Issues for Common Secure Interoperability Version 2 RTF mailing list
To comment on any of these issues, send email to [email protected]. (Please include the issue number in the Subject: header, thusly: [Issue ###].) To submit a new issue, send email to [email protected].
List of issues (green=resolved, yellow=pending Board vote, red=unresolved)
Issue 3906: CSIv2 Protocol Jira Issue CSIV2-1
Issue 3922: GSSUP Names are inconsistent other security mechanisms. Jira Issue CSIV2-2
Issue 3932: Service ID missing Jira Issue CSIV2-3
Issue 3948: GSSUP names are incompatible with the Identity Token Jira Issue CSIV2-4
Issue 3972: Format of GSSUP GSS exported name object undefined Jira Issue CSIV2-5
Issue 3973: inconsistent definition of target_name field Jira Issue CSIV2-6
Issue 3974: CSIv2 IOR Tagged component Identifier values Jira Issue CSIV2-7
Issue 3975: INVALID recommended cipher suites Jira Issue CSIV2-8
Issue 4118: Multiple Privilege Authorities and Supported Naming Types Jira Issue CSIV2-9
Issue 4141: ISL changes to break dependency on Security and SECIOP modules Jira Issue CSIV2-10
Issue 4142: Module suggestions Jira Issue CSIV2-11
Issue 4143: OIDs Jira Issue CSIV2-12
Issue 4200: Module SSLIOP Does Not Contain Host Jira Issue CSIV2-13
Issue 4221: Issue: inconsistent definition of AuthorizationToken Jira Issue CSIV2-14
Issue 4268: How to Partition the ServiceConfiguration syntax space to support vendor sp Jira Issue CSIV2-15
Issue 4277: New minor codes for NO_PERMISSION Exception in CSIv2 Jira Issue CSIV2-16
Issue 4281: No Tokens in EstablishContext Message Jira Issue CSIV2-17
Issue 4282: Inability to specify per method target security requirements Jira Issue CSIV2-18
Issue 4293: CSIv2 Issue: SECIOP does not have multiple addresses. Jira Issue CSIV2-19
Issue 4308: The encoding of GSSUP ICT's is not clearly specified Jira Issue CSIV2-20
Issue 4326: CSIv2 TSS state machine lacks states to enforce target policy for Jira Issue CSIV2-21
Issue 4327: clarification of csiv2 stateful conformance requirements Jira Issue CSIV2-22
Issue 4330: How to Partition the AuthorizationElementType regarding vendor extensions Jira Issue CSIV2-23
Issue 3906: CSIv2 Protocol (csiv2-ftf)
Click here for this issue's archive.
Source: Syracuse University (Dr. Polar Humenn, polar(at)adiron.com)
Nature: Uncategorized Issue
Severity:
Summary:
ssue on Document orbos/2000-08-04, CSIv2 Joint Submission: Document: orbos/2000-08-04 CSIv2 Joint Submmission Subject: Protocol and IOR incompatabilities for Identity Assertion Severity: Critical Summary: The CSIv2 protocol is too vague on acceptance of identity tokens. This yeilds an uneeded and unwarranted complexity in implemenations. Vague protocols are not a good idea. It limits interoperability. Discussion: In the IOR, the CSIv2 protocol states a list of OIDs signifying the acceptable forms of an IdentityToken delivered by the client. This list of acceptable name forms is stated only to apply to GSS_NT_ExportedName types. There are no OIDs signifying that an X.501 DN or X.509 Public Key Certificate are acceptable. It seems that the specification is written so that both X.501 DNs and X.509 Certificate chains are always acceptable. This requirement would cause all clients to send only X.501 DNs or X.509 Certificate Chains, regardless of the server listing its acceptable name types. Also, there is no indication of which of an X.501 DN or X.509 Public Key Certificate Chain is desirable. This is vague. It is completely unwarranted to tell all CSI mechanisms that they must support X.509 DNs or X.509 Certificate chains. These name forms may not be relevant to the mechanism at all. The mechanism may not support public key technology, have facility for verification of certificates, may not be able to parse X.501 DNs or X.509 Certificate Chains, and further more, but not least, the security mechanism may not know what to do with it. One example, might be an TCPIP CSI mechanism that only wants to accept Kerberos principal names, Unix user names, or NT user names. DNs or Certificate Chains are irrelevant. With that in mind, a client should not be allowed to send the server an X.509 certificate chain or an X.501 DN at it. Those name forms are not acceptable to the server. The easiest way around this problem is to allocated OIDs under the OMG OID that signify the acceptance of each of the X.509 DNs and X.509 Public Key Certificate chains. Servers that accept X.501 DNs and X.509 Public Key Certificate chains for identity assertion shall list the appropriate OIDs in the IOR.
Resolution: Apply revised text and close issue
Revised Text: Base document: http://cgi.omg.org/pub/csiv2-ftf/csiv2-031401.pdf [1] Replace the paragraph 53, which starts with "A target that supports identity assertion shall ...", with the following: When a TSS rejects a request because it carries an identity token constructed using an identity type or naming mechanism that is not supported by the target, the TSS shall return a ContextError service context element containing major and minor status codes indicating the mechanism was invalid. [2] In the CSI Module page 16-61, change the last two of the IdentityTokenType constants, such that they are powers of 2, for use in a bitmap. Also, change its type definition to an unsigned long and add the comment as follows: typedef unsigned long IdentityTokenType; // Additional standard identity token types shall only be defined by the // OMG. All IdentityTokenType constants shall be a power of 2. const IdentityTokenType ITTAbsent = 0; const IdentityTokenType ITTAnonymous = 1; const IdentityTokenType ITTPrincipalName = 2; const IdentityTokenType ITTX509CertChain = 4; const IdentityTokenType ITTDistinguishedName = 8; [3] On page 16-46 and in the CSIIOP module IDL section on page 16-65, add a new field called "supported_identity_types" to the SAS_ContextSec structure, such that it is defined as follows: struct SAS_ContextSec{ AssociationOptions target_supports; AssociationOptions target_requires; sequence <ServiceConfiguration> privilege_authorities; CSI::OIDList supported_naming_mechanisms; CSI::IdentityTokenType supported_identity_types; }; [4] Replace para 149 with the following: (the section reference is actually a cross reference, in which case it may change in detail based on other changes to the document). The supported_naming_mechanisms field shall contain a list of 0 or more GSS mechanism OIDs. A TSS shall set the value of this field to contain the GSS mechanism OIDs for which the target supports identity assertions using an identity token of type ITTPrincipalName. The Identity token types are defined in Section 16.2.5, "Identity Token Format," on page 16-17. [5] Add the following new paragraphs after the new para 149: The value of the supported_identity_types field shall be the bitmapped representation of the set of identity token types for which the target supports. The target always supports ITTAbsent. The value in supported_identity_types shall be non-zero if and only if the IdentityAssertion bit is non-zero in target_supports. The bit corresponding to the ITTPrincipalName identity token type shall be non-zero in supported_identity_types if and only if the value in supported_naming_mechanisms contains at least one element. [6] In section 16.9.3 (the CSI module idl) add the IdentityExtension typedef and add a default selector to the IdentityTokenType union as follows: typedef sequence <octet> IdentityExtension; union IdentityToken switch ( IdentityTokenType ) { case ITTAbsent: boolean absent; case ITTAnonymous: boolean anonymous; case ITTPrincipalName: GSS_NT_ExportedName principal_name; case ITTX509CertChain: X509CertificateChain certificate_chain; case ITTDistinguishedName: X501DistinguishedName dn; default: IdentityExtension id; }; [7] after paragraph 50 add the following new paragraphs: In addition to the identity token types described in the following table, the IdentityTokenType as defined in Section 16.9.3, "Module CSI - Common Secure Interoperability," provides for the definition of additional CSIv2 identity token types through the default selector of the IdentityToken union type. Additional standard identity token types shall only be defined by the OMG. All IdentityTokenType constants shall be a power of 2.
Actions taken:
September 20, 2000: received issue
October 3, 2001: closed issue
Issue 3922: GSSUP Names are inconsistent other security mechanisms. (csiv2-ftf)
Click here for this issue's archive.
