigned long ErrorCode;
// GSSUP Mechanism-Specific Error Token
struct ErrorToken {
ErrorCode error_code;
};
The following fatal error codes are defined by the GSSUP mechanism:
// the context validator has chosen not to reveal
// the GSSUP specific cause of the failure.
const ErrorCode GSS_UP_S_G_UNSPECIFIED = 1;
// the user identified in the username field of
// the GSSUP::InitialContextToken is unknown to the target
const ErrorCode GSS_UP_S_G_NOUSER = 2;
// the password supplied in the GSSUP::InitialContextToken
// was incorrect
const ErrorCode GSS_UP_S_G_BAD_PASSWORD = 3;
// the target_name supplied in the GSSUP::InitialContextToken
// does not match a target_name in a mechanism definition of
// the target
const ErrorCode GSS_UP_S_G_BAD_TARGET = 4;
A TSS is under no obligation to return a GSSUP error token; however, returning
this token may facilitate the transition of the client-side GSS state machine
through error processing. Accordingly, a TSS may indicate that SAS context
validation failed in GSSUP client authentication by returning a GSSUP error
token in a SAS ContextError message. In this case, a TSS that choses not to
reveal specific information as to the cause of the failed GSSUP authentication
shall return a status value of GSS_UP_S_G_UNSPECIFIED.
[3] change table 16-9 in section 16.3.5 ContextError Values and
Exceptions as follows (ignoring the first and last columns which will
remain unchanged).
Event Semantic Major Minor
accept_context returned failure Invalid evidence 1 1
Invalid mechanism 2 1
Conflicting evidence 3 1
reference_context (N) returned false No Context 4 1
[4] Add the following IDL to section 16.9.2 Module GSSUP -
Username/Password GSSAPI Token Formats
typedef unsigned long ErrorCode;
// the context validator has chosen not to reveal
// the GSSUP specific cause of the failure.
const ErrorCode GSS_UP_S_G_UNSPECIFIED = 1;
// the user identified in the username field of
// the GSSUP::InitialContextToken is unknown to the target
const ErrorCode GSS_UP_S_G_NOUSER = 2;
// the password supplied in the GSSUP::InitialContextToken
// was incorrect
const ErrorCode GSS_UP_S_G_BAD_PASSWORD = 3;
// the target_name supplied in the GSSUP::InitialContextToken
// does not match a target_name in a mechanism definition of
// the target
const ErrorCode GSS_UP_S_G_BAD_TARGET = 4;
// GSSUP Mechanism-Specific Error Token
struct ErrorToken {
ErrorCode error_code;
};
Actions taken:
April 18, 2001: received issue
October 3, 2001: closed issue
Discussion: CSIv2 will not define a new exception minor code. The CSIv2 ContextError codes
will be modified to support future inclusion of additional and optional error
codes in the point-to-point, wire-level exchange between TSS and CSS. An error
token and minor status codes will be defined for the GSSUP mechanism.
Communicating error status from the CSS to the client app, will be defined in
the context of APIs (that is, above the wire-level interoperability defined by
the current specification).
Issue 4281: No Tokens in EstablishContext Message (csiv2-ftf)
Click here for this issue's archive.
Source: Oracle (Mr. Ron Monzillo, ronald.monzillo(at)east.sun.com)
Nature: Uncategorized Issue
Severity:
Summary: The spec doesn't say whether or not an EstablishContext with none
of cleint authentication, identity, or authorization token is
legitimate.
I don't think we need the ability to send such mecahnisms (for
unprotected requests), as we would just send the request without a CSIv2
service context element. The only down side I can see, to writing this
empt EstbalishContext out of spec, would be that a client could not use
it to get feedback from a TSS in the form of CompleteEstablishContext,
indicating that the TSS supports CSIv2.
We must indicate that this is either an invalid msg, or state that it
must be supported (and what it's semantics should be).
Resolution: close issue with no change
Revised Text:
Actions taken:
April 24, 2001: received issue
October 3, 2001: closed issue
Discussion: Table 16-4 includes entries which correspond to empty EstablishContext
messages, so I now believe that we have adequately defined the semantics of
such messages. In retrospect, what is missing from the spec, is the protocol
behavior when CSIv2 is used without SAS. I have created a new issue (with
proposed resolution) to address that issue.
Issue 4282: Inability to specify per method target security requirements (csiv2-ftf)
Click here for this issue's archive.
Source: Oracle (Mr. Ron Monzillo, ronald.monzillo(at)east.sun.com)
Nature: Uncategorized Issue
Severity:
Summary: The CSIv2 mechanism definition schema, soes not provide a way to
associate mechanisms with subsets of the methods of an object.
Discussion
EJB method-permissions may be associated with subsets of methods, such
that a class of EJB objects may have some protected and some unprotected
methods. Where by protection I mean, the caller must be authenticated
and be in a authorized role, to access the method. Some methods of an
EJB may be available to unauthenticated callers, while others may limit
access to only specific authenticated callers.
Given a mixed protection object, how would one define its IOR such that
it could be affectively accessed by its clients without
1. eliminating unauthenticated access to the object
that is, mark the target as authentication required
2. causing unnecessary authentications and usurping the
clients perogative to only authenticate when it is required to or
chooses to.
that is, mark the target as authentication supported and tell the
client to authenticate if it can
3. causing failed attempts because the client does not know that
the target requires authentication
that is, mark the target as authentication supported and let the
client authenticate if it wants to
Would it be appropriate to add information to the IOR, that indicates
that whether the object will check permissions, such that a client
normally operating in mode 3, would know when it would probably do
better in mode 2?
Should a CSIv2 IOR which principally defines (authentication and msg
protection mechanisms) carry additional information about the
authorization policy of the object? There is obviously some precedent
for doing so in the privilege authorities field.
Resolution: Close issue with no change as this does not apply to CSIv2
Revised Text:
Actions taken:
April 24, 2001: received issue
October 3, 2001: closed issue
Issue 4293: CSIv2 Issue: SECIOP does not have multiple addresses. (csiv2-ftf)
Click here for this issue's archive.
Source: Adiron, LLC (Mr. Polar Humenn, polar(at)adiron.com)
Nature: Uncategorized Issue
Severity:
Summary: This issue is the exactly the same issue as issue 4200, which
is for TLS (SSL) transport addresses. It notes that the
component for a SECIOP transport needs to support multiple
addresses.
The recommended solutioin to this issue is to adopt the analogous
resolution to the 4200 issue.
Resolution: Close issue with revised text.
Revised Text: Base document:
http://cgi.omg.org/pub/csiv2-ftf/csiv2-031401.pdf
[1] Add Minor Heading Section before TAG_TLS_SEC_TRANS
Transport Address
The TransportAddress structure indicates an INTERNET address
where the TSS is listening for connection requests.
struct TransportAddress {
string host_name;
unsigned short port;
};
typedef sequence <TransportAddress> TransportAddressList;
The host_name field identifies the Internet host to which
connection requests will be made. The host_name field shall
not contain an empty string.
The port field contains the TCP/IP port number (at the specified
host) where the TSS is listening for connection requests. The
port number shall not be zero.
[2] Replace paragraph 133 with the following:
The SECIOP_SEC_TRANS structure defines the transport addresses for SECIOP
messages, the association options pertaining to the particular GSS
mechanism being supported, the GSS mechanism identifier, and the target's
GSS exported name.
[3] Change the IDL for SECIOP_SEC_TRANS after paragraph 133 to the following:
struct SECIOP_SEC_TRANS {
AssociationOptions target_supports;
AssociationOptions target_requires;
CSI::OID mech_oid;
CSI::GSS_NT_ExportedName target_name;
TransportAddressList addresses;
};
[4] Add the following paragraph following the IDL after paragraph 133:
The addresses field provides a shorthand for defining multiple security
mechanisms that differ only in their transport addresses. The addresses
field shall contain at least one address.
[5] Add the following IDL for TransportAddress 16.9.4 on page 16-65
after the definition of CompoundSecMechList:
struct TransportAddress {
string host_name;
unsigned short port;
};
typedef sequence <TransportAddress> TransportAddressList;
[6] Change the IDL for SECIOP_SEC_TRANS in section 16.9.4 on page 16-65 to the
following:
struct SECIOP_SEC_TRANS {
AssociationOptions target_supports;
AssociationOptions target_requires;
CSI::OID mech_oid;
CSI::GSS_NT_ExportedName target_name;
TransportAddressList addresses;
};
Actions taken:
May 3, 2001: received issue
October 3, 2001: closed issue
Discussion: We add a minor section describing a TransportAddress structure with wording
close to that of the IIOP profile on page 15-50 of CORBA 2.3. formal/99-10-07.
We also add a typedef for a sequence of these structures. We change the
SECIOP_SEC_TRANS structure to use a list of these addresses.
Issue 4308: The encoding of GSSUP ICT's is not clearly specified (csiv2-ftf)
Click here for this issue's archive.