Source: Syracuse University (Dr. Polar Humenn, polar(at)adiron.com)
Nature: Uncategorized Issue
Severity: Minor
Summary: Document: orbos/2000-08-04 CSIv2 Joint Submission Subject: GSSUP Names are inconsistent other security mechanisms. Severity: Medium Summary: The names supplied in the InitialContextToken for the UserName password scheme invents a name type called a Security::ScopedName. This is just yet another name type that must be dealt with and is completely inconsistent with anything else used for names. The contents of the scope and the name are underspecified. Discussion: The structure should allow for all forms of name types. The easiest way to do accomplish consistency is to use a GSS exported Name type. struct InitialContextToken { Security::GSS_NT_ExportedName username; Security::UTF8String password; }; That way a password database can even store names that are DN's, X509GeneneralNames, Kerberos Names, NT Usernames, etc.
Resolution: Close issue with revised text
Revised Text: The following modifications are presented against document http://cgi.omg.org/pub/csiv2-ftf/csiv2-0117011.pdf. with the assumption that the resolution of Issue 4141 has been applied. (Moving GSS_NT_ExportedName from Security to CSI). [1] Change the IDL between paragraphs 48 and 49 to the following: // GSSUP::InitialContextToken struct InitialContextToken { CSI::UTF8String username; CSI::UTF8String password; CSI::GSS_NT_ExportedName target_name; }; [2] Replace paragraph 49 with the following. The target_name field of the GSSUP::InitialContextToken contains the name of the authentication domain in which the client is authenticating. This field aids the TSS in processing the authentication should the TSS support several authentication domains. A CSS shall fill the target_name field of the GSSUP::InitialContextToken with the contents of the target_name field of the CSIIOP::AS_ContextSec structure of the chosen CSI mechanism. [3] In Section 16.9.5, Module GSSUP change the definition InitialContextToken to the following: struct InitialContextToken { CSI::UTF8String username; CSI::UTF8String password; CSI::GSS_NT_ExportedName target_name; }; [4] In Section 16.9.5, Remove all extraneous definitons from the GSSUP module. Resolution to Issue 4141 introduces NameValue and ScopedName to the GSSUP module, which were moved from the Security Module.
Actions taken:
September 28, 2000: received issue
October 3, 2001: closed issue
Issue 3932: Service ID missing (csiv2-ftf)
Click here for this issue's archive.
Source: Oracle (Mr. Ron Monzillo, ronald.monzillo(at)east.sun.com)
Nature: Uncategorized Issue
Severity:
Summary: CSIV2 service context element, SecurityAttributeService, must be assigned a service id. Description: const ServiceId SecurityAttributeService = xx; A numerical value must be reserved within the OMG service id space to identify CSIv2 service context elements. The value will replace the temporary value ("xx") appearing in the submission. Discussion: Proposed Solution: const ServiceId SecurityAttributeService = 15;
Resolution: No action needed from the FTF, purely administrative
Revised Text:
Actions taken:
October 3, 2000: received issue
October 3, 2001: closed issue
Issue 3948: GSSUP names are incompatible with the Identity Token (csiv2-ftf)
Click here for this issue's archive.
Source: Syracuse University (Dr. Polar Humenn, polar(at)adiron.com)
Nature: Uncategorized Issue
Severity: Critical
Summary: The name type used in the GSSUP mechanism for Client Authentication over the transport name type is not convertible to anything used by the Identity Token. This situation becomes a problem when on the server side where you need to quote, (i.e. identity assert) the client's authenticated identity to another CSIv2 CORBA outcall on behalf of the client.
Resolution: Close issue as duplicate of 3922
Revised Text:
Actions taken:
October 13, 2000: received issue
October 3, 2001: closed issue
Discussion: The solution is to change the GSSUP name type to a GSS_NT_ExportedName form, where it can easily be lifted. This is also the subject of another previous issue raised about GSSUP name types. This solution will solve both problems.
Issue 3972: Format of GSSUP GSS exported name object undefined (csiv2-ftf)
Click here for this issue's archive.
Source: Oracle (Mr. Ron Monzillo, ronald.monzillo(at)east.sun.com)
Nature: Uncategorized Issue
Severity:
Summary: Document: orbos/2000-08-04 CSIv2 Final Submission Issue: Format of GSSUP GSS mechanism-independent exported name object, a special form of "flat" name as described below, is not defined. Description: >From RFC 2473 section 1.1.5 Naming > Different classes of name representations are used in conjunction > with different GSS-API parameters: > > - Internal form (denoted in this document by INTERNAL NAME), > opaque to callers and defined by individual GSS-API > implementations. GSS-API implementations supporting multiple > namespace types must maintain internal tags to disambiguate the > interpretation of particular names. A Mechanism Name (MN) is a > special case of INTERNAL NAME, guaranteed to contain elements > corresponding to one and only one mechanism; calls which are > guaranteed to emit MNs or which require MNs as input are so > identified within this specification. > > - Contiguous string ("flat") form (denoted in this document by > OCTET STRING); accompanied by OID tags identifying the namespace > to which they correspond. Depending on tag value, flat names may > or may not be printable strings for direct acceptance from and > presentation to users. Tagging of flat names allows GSS-API > callers and underlying GSS-API mechanisms to disambiguate name > types and to determine whether an associated name's type is one > which they are capable of processing, avoiding aliasing problems > which could result from misinterpreting a name of one type as a > name of another type. > > - The GSS-API Exported Name Object, a special case of flat name > designated by a reserved OID value, carries a canonicalized form > of a name suitable for binary comparisons.
Resolution:
Revised Text: Resolution: Define a "flat name" type OID and format. It would also be good to have these OIDs specified somewhere. We can do that in IDL with string constants, using dot notation for OIDs Close issue with revised text. Revised Text: The following modifications are presented against document http://cgi.omg.org/pub/csiv2-ftf/csiv2-0117011.pdf with the assumption that the resolution of Issue 4141 has been applied, i.e. Moving GSS_NT_ExportedName from Security to CSI, and the assumption that the resolution of Issue 4143 has been applied, i.e. creation of the CSI::StringOID type. [1] Add the following at the end (following para 54) of section 15.2.5 Identity Token Format GSS Exported Name Object Form for GSSUP Mechanism. The mechanism OID within the exported name object shall be that of the GSSUP mechanism. {iso-itu-t (2) international-organization (23) omg (130) security (1) authentication (1) gssup-mechanism (1)} The name component within the exported name object shall be a contiguous string conforming to the syntax of the scoped-username GSS name form. The encoding of GSS mechanism-independent exported name objects is defined in [IETF RFC 2743]. Scoped-Username GSS Name Form The scoped-username GSS name form is defined as follows, where name_value and name_scope contain a sequence of 1 or more UTF8 encoded characters. scoped-username ::= name_value | name_value@name_scope | @name_scope The '@' character shall be used to delimit name_value from name_scope. All non-delimiter instances of '@' and all non-quoting instances of '\' shall be quoted with an immediately-preceding '\'. Except for these cases, the quoting character, '\', shall not be emitted within a scoped-username. The Object Identifier corresponding to the GSS scoped-username name form is: {iso-itu-t (2) international-organization (23) omg (130) security (1) naming (2) scoped-username(1)} [2] Insert the following definitions in Section 16.9.6, Module CSI, after the definition of GSS_NT_ExportedNameList. // The GSS Object Identifier for the KRB5 mechanism is: // // { iso(1) member-body(2) United States(840) mit(113554) // infosys(1) gssapi(2) krb5(2) } const StringOID KRB5MechOID = "oid:1.2.840.113554.1.2.2"; // The GSS Object Identifier for name objects of the // Mechanism-idependent Exported Name Object type is: // {iso(1) org(3) dod(6) internet(1) security(5) // nametypes(6) gss-api-exported-name(4)} const StringOID GSS_NT_Export_Name_OID = "oid:1.3.6.1.5.6.4"; // The GSS Object Identifier for the scoped-username name form is: // {iso-itu-t (2) international-organization (23) omg (130) // security (1) naming (2) scoped-username(1)} const StringOID GSS_NT_Scoped_Username_OID = "oid:2.23.130.1.2.1";
Actions taken:
October 19, 2000: received issue
October 3, 2001: closed issue
Discussion: Section 3.5 of the CSIv2 document describes Identity Tokens, however it did not describe the format of the "name blob" (that is the part following the mechanism OID and length) within a GSSUP Exported Name Object.
Issue 3973: inconsistent definition of target_name field (csiv2-ftf)
Click here for this issue's archive.