Source: Oracle (Mr. Ron Monzillo, ronald.monzillo(at)east.sun.com)
Nature: Uncategorized Issue
Severity:
Summary: Document: http://cgi.omg.org/pub/csiv2-ftf/csiv2-031401.pdf
Isuse: The encoding of GSSUP ICT's is not clearly specified
Para 48 states:
[48] The format of a GSSUP initial context token shall be as defined in
[IETF RFC 2743]
Section 3.1, “Mechanism-Independent Token Format,” pp. 81-82. This
GSSToken shall
contain an ASN.1 tag followed by a token length, an authentication
mechanism
identifier, and a CDR encoded sequence of octets corresponding to a
GSSUP inner
context token as defined by the type GSSUP::InitialContextToken in
Section 16.9.2,
“Module GSSUP - Username/Password GSSAPI Token Formats,” on page 16-59
(and
repeated below).
and section
16.9.2 Module GSSUP - Username/Password GSSAPI Token Formats
states
// The following structure defines the inner contents of the username
// password initial context token. This structure is CDR encoded in a
// sequence of octets and appended at the end of the username/password
// GSS (initial context) Token.
struct InitialContextToken {
CSI::UTF8String username;
CSI::UTF8String password;
CSI::GSS_NT_ExportedName target_name;
};
Proposed Resolution:
Change para 148 to the following:
[48] The format of a GSSUP initial context token shall be as defined in
[IETF RFC 2743]
Section 3.1, “Mechanism-Independent Token Format,” pp. 81-82. This
GSSToken shall
contain an ASN.1 tag followed by a token length, an authentication
mechanism
identifier, and an encapsulation octet stream containing a CDR encoded
GSSUP inner
context token as defined by the type GSSUP::InitialContextToken in
Section 16.9.2,
“Module GSSUP - Username/Password GSSAPI Token Formats,” on page 16-59
(and
repeated below).
change the relevant comment in
16.9.2 Module GSSUP - Username/Password GSSAPI Token Formats
to the following
// The following structure defines the inner contents of the username
// password initial context token. This structure is CDR encoded in an
// encapsulation octet stream and appended at the end of the
username/password
// GSS (initial context) Token.
Resolution: Close issue with revised text.
Revised Text: [1] Change the description of an initial context token in para 48 to
The format of a GSSUP initial context token shall be as defined in [IETF RFC
2743] Section 3.1, "Mechanism-Independent Token Format," pp. 81-82.
This GSSToken shall contain an ASN.1 tag followed by a token length, an
authentication mechanism identifier, and a CDR encapsulation containing a
GSSUP inner context token as defined by the type GSSUP::InitialContextToken in
Section 16.9.2, "Module GSSUP - Username/Password GSSAPI Token
Formats," on page 16-59 (and repeated below).
[2] Change the description of a GSSUP ICT in module 16.9.2 to
// The following structure defines the inner contents of the username
// password initial context token. This structure is CDR encapsulated
// and appended at the end of the username/password GSS (initial
// context) Token.
[3] Add a new paragraph after para 49.
The format of the name passed in the username field depends on the
authentication domain. If the mechanism identifier of the target domain is
GSSUP, then the format of the username shall be a Scoped-Username (with
name_value) as defined in section 16.2.5, Scoped-Username GSS Name Form.
Actions taken:
May 15, 2001: received issue
October 3, 2001: closed issue
Issue 4326: CSIv2 TSS state machine lacks states to enforce target policy for (csiv2-ftf)
Click here for this issue's archive.
Source: Oracle (Mr. Ron Monzillo, ronald.monzillo(at)east.sun.com)
Nature: Uncategorized Issue
Severity:
Summary: While in state "Waiting for Request", The TSS state machine will accept
an unprotected request, without consideration of the target CSIv2
security policy.
Also the specification does not describe what is supposed to happen when
a target's mechanism definitions/policy requires SAS (i.e. client
authentication) and the CSS does not send an EC.
Resolution: Close issue with revised text.
Revised Text: Base document:
http://cgi.omg.org/pub/csiv2-ftf/csiv2-031401.pdf
[1] modify the TSS state table
Change event "receive unprotected request" in state Waiting for
Request to "receive request without SAS message"
Change action when in state Waiting for Request, and event is "receive
request without SAS message" to accept_transport_context() with no
arguments.
Change new state when in state Waiting for Request, and event is
"receive request without SAS message" to Verify Transport Context.
Create new state, "Verify Transport Context" and add it to the TSS
table.
In state "Verify Transport Context", if event is
"accept_transport_context() returned success", action shall be
"process request", and new state shall be "Send Only
Reply".
In state "Verify Transport Context", if event is
"accept_transport_context() returned failure", action shall be
"send exception (NO_PERMISSION)", and new state shall be
"Waiting for Request".
Increment state numbers of all states following Send Only Reply, to accomodate
insertion of new state, Verify Transport Context".
For the corrected TSS state machine see the attachment, fix-tss-protocol.PDF
The TSS state diagram will be changed to agree with the state table.
The corrected CSS state machine is also available at:
Revised TSS State Machine
[2] in para 108, add a description of accept_transport_context (after accept_context).
o accept_transport_context()
This action validates that a request that arrives without a SAS protocol
message (i.e. EstablishContext or MessageInContext) satisfies the CSIv2
security requirements of the target object. This routine returns true if the
transport layer security context (including none) over which the request was
delivered satisfies the security requirements of the target object. Otherwise,
accept_transport_context returns false. When accept_transport_context returns
FALSE, the TSS shall reject the request and send a NO_PERMISSION seception.
[3] Modify the CSS state table
In state "Waiting for Context" and a new event
"get_context_element returned NULL" with action "send
request" and new State "Wait for Reply"
For the corrected CSS state machine see the attachment, fix-css-protocol.PDF
The CSS state diagram will be changed to agree with the state table.
The corrected CSS state machine is also available at:
Revised CSS State Machine
[4] In para 113 extend the description of get_context_element to
describe the circumstances under which this routine may return a NULL
SAS protocol context elememt.
get_context_element(c, policy, creds, mech, Out element)
In the scope of connection c, use the client creds to obtain a SAS
protocol context element that satisfies the client policy and the target
policy in the mechanism. If the CSS supports reusable contexts, and the
client policy is to establish a reusable context, the CSS allocates a
client_context_id, and initializes a context element in the context
table of the connection. A NULL context element may be returned by
get_context_element when the target mechanism definition either does not
support or require SAS layer security functionality, and the client
establishes a policy not to use such functionality unless required to do so.
[5] Modify table 16-4 to reintroduce the two rows that descibe CSIv2
invocations where all the security functionality is performed in the
transport. Move column 1, to follow 3, and then introduce two new rows
as follows:
Row 13. Transport Client Principal = none
Staddle SAS Client Authentication principal and SAS identity Token
Identity and fill combined cell with "No SAS Message"
Client Principal is trusted = Not Applicable
Invocation Principal = Anonymous
Scenario = Unathenticated
Row 14. Transport client Principal = P2
Staddle SAS Client Authentication principal and SAS identity Token
Identity and fill combined cell with "No SAS Message"
Client Principal is trusted = Not Applicable
Invocation Principal = P2
Scenario = client authentication
For consistency make the same change to the columns in tables 16-3, and
16-5, without adding any new rows.
The corrected principal interpretation tables are contained in the third
attachment: request-principal-tables.PDF and at
Revised Principal Interpretation Tables
Actions Taken:
Actions taken:
May 30, 2001: received issue
October 3, 2001: closed issue
Issue 4327: clarification of csiv2 stateful conformance requirements (csiv2-ftf)
Click here for this issue's archive.
Source: Oracle (Mr. Ron Monzillo, ronald.monzillo(at)east.sun.com)
Nature: Uncategorized Issue
Severity:
Summary: The specification is currently weak on its description of what must
be done by a TSS with respect to designating a "stateful" value in its
IOR's, and in defining under what circumstances a TSS may claim stateful
conformance. In particular, the spec does not currently state whether or
not a TSS must be stateful for all of its mechanism definitions, at all
of its target objects in order to claim stateful conformance. The
following paragraphs should be included to clarify these two issues.
Resolution: Close issue with revised text
Revised Text: Base document:
http://cgi.omg.org/pub/csiv2-ftf/csiv2-031401.pdf
[1] Add the following new para after para 140,
A TSS shall set the stateful bit to FALSE in the CompoundSecMechList
structure of IORs corresponding to target objects at which it will
not accept reusable security contexts.
Actions Taken:
Actions taken:
May 30, 2001: received issue
October 3, 2001: closed issue
Discussion: the thing that is missing in the doc, is that we do not currently
have anything that says a TSS is required to set the stateful bit.
[99] A TSS that supports stateful contexts may negotiate a request to
establish a stateful context to a stateless context in order to preserve
resources. It may do so only if it does not already have an established
matching stateful context.
[100] Conversely, a stateful TSS that has negotiated a request to
stateless may respond statefully to a subsequent context with the same
(non-zero) client_context_id.
We have a description of what the bit means (in para 140) which focuses
on what a TRUE value means. Perhaps you are saying that we need a
description of what a FALSE value means. My sense is that the FALSE
semantics are clear enough.