Source: Oracle (Mr. Ron Monzillo, ronald.monzillo(at)east.sun.com)
Nature: Uncategorized Issue
Severity:
Summary: Document: orbos/2000-08-04 CSIv2 Final Submission Issue: target_name(s) field of struct AS_ContextSec is defined and described inconsistently in various places in the submission. Description: In section 6.1.4.1 this field is defined as sequence <Security::GSS_NT_exportedName> target_names; and defined as a list of target names. In the IDL in section B.7 this field is defined as sequence <Security::GSS_NT_exportedName> target_name; There are other places in the document where the singular form of this field name is used, including in the examples of the scenarios chapter. Proposed Solution: The change of this field to a list was not necessary, as it is difficult to make a case for requiring multiple target names within a single mechanism (as there is a multiple mechanism workaround). We should at least fix the inconsitencies in the document. If we keep the ability to express multiple targets, then we should also say something about the semantics of position in the list. The prefered solution would be to revert back to the singular form. Security::GSS_NT_exportedName target_name; and fix all references to this field accordingly.
Resolution: Make it singular. Close issue with revised text.
Revised Text: The following modifications are presented against document http://cgi.omg.org/pub/csiv2-ftf/csiv2-0117011.pdf. with the assumption that the resolution of Issue 4141 has been applied. (Moving OID and GSS_NT_ExportedName from Security to CSI). [1] Change the IDL between para 138 and 139 to the following: struct AS_ContextSec{ AssociationOptions target_supports; AssociationOptions target_requires; CSI::OID client_authentication_mech; CSI::GSS_NT_ExportedName target_name; }; [2] Change para 141 to read: The target uses the target_name field to make its security name and or authentication domain available to clients. This information may be required by the client to obtain or construct (depending on the mechanism) a suitable initial context token. [3] Change the IDL definition of AS_ContextSec in Section 16.9.7, Module CSIIOP to the following: struct AS_ContextSec{ AssociationOptions target_supports; AssociationOptions target_requires; CSI::OID client_authentication_mech; CSI::GSS_NT_ExportedName target_name; };
Actions taken:
October 19, 2000: received issue
October 3, 2001: closed issue
Issue 3974: CSIv2 IOR Tagged component Identifier values (csiv2-ftf)
Click here for this issue's archive.
Source: Oracle (Mr. Ron Monzillo, ronald.monzillo(at)east.sun.com)
Nature: Uncategorized Issue
Severity:
Summary: Document: orbos/2000-08-04 CSIv2 Final Submission Issue: tagged component identifier values must be assigned for components TAG_NULL_TAG, TAG_CSI_SEC_MECH_LIST, and TAG_SECIOP_SEC_TRANS. Description: const IOP::ComponentId TAG_CSI_SEC_MECH_LIST = aa; const IOP::ComponentId TAG_NULL_TAG = bb; const IOP::ComponentId TAG_SECIOP_SEC_TRANS = cc; Numerical values must be reserved within the OMG tag list to identify these new tagged components. These values will replace the temporary values, "aa", "bb", and "cc" appearing in the submission. Discussion: Proposed Solution: const IOP::ComponentId TAG_CSI_SEC_MECH_LIST = 33; const IOP::ComponentId TAG_NULL_TAG = 34; const IOP::ComponentId TAG_SECIOP_SEC_TRANS = 35;
Resolution: editorial, close issue
Revised Text:
Actions taken:
October 19, 2000: received issue
October 3, 2001: closed issue
Discussion: TAG values for aforementioned constants allocated by OMG and incorporated in the IDL editorially.
Issue 3975: INVALID recommended cipher suites (csiv2-ftf)
Click here for this issue's archive.
Source: Oracle (Mr. Ron Monzillo, ronald.monzillo(at)east.sun.com)
Nature: Uncategorized Issue
Severity:
Summary: Document: orbos/2000-08-04 CSIv2 Final Submission Issue: Section "5.2.1" Recommended SSSL/TLS Ciphersuites" incorrectly names 4 cipher suites. Description: The first 4 cipher suites in the recommended list do not exist as they were named. The invalid appearing in this list are: TLS_RSA_EXPORT_WITH_RC4_128_MD5 SSL_RSA_EXPORT_WITH_RC4_128_MD5 TLS_DHE_DSS_EXPORT_WITH_DES_CBC_SHA SSL_DHE_DSS_EXPORT_WITH_DES_CBC_SHA Proposed Solution: Replace the invalid names listed above with the following: TLS_RSA_WITH_RC4_128_MD5 SSL_RSA_WITH_RC4_128_MD5 TLS_DHE_DSS_WITH_DES_CBC_SHA SSL_DHE_DSS_WITH_DES_CBC_SHA
Resolution: Make the replacements as suggested above.
Revised Text:
Actions taken:
October 19, 2000: received issue
October 3, 2001: closed issue
Issue 4118: Multiple Privilege Authorities and Supported Naming Types (csiv2-ftf)
Click here for this issue's archive.
Source: Syracuse University (Dr. Polar Humenn, polar(at)adiron.com)
Nature: Uncategorized Issue
Severity:
Summary: Multiple privilege authorities and multiple naming types yield combinatorial problems for the client. Discussion: This issue is sort of in the same regards to Issue 3973 where Ron thinks that having multiple target_name(s) in the AS_ContextSec is a bad idea, of which I agree. The type of the privilege_authorities field in the CSIIOP::SAS_ContextSec structure sequence<ServiceConfiguration>. It suffers the same problem, especially when combined with multiple supported naming types. It is completely hard to determine having multiple privilege authorities and the names that must be used to assert the identity for the privileges. In fact, the client may get back an AuthorizationToken that he doesn't understand, but will need to assert an identity for it's use, quite possibly with endorsement. Having multiple naming types supported per privilege authority is fine, but combine that with multiple ones, and you may get a decision problem for the client. It is better to be able to specify a one-to-one correspondence, locking down the combinations that a server will accept, and the client doesn't have to do any mucking about deciding what will work. Proposed Solution: Singularize the privilege authorities field. Unfortunately IDL has a hard time making a singular field become optional without doing something bizzare, such as: switch(boolean) { true: ServiceConfiguration privilege_authority } which requires a new type, etc. I have two proposals: Proposal 1: We signularize the field in name, i.e. "privilege_authority". Keep the sequence definition. However, stating in the specification at most one must be contained. This can be hinted at as well in IDL. struct SAS_ContextSec{ Security::AssociationOptions target_supports; Security::AssociationOptions target_requires; sequence <ServiceConfiguration,1> privilege_authority; sequence <Security::OID> supported_naming_mechanisms; }; Proposal 2: We specify a ServiceConfigurationSyntax tag for "none", and specify that the sequence of octet associated with it is empty. // Corresponding ServiceName for the SCS_None Syntax should be an empty // sequence octets. const ServiceConfigurationSyntax SCS_None = -1; struct SAS_ContextSec{ Security::AssociationOptions target_supports; Security::AssociationOptions target_requires; ServiceConfiguration privilege_authority; sequence <Security::OID> supported_naming_mechanisms; }; For efficiency I'm in favor of the second approach, because I can just look a the ServiceConfiguration::syntax field and know what to do. The first proposal causes me to look at the length first, index to the first element in the array, and then look at the syntax field. As an aside, I also wouldn't mind changing the sequence<Security::OID> type into a Security::OIDList, but that can be the subject of another issue. Also note, to be specific with the document I am pointing to, I used the "Security" definitions. Hopefully, we will follow one proposal to change the Security::AssociationOptions to CSIIOP::AssociationOptions and Security::OID and Security::OIDList to CSI::OID and CSI::OIDList respectively.
Resolution: Close issue with revised text.
Revised Text: Base document: http://cgi.omg.org/pub/csiv2-ftf/csiv2-031401.pdf [1] Replace Paragraph 148 with the following two paragraphs: The privilege_authorities field contains a sequence of zero or more ServiceConfiguration elements. A non-empty sequence indicates that the target supports the CSS delivery of an AuthorizationToken, which is delivered in the EstablishContext message. A CSS shall not be required to look beyond the first element of this sequence unless required by the first element. The syntax field within the ServiceConfiguration element identifies the format used to represent the authority. Two alternative formats are currently defined: an ASN.1 encoding of the GeneralNames (as defined in [IETF RFC 2459]) which identify a privilege authority, or a GSS exported name (as defined in [IETF RFC 2743] Section 3.2) encoding of the name of a privilege authority. Actions Taken:
Actions taken:
January 10, 2001: received issue
October 3, 2001: closed issue
Issue 4141: ISL changes to break dependency on Security and SECIOP modules (csiv2-ftf)
Click here for this issue's archive.
Source: Oracle (Mr. Ron Monzillo, ronald.monzillo(at)east.sun.com)
Nature: Uncategorized Issue
Severity:
Summary: Document: orbos/2000-08-04 CSIv2 Final Submission Issue: Section "IDL" Contains dependencies on the IDL of the security specification (the SECURITY, SECIOP, and SSLIOP modules) Description: The IDL for CSIv2 is dependent on the AssociationOptions type of the SECURITY module, and proposes some new types to be added to that module. The IDL for CSIv2 also proposes some new types to be added to the the SECIOP module. The IDL for CSIv2 is dependent on the SSL module. Proposed Solution: 1. Move the AssociationOptions type out of the Security Mododule into a new base security module. (Issue for the security spec) - Make the Security Module dependent on this base security module. 2. Add new constants to AssociationOptions. 3. Add to this new base module the new types created for CSIv2 and previosly intended to be added to the security module (with the exception of the types related to type ScopedName, which will be the subject of another issue). 4. Move the new SECIOP ComponentId and tag structure for TAG_SECIOP SEC_TRANS into the CSIIOP module, thus eleiminating the CSIv2 dependence on the SECIOP module. 5. move the SSLIOP module into the CSIv2 spec. Change the SSLIOP modules dependency on the security module to a dependency on the new base security module. 6. Change All references to the SECUIRTY module in modules GSSUP, SSLIOP. CSI, and CSIIOP to references to the base security module. 7. Modify the GSSUP, CSI, and CSIIOP modules for idempotent inclusion.
Resolution: Close issue with revised text.
Revised Text: The following modifications are presented against document http://cgi.omg.org/pub/csiv2-ftf/csiv2-0117011.pdf. [1] Move definition of UTFString to CSI, and move NameValue and ScopedName to GSSUP (for now) Replace all the IDL definitions at the top of page 16-13, which are between para 48 & 49 with the following: typedef CSI::UTF8String NameValue; struct ScopedName { NameValue name_scope; NameValue name_value; }; // GSSUP::InitialContextToken struct InitialContextToken { ScopedName username; CSI::UTF8String password; }; [2] Change Reference to TAG_SSL_SEC_TRANS on page 16-29 in para 114 to TAG_TLS_SEC_TRANS. [3] Change Section Header "TAG_SSL_SEC_TRANS" on page 16-33 above para 126 to "TAG_TLS_SEC_TRANS" [4] Change all occurrences of TAG_SSL_SEC_TRANS" from para 126 thru para 128, to "TAG_TLS_SEC_TRANS". [5] Change idl between para 127 & 128 to the following: const IOP::ComponentId TAG_TLS_SEC_TRANS = 999; // TBA struct TLS_SEC_TRANS { AssociationOptions target_supports; AssociationOptions target_requires; unsigned short port; }; [6] Change the IDL between para 130 & 131 to the following: const IOP::ComponentId TAG_SECIOP_SEC_TRANS = 35; struct SECIOP_SEC_TRANS { AssociationOptions target_supports; AssociationOptions target_requires; CSI::OID mech_oid; CSI::GSS_NT_ExportedName target_name; unsigned short port; }; [7] Change the IDL between para 132 & 133, removing the "Security::" module name making the CompoundSecMech struct have the following definition: struct CompoundSecMech { AssociationOptions target_requires; IOP::TaggedComponent transport_mech; AS_ContextSec as_context_mech; SAS_ContextSec sas_context_mech; }; [8] Change the TAG_SSL_SEC_TRANS to TAG_TLS_SEC_TRANS in para 133. [9] Change the IDL between para 138 & 139 to the following: struct AS_ContextSec{ AssociationOptions target_supports; AssociationOptions target_requires; CSI::OID client_authentication_mech; sequence <CSI::GSS_NT_ExportedName> target_name; }; [10] In the IDL between para 144 and 145, change the definition of the SAS_ContextSec struct to the following: struct SAS_ContextSec{ AssociationOptions target_supports; AssociationOptions target_requires; sequence <ServiceConfiguration> privilege_authorities; CSI::OIDList supported_naming_mechanisms; }; [11] Change occurrence of TAG_SSL_SEC_TRANS to TAG_TLS_SEC_TRANS in the code after para 187 and in para 188. [12] Change occurrence of TAG_SSL_SEC_TRANS to TAG_TLS_SEC_TRANS in the code after para 189. [13] Change occurrence of TAG_SSL_SEC_TRANS to TAG_TLS_SEC_TRANS in the code after para 190. [14] Change occurrence of TAG_SSL_SEC_TRANS to TAG_TLS_SEC_TRANS in the code after para 192. [15] Change occurrence of TAG_SSL_SEC_TRANS to TAG_TLS_SEC_TRANS in the code after para 193. [16] Remove Section 16.9.2 Module Security in its entirety. [17] Remove Section 16.9.3 Module SSLIOP in its entirety. [18] Remove Section 16.9.4 Module SECIOP in its entirety. [19] Change IDL of the GSSUP mechanism to the following: #ifndef _GSSUP_IDL_ #define _GSSUP_IDL_ #include <CSI.idl> #pragma prefix "omg.org" module GSSUP { typedef CSI::UTF8String NameValue; struct ScopedName { NameValue name_scope; NameValue name_value; }; // The GSS Object Identifier allocated for the username/password mechanism is defined below. // // { iso-itu-t (2) international-organization (23) omg (130) security (1) // authentication (1) gssup-mechanism (1) } // The following structure defines the inner contents of the username password initial // context token. This structure is CDR encoded in a sequence of octets and appended // at the end of the username/password GSS (initial context) Token (see above). struct InitialContextToken { ScopedName username; CSI::UTF8String password; }; }; // GSSUP #endif [20] In Section 16.9.6 Modules CSI, Add the following to the beginning: #ifndef _CSI_IDL_ #define _CSI_IDL_ #pragma prefix "omg.org" [21] After "module CSI {" add the following lines of IDL: // An X509CertificateChain contains an ASN.1 encoded SEQUENCE // [1..MAX] OF X.509 certificates encapsulated in a sequence // of octets. The subject's certificate must come first in the // list. Each following certificate must directly certify the one // preceding it. The ASN.1 representation of Certificate is // as defined in [IETF RFC 2459]. typedef sequence <octet> X509CertificateChain; // an X.501 type name or Distinguished Name encapsulated in a sequence of octets // containing the ASN.1 encoding. typedef sequence <octet> X501DistinguishedName; // UTF-8 Encoding of String typedef sequence <octet> UTF8String; // ASN.1 Encoding of an OBJECT IDENTIFIER typedef sequence <octet> OID; typedef sequence <OID> OIDList; // A sequence of octets containing a GSStoken. Initial context tokens are ASN.1 // encoded as defined in [IETF RFC 2743] Section 3.1, "Mechanism-Independent Token // Format", pp. 81-82. Initial context tokens contain an ASN.1 tag followed by a // token length, a mechanism identifier, and a mechanism-specific // token (i.e. a GSSUP::InitialContextToken). The encoding of all other GSS tokens // (e.g. error tokens and final context tokens) is mechanism dependent. typedef sequence <octet> GSSToken; // An encoding of a GSS Mechanism-Independent Exported Name Object as defined in // [IETF RFC 2743] Section 3.2, "GSS Mechanism-Independent Exported Name Object // Format," p. 84. typedef sequence <octet> GSS_NT_ExportedName; typedef sequence <GSS_NT_ExportedName> GSS_NT_ExportedNameList; [22] Remove all 6 occurrences of "Security::" in the IDL for the CSI module. [23] Add the following line to the end of the CSI module: #endif [24] In section 16.9.7 add the following to the beginning: #ifndef _CSIIOP_IDL_ #define _CSIIOP_IDL_ #include <IOP.idl> #include <CSI.idl> #pragma prefix "omg.org" [25] In section 16.9.7, after the definition of TAG_CSI_SEC_MECH_LIST add the following IDL: // // Association Options // typedef unsigned short AssociationOptions; const AssociationOptions NoProtection = 1; const AssociationOptions Integrity = 2; const AssociationOptions Confidentiality = 4; const AssociationOptions DetectReplay = 8; const AssociationOptions DetectMisordering = 16; const AssociationOptions EstablishTrustInTarget = 32; const AssociationOptions EstablishTrustInClient = 64; const AssociationOptions NoDelegation = 128; const AssociationOptions SimpleDelegation = 256; const AssociationOptions CompositeDelegation = 512; const AssociationOptions IdentityAssertion = 1024; const AssociationOptions DelegationByClient = 2048; [26] In section 16.9.7, Replace all 5 occurrences of "Security::AssociationOptions" with "AssociationOptions". These occurrences are in the following definitions: AS_ContextSec SAS_ContextSec CompoundSecMech Replace all remaining 3 occurrences of "Security::" with "CSI::". These occurrences are in the following definitions: AS_ContextSec SAS_ContextSec [27] In section 16.9.7, replace the final "};//CSIIOP" with the following IDL: const IOP::ComponentId TAG_SECIOP_SEC_TRANS = 35; struct SECIOP_SEC_TRANS { AssociationOptions target_supports; AssociationOptions target_requires; CSI::OID mech_oid; CSI::GSS_NT_ExportedName target_name; unsigned short port; }; const IOP::ComponentId TAG_TLS_SEC_TRANS = 9999; //TBA struct TLS_SEC_TRANS { AssociationOptions target_supports; AssociationOptions target_requires; unsigned short port; }; }; //CSIIOP #endif
Actions taken:
January 10, 2001: received issue
October 3, 2001: closed issue
Discussion: Elimination of dependencies on the Security, SECIOP, and SSLIOP modules is generally felt to be a good idea. Move pertinent data definitions from Security, SECIOP, and SSLIOP into CSI module and CSIIOP module.