[140] A value of TRUE in the stateful field of the CompoundSecMechList
structure indicates that the target supports the establishment of
stateful or reusable SAS contexts. This field is provided to assist
clients in their selection of a target that supports stateful contexts.
It is also provided to sustain implementations that serialize stateful
context establishment on the client side as a means to conserve precious
server-side authentication capacity.10
10.This serialization is only done when an attempt is being made to
establish a stateful context.
The last part of 140 says that if the stateful bit is true, some CSS
implementations will not send multiple concurrent requests to establish
the same stateful context. This design changes the multithreaded nature
of the client app (for the round-trip time of one request) in exchange
for not wasting the resources of the TSS. What it really says is that
the serialization is acceptable if it only occurs when the bit is true,
as one way or another, multiple requests should be serialized until the
stateful context is established. In one design the serialization happens
at the CSS, and in the other (if it occurs, it is done) at the TSS. This
hint, was strongly argued for, because without it CSS side serialization
would be at a disadvantage because it would happen in too many cases
where it could come to no benefit.
We have decided to let the (stateful) conformance statements stand as
they are written.
Resolution:
Issue 4330: How to Partition the AuthorizationElementType regarding vendor extensions (csiv2-ftf)
Click here for this issue's archive.
Source: Oracle (Mr. Ron Monzillo, ronald.monzillo(at)east.sun.com)
Nature: Uncategorized Issue
Severity:
Summary: We should define how the namespace of AuthorizationElementType
identifiers (used in authorization tokens) is to be partitioned
so that individual vendors have some identifiers reserved for
their use (i.e. the definition of vendor specific type identifiers).
Resolution: Close issue with revised text.
Revised Text: base document: http://cgi.omg.org/pub/csiv2-ftf/csiv2-031401.pdf
[1] add the definition of the OMG VMCID constant to section 16.9.3 Module CSI
(Note that this change was also proposed as part of the resolution to issue 4268).
// The OMG VMCID; same value as CORBA::OMGVMCID. Do not change ever.
const unsigned long OMGVMCID = 0x4F4D0;
[2] Add two new paragraphs following para 32.
The high order 20-bits of each AuthorizationElementType constant
shall contain the Vendor Minor Codeset ID (VMCID) of the
organization that defined the element type. The low order 12 bits
shall contain the organization-scoped element type identifier. The
high-order 20 bits of all element types defined by the OMG shall
contain the VMCID allocated to the OMG (that is, 0x4F4D0).
Organizations must register their VMCIDs with the OMG before
using them to define an AuthorizationElementType.
[3] Add the following comment in front of the definition of the
AuthorizationElementType in section 16.9.3 Module CSI
// The high order 20-bits of each AuthorizationElementType constant
// shall contain the Vendor Minor Codeset ID (VMCID) of the
// organization that defined the element type. The low order 12 bits
// shall contain the organization-scoped element type identifier. The
// high-order 20 bits of all element types defined by the OMG shall
// contain the VMCID allocated to the OMG (that is, 0x4F4D0).
[4] change the defintion of the X509AttributeCertChain constant in
a. the IDL following para 32
b. in section 16.9.3 Module CSI
to:
const AuthorizationElementType X509AttributeCertChain = OMGVMCID | 1;
[5] remove the definition of the ORGVMCID constant and accompanying
comment from:
a. the IDL following para 147 (what was the first para following the
heading struct SAS_ContextSec)
b. section 16.9.4 Module CSIIOP
that is, remove the following:
// The OMG VMCID; same value as CORBA::OMGVMCID. Do not change ever.
const unsigned long OMGVMCID = 0x4F4D0;
[6] change the defintion of the ServiceConfigurationSyntax constants in
a. the IDL following para 147 (what was the first para following the
heading struct SAS_ContextSec)
b. in section 16.9.4 Module CSIIOP
to:
const ServiceConfigurationSyntax SCS_GeneralNames = CSI::OMGVMCID | 0;
const ServiceConfigurationSyntax SCS_GSSExportedName = CSI::OMGVMCID | 1;
Actions taken:
June 1, 2001: received issue
October 3, 2001: closed issue
Discussion: The resolution to Issue 4268 (How to Partition the ServiceConfiguration syntax
space to support vendor specific extensions) should be applied to the
AuthorizationElementType identifier.
This resolution also corrects an error in the resolution to issue 4268 as
described in items 5 and 6. It consists mainly of declaring the OMGVMCID
constant in the CSI module instead of in the CSIIOP module as was originally
done in the resolution for 4268.