Issue 4142: Module suggestions (csiv2-ftf)
Click here for this issue's archive.
Source: Syracuse University (Dr. Polar Humenn, polar(at)adiron.com)
Nature: Uncategorized Issue
Severity:
Summary: In looking at it, I think CSI would make a good "base" module. Since other modules are only related to CSI, such as CSIIOP and GSSUP, I see no reason why those two modules cannot depend on CSI. Define in CSI: AssociationOptions GSSToken GSS_NT_ExportedName X509CertificateChain X501DistinguishedName As part of another issue, change the use of ScopedName in GSSUP to CSI::GSS_NT_ExportedName. As yet another issue, is to get rid of the ASN.1 dependance on X509CertificateChain and X501DistinguishedName and somehow make it consistent with the PKI spec. Or get rid of them all together, and just use ExportedName format with proper OIDs.
Resolution: Same as issue 4141
Revised Text: Same as issue 4141
Actions taken:
January 10, 2001: received issue
October 3, 2001: closed issue
Issue 4143: OIDs (csiv2-ftf)
Click here for this issue's archive.
Source: Syracuse University (Dr. Polar Humenn, polar(at)adiron.com)
Nature: Uncategorized Issue
Severity:
Summary: There is a need to define OIDs, at least one for GSSUP. However, an OID is represented by a sequence of positive integers, encoded as a octet sequence. The encoding has the property that two encodings are equivalent if and only if their definitions are equivalent (which is something ASN.1 DER is not particulary good at). We cannot define a costant in IDL for a sequence of octets. However, I've seen an number of ASN.1 compilers and it seems that the internal form of the definition of an OID is a string of natural numbers in base 10 separated by dots. This is a parseable representation, and widely used. I suggest that we introduce a definition, possibly a type, for and OID string representation. module CSI { // // An OID String Representation. // The OID is represented in dot format. // For example, "2.23.130.1.1.1". // typedef string OIDStringRep; }; module GSSUP { const OIDStringRep GSSUP_OID_DEF = "2.23.130.1.1.1"; }; This will allow ASN.1 compilers to at least map from this internal string representation if they don't already do so. What do you think? If there is consensus, I'll raise an issue, and we can resolve it.
Resolution: Close issue with revised text.
Revised Text: The following modifications are presented against document http://cgi.omg.org/pub/csiv2-ftf/csiv2-0117011.pdf. [1] Place the following into module CSI: // The following type represents the string representation // of an ASN.1 OBJECT IDENTIFIER (OID). OIDs are represented // by the string "oid:" followed by the integer base 10 // representation of the OID separated by dots. // For example, the OID signifying the OMG is represented as: // "oid:2.23.130" typedef string StringOID; [2] In Section 16.9.5 GSSUP replace the comment block starting with "// The GSS Object Identifier allocated for the username/password ..." with the following: // The GSS Object Identifier allocated for the username/password mechanism is defined below. // // { iso-itu-t (2) international-organization (23) omg (130) security (1) // authentication (1) gssup-mechanism (1) } const CSI::StringOID GSSUPMechOID = "oid:2.23.130.1.1.1";
Actions taken:
January 10, 2001: received issue
Discussion: OIDs are usually expressed in documents and programming tools as base 10 integers separated by dots, such as "2.23.130". It would be good to adopt something similar to this representation so that they can be represented as constants in IDL, as a sequence of octets does not have a constant representation in IDL. A typedef created to handle this will be: typedef string StringOID; We use the term "StringOID" because already have an "OID" type in the CSI module, and in the spirit of the CosNamingExt module, it is analogous to the "Name" and "StringName" types and their definitions.
Issue 4200: Module SSLIOP Does Not Contain Host (csiv2-ftf)
Click here for this issue's archive.
Source: Mansurus LLC (Mr. Donald Flinn, flinn(at)alum.mit.edu)
Nature: Uncategorized Issue
Severity: Critical
Summary: In some situations, e.g. a multi-homed system, there would have to be a profile for each port number supported by SSL. This is inefficient. Adding a String host_name to the struct SSL in the Module SSLIOP would resolve this issue.
Resolution: Close issue with revised text.
Revised Text: Base document: http://cgi.omg.org/pub/csiv2-ftf/csiv2-031401.pdf [1] Add Minor Heading Section before TAG_TLS_SEC_TRANS Transport Address The TransportAddress structure indicates an INTERNET address where the TSS is listening for connection requests. struct TransportAddress { string host_name; unsigned short port; }; typedef sequence <TransportAddress> TransportAddressList; The host_name field identifies the Internet host to which connection requests will be made. The host_name field shall not contain an empty string. The port field contains the TCP/IP port number (at the specified host) where the TSS is listening for connection requests. The port number shall not be zero. [2] Replace paragraph 130 with the following: When an instance of the TAG_TLS_SEC_TRANS component occurs in the transport_mech field of the CompoundSecMech structure, it defines the sequence of transport addresses that the target will be listening for SSL/TLS protected invocations. The supported (target_supports) and required (target_requires) association options defined in the component shall define the transport level security characteristics of the target at the given addresses. [3] Change the IDL for TLS_SEC_TRANS after paragraph 130 to the following: struct TLS_SEC_TRANS { AssociationOptions target_supports; AssociationOptions target_requires; TransportAddressList addresses; }; [4] Add the following paragraph following the IDL after paragraph 130: The addresses field provides a shorthand for defining multiple security mechanisms that differ only in their transport addresses. The addresses field shall contain at least one address. [5] Add the following IDL for TransportAddress 16.9.4 on page 16-65 after the definition of CompoundSecMechList: struct TransportAddress { string host_name; unsigned short port; }; typedef sequence <TransportAddress> TransportAddressList; [6] Change the IDL for TLS_SEC_TRANS in section 16.9.4 on page 16-66 to the following: struct TLS_SEC_TRANS { AssociationOptions target_supports; AssociationOptions target_requires; TransportAddressList addresses; };
Actions taken:
February 12, 2001: received issue
October 3, 2001: closed issue
Discussion: We add a minor section describing a TransportAddress structure with wording close to that of the IIOP profile on page 15-50 of CORBA 2.3. formal/99-10-07. We also add a typedef for a sequence of these structures. We change the TLS_SEC_TRANS structure to use a list of these addresses.
Issue 4221: Issue: inconsistent definition of AuthorizationToken (csiv2-ftf)
Click here for this issue's archive.
Source: Oracle (Mr. Ron Monzillo, ronald.monzillo(at)east.sun.com)
Nature: Uncategorized Issue
Severity:
Summary: Document: csiv2-011701 In section 16.2.3 The AuthorizationToken type is defined inconsitently with respect to its definition in IDL module CSI. typedef sequence <X509AuthorizationElement> AuthorizationToken; in module CSI typedef sequence <AuthorizationElement> AuthorizationToken; The definition in 16.2.3 should be chnaged to agree with that in the IDL
Resolution: Apply revised text and close issue.
Revised Text: Base Document: http://cgi.omg.org/pub/csiv2-ftf/csiv2-031401.pdf [1] In Section 16.2.3 on page 16-14 the definition of AuthorizationTokenType is changed to the following: typedef sequence <AuthorizationElement> AuthorizationToken;
Actions taken:
March 13, 2001: received issue
October 3, 2001: closed issue
Issue 4268: How to Partition the ServiceConfiguration syntax space to support vendor sp (csiv2-ftf)
Click here for this issue's archive.
Source: Oracle (Mr. Ron Monzillo, ronald.monzillo(at)east.sun.com)
Nature: Uncategorized Issue
Severity:
Summary: We need to define how the namespace of ServiceConfiguration syntax identifiers (used in privilege_authorities) is to be partitioned so that individual vendors have some identifiers reserved for their use (i.e. the definition of vendor specific syntaxes).
Resolution: Recommend closure with revised text
Revised Text: Base document: http://cgi.omg.org/pub/csiv2-ftf/csiv2-031401.pdf [1] Add two new paragraphs following the second half of para 148 (which was split as one result of the resolution to issue 4118). The high order 20-bits of each ServiceConfigurationSyntax constant shall contain the Vendor Minor Codeset ID (VMCID) of the organization that defined the syntax. The low order 12 bits shall contain the organization-scoped syntax identifier. The high-order 20 bits of all syntaxes defined by the OMG shall contain the VMCID allocated to the OMG (that is, 0x4F4D0). Organizations must register their VMCIDs with the OMG before using them to define a ServiceConfigurationSyntax. [2] change the defintion of the ServiceConfigurationSyntax type, and the syntax contants in a. the IDL following para 147 b. in section 16.9.4 Module CSIIOP to: // The high order 20-bits of each ServiceConfigurationSyntax constant // shall contain the Vendor Minor Codeset ID (VMCID) of the // organization that defined the syntax. The low order 12 bits shall // contain the organization-scoped syntax identifier. The high-order 20 // bits of all syntaxes defined by the OMG shall contain the VMCID // allocated to the OMG (that is, 0x4F4D0). typedef unsigned long ServiceConfigurationSyntax; // The OMG VMCID; same value as CORBA::OMGVMCID. Do not change ever. const unsigned long OMGVMCID = 0x4F4D0; const ServiceConfigurationSyntax SCS_GeneralNames = OMGVMCID | 0; const ServiceConfigurationSyntax SCS_GSSExportedName = OMGVMCID | 1;
Actions taken:
April 11, 2001: received issue
October 3, 2001: closed issue
Discussion: How to Partition the ServiceConfiguration syntax space to support vendor specific extensions
Issue 4277: New minor codes for NO_PERMISSION Exception in CSIv2 (csiv2-ftf)
Click here for this issue's archive.
Source: International Business Machines (Dr. Daniel T. Chang, dtchang(at)us.ibm.com)
Nature: Uncategorized Issue
Severity:
Summary: Don, > > Although the minor codes of the NO_PERMISSION exception have been defined > in Table 4-7, Section 4.5, of the 7/21/2000 version of the CSIv2 > Specification, in order > for the server to properly communicate the caused of the NO_PERMISSION > exception > to the client, we would like to propose the additional minor codes to the > NO_PERMISSION > exception. > > *********************************************************************** > NO_PERMISSION authentication error minor codes: range 1-100 > (Note: The following minor codes are defined in the current CSIv2 spec: > > 1 - Invalid evidence > 2 - Invalid mechanism > 3 - Conflicting evidence > 4- No Context > ) > The new proposed minor codes for NO_PERMISSION exception: The numbering > scheme was chosen to group errors into areas of > similarity. > > 5 - user id not defined to security system - the user may select another > userid > 6 - user id revoked by security system - the user may select > another userid > > 11 - password invalid for this userid - the user may correct the password > 12 - password expired - the user may select another userid > > 20 - credentials expired - the user may select different credentials or > renew them(e.g. by reissuing kinit) > 22 - credentials invalid - the user may select different > credentials, (e.g. > by kinit, or specifying a different PKCS certificate handle) > > 52 - new password doesn't meet installation requirements > > 60 - general authentication error - the user should resubmit his > credentials, but not additional information as to what is in error is > provided. > ******
Resolution: Close issue with revised text.
Revised Text: Base document: http://cgi.omg.org/pub/csiv2-ftf/csiv2-031401.pdf [1] In para 21, change the bullet about error_token to the following * error_token A GSS mechanism-specific error token. When an EstablishContext message is rejected because it contains a client_authentication_token (a GSS initial context token) that is invalidated by the TSS, then depending on the mechanism, the TSS may return a CDR encapsulation of a mechanism-specific GSS error token in this field. Not all GSS mechanisms produce error tokens in response to initial context token validation failures. [2] Add a new section after para 49 GSSUP Mechanism-Specific Error Token The GSSUP mechanism-specific error token contains a GSSUP fatal error code. typedef unsigned long ErrorCode; // GSSUP Mechanism-Specific Error Token struct ErrorToken { ErrorCode error_code; }; The following fatal error codes are defined by the GSSUP mechanism: // the context validator has chosen not to reveal // the GSSUP specific cause of the failure. const ErrorCode GSS_UP_S_G_UNSPECIFIED = 1; // the user identified in the username field of // the GSSUP::InitialContextToken is unknown to the target const ErrorCode GSS_UP_S_G_NOUSER = 2; // the password supplied in the GSSUP::InitialContextToken // was incorrect const ErrorCode GSS_UP_S_G_BAD_PASSWORD = 3; // the target_name supplied in the GSSUP::InitialContextToken // does not match a target_name in a mechanism definition of // the target const ErrorCode GSS_UP_S_G_BAD_TARGET = 4; A TSS is under no obligation to return a GSSUP error token; however, returning this token may facilitate the transition of the client-side GSS state machine through error processing. Accordingly, a TSS may indicate that SAS context validation failed in GSSUP client authentication by returning a GSSUP error token in a SAS ContextError message. In this case, a TSS that choses not to reveal specific information as to the cause of the failed GSSUP authentication shall return a status value of GSS_UP_S_G_UNSPECIFIED. [3] change table 16-9 in section 16.3.5 ContextError Values and Exceptions as follows (ignoring the first and last columns which will remain unchanged). Event Semantic Major Minor accept_context returned failure Invalid evidence 1 1 Invalid mechanism 2 1 Conflicting evidence 3 1 reference_context (N) returned false No Context 4 1 [4] Add the following IDL to section 16.9.2 Module GSSUP - Username/Password GSSAPI Token Formats typedef unsigned long ErrorCode; // the context validator has chosen not to reveal // the GSSUP specific cause of the failure. const ErrorCode GSS_UP_S_G_UNSPECIFIED = 1; // the user identified in the username field of // the GSSUP::InitialContextToken is unknown to the target const ErrorCode GSS_UP_S_G_NOUSER = 2; // the password supplied in the GSSUP::InitialContextToken // was incorrect const ErrorCode GSS_UP_S_G_BAD_PASSWORD = 3; // the target_name supplied in the GSSUP::InitialContextToken // does not match a target_name in a mechanism definition of // the target const ErrorCode GSS_UP_S_G_BAD_TARGET = 4; // GSSUP Mechanism-Specific Error Token struct ErrorToken { ErrorCode error_code; };
Actions taken:
April 18, 2001: received issue
October 3, 2001: closed issue
Discussion: CSIv2 will not define a new exception minor code. The CSIv2 ContextError codes will be modified to support future inclusion of additional and optional error codes in the point-to-point, wire-level exchange between TSS and CSS. An error token and minor status codes will be defined for the GSSUP mechanism. Communicating error status from the CSS to the client app, will be defined in the context of APIs (that is, above the wire-level interoperability defined by the current specification).
Issue 4281: No Tokens in EstablishContext Message (csiv2-ftf)
Click here for this issue's archive.
Source: Oracle (Mr. Ron Monzillo, ronald.monzillo(at)east.sun.com)
Nature: Uncategorized Issue
Severity:
Summary: The spec doesn't say whether or not an EstablishContext with none of cleint authentication, identity, or authorization token is legitimate. I don't think we need the ability to send such mecahnisms (for unprotected requests), as we would just send the request without a CSIv2 service context element. The only down side I can see, to writing this empt EstbalishContext out of spec, would be that a client could not use it to get feedback from a TSS in the form of CompleteEstablishContext, indicating that the TSS supports CSIv2. We must indicate that this is either an invalid msg, or state that it must be supported (and what it's semantics should be).
Resolution: close issue with no change
Revised Text:
Actions taken:
April 24, 2001: received issue
October 3, 2001: closed issue
Discussion: Table 16-4 includes entries which correspond to empty EstablishContext messages, so I now believe that we have adequately defined the semantics of such messages. In retrospect, what is missing from the spec, is the protocol behavior when CSIv2 is used without SAS. I have created a new issue (with proposed resolution) to address that issue.
Issue 4282: Inability to specify per method target security requirements (csiv2-ftf)
Click here for this issue's archive.
Source: Oracle (Mr. Ron Monzillo, ronald.monzillo(at)east.sun.com)
Nature: Uncategorized Issue
Severity:
Summary: The CSIv2 mechanism definition schema, soes not provide a way to associate mechanisms with subsets of the methods of an object. Discussion EJB method-permissions may be associated with subsets of methods, such that a class of EJB objects may have some protected and some unprotected methods. Where by protection I mean, the caller must be authenticated and be in a authorized role, to access the method. Some methods of an EJB may be available to unauthenticated callers, while others may limit access to only specific authenticated callers. Given a mixed protection object, how would one define its IOR such that it could be affectively accessed by its clients without 1. eliminating unauthenticated access to the object that is, mark the target as authentication required 2. causing unnecessary authentications and usurping the clients perogative to only authenticate when it is required to or chooses to. that is, mark the target as authentication supported and tell the client to authenticate if it can 3. causing failed attempts because the client does not know that the target requires authentication that is, mark the target as authentication supported and let the client authenticate if it wants to Would it be appropriate to add information to the IOR, that indicates that whether the object will check permissions, such that a client normally operating in mode 3, would know when it would probably do better in mode 2? Should a CSIv2 IOR which principally defines (authentication and msg protection mechanisms) carry additional information about the authorization policy of the object? There is obviously some precedent for doing so in the privilege authorities field.
Resolution: Close issue with no change as this does not apply to CSIv2
Revised Text:
Actions taken:
April 24, 2001: received issue
October 3, 2001: closed issue
Issue 4293: CSIv2 Issue: SECIOP does not have multiple addresses. (csiv2-ftf)
Click here for this issue's archive.
Source: Adiron, LLC (Mr. Polar Humenn, polar(at)adiron.com)
Nature: Uncategorized Issue
Severity:
Summary: This issue is the exactly the same issue as issue 4200, which is for TLS (SSL) transport addresses. It notes that the component for a SECIOP transport needs to support multiple addresses. The recommended solutioin to this issue is to adopt the analogous resolution to the 4200 issue.
Resolution: Close issue with revised text.
Revised Text: Base document: http://cgi.omg.org/pub/csiv2-ftf/csiv2-031401.pdf [1] Add Minor Heading Section before TAG_TLS_SEC_TRANS Transport Address The TransportAddress structure indicates an INTERNET address where the TSS is listening for connection requests. struct TransportAddress { string host_name; unsigned short port; }; typedef sequence <TransportAddress> TransportAddressList; The host_name field identifies the Internet host to which connection requests will be made. The host_name field shall not contain an empty string. The port field contains the TCP/IP port number (at the specified host) where the TSS is listening for connection requests. The port number shall not be zero. [2] Replace paragraph 133 with the following: The SECIOP_SEC_TRANS structure defines the transport addresses for SECIOP messages, the association options pertaining to the particular GSS mechanism being supported, the GSS mechanism identifier, and the target's GSS exported name. [3] Change the IDL for SECIOP_SEC_TRANS after paragraph 133 to the following: struct SECIOP_SEC_TRANS { AssociationOptions target_supports; AssociationOptions target_requires; CSI::OID mech_oid; CSI::GSS_NT_ExportedName target_name; TransportAddressList addresses; }; [4] Add the following paragraph following the IDL after paragraph 133: The addresses field provides a shorthand for defining multiple security mechanisms that differ only in their transport addresses. The addresses field shall contain at least one address. [5] Add the following IDL for TransportAddress 16.9.4 on page 16-65 after the definition of CompoundSecMechList: struct TransportAddress { string host_name; unsigned short port; }; typedef sequence <TransportAddress> TransportAddressList; [6] Change the IDL for SECIOP_SEC_TRANS in section 16.9.4 on page 16-65 to the following: struct SECIOP_SEC_TRANS { AssociationOptions target_supports; AssociationOptions target_requires; CSI::OID mech_oid; CSI::GSS_NT_ExportedName target_name; TransportAddressList addresses; };
Actions taken:
May 3, 2001: received issue
October 3, 2001: closed issue
Discussion: We add a minor section describing a TransportAddress structure with wording close to that of the IIOP profile on page 15-50 of CORBA 2.3. formal/99-10-07. We also add a typedef for a sequence of these structures. We change the SECIOP_SEC_TRANS structure to use a list of these addresses.
Issue 4308: The encoding of GSSUP ICT's is not clearly specified (csiv2-ftf)
Click here for this issue's archive.
Source: Oracle (Mr. Ron Monzillo, ronald.monzillo(at)east.sun.com)
Nature: Uncategorized Issue
Severity:
Summary: Document: http://cgi.omg.org/pub/csiv2-ftf/csiv2-031401.pdf Isuse: The encoding of GSSUP ICT's is not clearly specified Para 48 states: [48] The format of a GSSUP initial context token shall be as defined in [IETF RFC 2743] Section 3.1, �Mechanism-Independent Token Format,� pp. 81-82. This GSSToken shall contain an ASN.1 tag followed by a token length, an authentication mechanism identifier, and a CDR encoded sequence of octets corresponding to a GSSUP inner context token as defined by the type GSSUP::InitialContextToken in Section 16.9.2, �Module GSSUP - Username/Password GSSAPI Token Formats,� on page 16-59 (and repeated below). and section 16.9.2 Module GSSUP - Username/Password GSSAPI Token Formats states // The following structure defines the inner contents of the username // password initial context token. This structure is CDR encoded in a // sequence of octets and appended at the end of the username/password // GSS (initial context) Token. struct InitialContextToken { CSI::UTF8String username; CSI::UTF8String password; CSI::GSS_NT_ExportedName target_name; }; Proposed Resolution: Change para 148 to the following: [48] The format of a GSSUP initial context token shall be as defined in [IETF RFC 2743] Section 3.1, �Mechanism-Independent Token Format,� pp. 81-82. This GSSToken shall contain an ASN.1 tag followed by a token length, an authentication mechanism identifier, and an encapsulation octet stream containing a CDR encoded GSSUP inner context token as defined by the type GSSUP::InitialContextToken in Section 16.9.2, �Module GSSUP - Username/Password GSSAPI Token Formats,� on page 16-59 (and repeated below). change the relevant comment in 16.9.2 Module GSSUP - Username/Password GSSAPI Token Formats to the following // The following structure defines the inner contents of the username // password initial context token. This structure is CDR encoded in an // encapsulation octet stream and appended at the end of the username/password // GSS (initial context) Token.
Resolution: Close issue with revised text.
Revised Text: [1] Change the description of an initial context token in para 48 to The format of a GSSUP initial context token shall be as defined in [IETF RFC 2743] Section 3.1, "Mechanism-Independent Token Format," pp. 81-82. This GSSToken shall contain an ASN.1 tag followed by a token length, an authentication mechanism identifier, and a CDR encapsulation containing a GSSUP inner context token as defined by the type GSSUP::InitialContextToken in Section 16.9.2, "Module GSSUP - Username/Password GSSAPI Token Formats," on page 16-59 (and repeated below). [2] Change the description of a GSSUP ICT in module 16.9.2 to // The following structure defines the inner contents of the username // password initial context token. This structure is CDR encapsulated // and appended at the end of the username/password GSS (initial // context) Token. [3] Add a new paragraph after para 49. The format of the name passed in the username field depends on the authentication domain. If the mechanism identifier of the target domain is GSSUP, then the format of the username shall be a Scoped-Username (with name_value) as defined in section 16.2.5, Scoped-Username GSS Name Form.
Actions taken:
May 15, 2001: received issue
October 3, 2001: closed issue
Issue 4326: CSIv2 TSS state machine lacks states to enforce target policy for (csiv2-ftf)
Click here for this issue's archive.
Source: Oracle (Mr. Ron Monzillo, ronald.monzillo(at)east.sun.com)
Nature: Uncategorized Issue
Severity:
Summary: While in state "Waiting for Request", The TSS state machine will accept an unprotected request, without consideration of the target CSIv2 security policy. Also the specification does not describe what is supposed to happen when a target's mechanism definitions/policy requires SAS (i.e. client authentication) and the CSS does not send an EC.
Resolution: Close issue with revised text.
Revised Text: Base document: http://cgi.omg.org/pub/csiv2-ftf/csiv2-031401.pdf [1] modify the TSS state table Change event "receive unprotected request" in state Waiting for Request to "receive request without SAS message" Change action when in state Waiting for Request, and event is "receive request without SAS message" to accept_transport_context() with no arguments. Change new state when in state Waiting for Request, and event is "receive request without SAS message" to Verify Transport Context. Create new state, "Verify Transport Context" and add it to the TSS table. In state "Verify Transport Context", if event is "accept_transport_context() returned success", action shall be "process request", and new state shall be "Send Only Reply". In state "Verify Transport Context", if event is "accept_transport_context() returned failure", action shall be "send exception (NO_PERMISSION)", and new state shall be "Waiting for Request". Increment state numbers of all states following Send Only Reply, to accomodate insertion of new state, Verify Transport Context". For the corrected TSS state machine see the attachment, fix-tss-protocol.PDF The TSS state diagram will be changed to agree with the state table. The corrected CSS state machine is also available at: Revised TSS State Machine [2] in para 108, add a description of accept_transport_context (after accept_context). o accept_transport_context() This action validates that a request that arrives without a SAS protocol message (i.e. EstablishContext or MessageInContext) satisfies the CSIv2 security requirements of the target object. This routine returns true if the transport layer security context (including none) over which the request was delivered satisfies the security requirements of the target object. Otherwise, accept_transport_context returns false. When accept_transport_context returns FALSE, the TSS shall reject the request and send a NO_PERMISSION seception. [3] Modify the CSS state table In state "Waiting for Context" and a new event "get_context_element returned NULL" with action "send request" and new State "Wait for Reply" For the corrected CSS state machine see the attachment, fix-css-protocol.PDF The CSS state diagram will be changed to agree with the state table. The corrected CSS state machine is also available at: Revised CSS State Machine [4] In para 113 extend the description of get_context_element to describe the circumstances under which this routine may return a NULL SAS protocol context elememt. get_context_element(c, policy, creds, mech, Out element) In the scope of connection c, use the client creds to obtain a SAS protocol context element that satisfies the client policy and the target policy in the mechanism. If the CSS supports reusable contexts, and the client policy is to establish a reusable context, the CSS allocates a client_context_id, and initializes a context element in the context table of the connection. A NULL context element may be returned by get_context_element when the target mechanism definition either does not support or require SAS layer security functionality, and the client establishes a policy not to use such functionality unless required to do so. [5] Modify table 16-4 to reintroduce the two rows that descibe CSIv2 invocations where all the security functionality is performed in the transport. Move column 1, to follow 3, and then introduce two new rows as follows: Row 13. Transport Client Principal = none Staddle SAS Client Authentication principal and SAS identity Token Identity and fill combined cell with "No SAS Message" Client Principal is trusted = Not Applicable Invocation Principal = Anonymous Scenario = Unathenticated Row 14. Transport client Principal = P2 Staddle SAS Client Authentication principal and SAS identity Token Identity and fill combined cell with "No SAS Message" Client Principal is trusted = Not Applicable Invocation Principal = P2 Scenario = client authentication For consistency make the same change to the columns in tables 16-3, and 16-5, without adding any new rows. The corrected principal interpretation tables are contained in the third attachment: request-principal-tables.PDF and at Revised Principal Interpretation Tables Actions Taken:
Actions taken:
May 30, 2001: received issue
October 3, 2001: closed issue
Issue 4327: clarification of csiv2 stateful conformance requirements (csiv2-ftf)
Click here for this issue's archive.
Source: Oracle (Mr. Ron Monzillo, ronald.monzillo(at)east.sun.com)
Nature: Uncategorized Issue
Severity:
Summary: The specification is currently weak on its description of what must be done by a TSS with respect to designating a "stateful" value in its IOR's, and in defining under what circumstances a TSS may claim stateful conformance. In particular, the spec does not currently state whether or not a TSS must be stateful for all of its mechanism definitions, at all of its target objects in order to claim stateful conformance. The following paragraphs should be included to clarify these two issues.
Resolution: Close issue with revised text
Revised Text: Base document: http://cgi.omg.org/pub/csiv2-ftf/csiv2-031401.pdf [1] Add the following new para after para 140, A TSS shall set the stateful bit to FALSE in the CompoundSecMechList structure of IORs corresponding to target objects at which it will not accept reusable security contexts. Actions Taken:
Actions taken:
May 30, 2001: received issue
October 3, 2001: closed issue
Discussion: the thing that is missing in the doc, is that we do not currently have anything that says a TSS is required to set the stateful bit. [99] A TSS that supports stateful contexts may negotiate a request to establish a stateful context to a stateless context in order to preserve resources. It may do so only if it does not already have an established matching stateful context. [100] Conversely, a stateful TSS that has negotiated a request to stateless may respond statefully to a subsequent context with the same (non-zero) client_context_id. We have a description of what the bit means (in para 140) which focuses on what a TRUE value means. Perhaps you are saying that we need a description of what a FALSE value means. My sense is that the FALSE semantics are clear enough. [140] A value of TRUE in the stateful field of the CompoundSecMechList structure indicates that the target supports the establishment of stateful or reusable SAS contexts. This field is provided to assist clients in their selection of a target that supports stateful contexts. It is also provided to sustain implementations that serialize stateful context establishment on the client side as a means to conserve precious server-side authentication capacity.10 10.This serialization is only done when an attempt is being made to establish a stateful context. The last part of 140 says that if the stateful bit is true, some CSS implementations will not send multiple concurrent requests to establish the same stateful context. This design changes the multithreaded nature of the client app (for the round-trip time of one request) in exchange for not wasting the resources of the TSS. What it really says is that the serialization is acceptable if it only occurs when the bit is true, as one way or another, multiple requests should be serialized until the stateful context is established. In one design the serialization happens at the CSS, and in the other (if it occurs, it is done) at the TSS. This hint, was strongly argued for, because without it CSS side serialization would be at a disadvantage because it would happen in too many cases where it could come to no benefit. We have decided to let the (stateful) conformance statements stand as they are written. Resolution:
Issue 4330: How to Partition the AuthorizationElementType regarding vendor extensions (csiv2-ftf)
Click here for this issue's archive.
Source: Oracle (Mr. Ron Monzillo, ronald.monzillo(at)east.sun.com)
Nature: Uncategorized Issue
Severity:
Summary: We should define how the namespace of AuthorizationElementType identifiers (used in authorization tokens) is to be partitioned so that individual vendors have some identifiers reserved for their use (i.e. the definition of vendor specific type identifiers).
Resolution: Close issue with revised text.
Revised Text: base document: http://cgi.omg.org/pub/csiv2-ftf/csiv2-031401.pdf [1] add the definition of the OMG VMCID constant to section 16.9.3 Module CSI (Note that this change was also proposed as part of the resolution to issue 4268). // The OMG VMCID; same value as CORBA::OMGVMCID. Do not change ever. const unsigned long OMGVMCID = 0x4F4D0; [2] Add two new paragraphs following para 32. The high order 20-bits of each AuthorizationElementType constant shall contain the Vendor Minor Codeset ID (VMCID) of the organization that defined the element type. The low order 12 bits shall contain the organization-scoped element type identifier. The high-order 20 bits of all element types defined by the OMG shall contain the VMCID allocated to the OMG (that is, 0x4F4D0). Organizations must register their VMCIDs with the OMG before using them to define an AuthorizationElementType. [3] Add the following comment in front of the definition of the AuthorizationElementType in section 16.9.3 Module CSI // The high order 20-bits of each AuthorizationElementType constant // shall contain the Vendor Minor Codeset ID (VMCID) of the // organization that defined the element type. The low order 12 bits // shall contain the organization-scoped element type identifier. The // high-order 20 bits of all element types defined by the OMG shall // contain the VMCID allocated to the OMG (that is, 0x4F4D0). [4] change the defintion of the X509AttributeCertChain constant in a. the IDL following para 32 b. in section 16.9.3 Module CSI to: const AuthorizationElementType X509AttributeCertChain = OMGVMCID | 1; [5] remove the definition of the ORGVMCID constant and accompanying comment from: a. the IDL following para 147 (what was the first para following the heading struct SAS_ContextSec) b. section 16.9.4 Module CSIIOP that is, remove the following: // The OMG VMCID; same value as CORBA::OMGVMCID. Do not change ever. const unsigned long OMGVMCID = 0x4F4D0; [6] change the defintion of the ServiceConfigurationSyntax constants in a. the IDL following para 147 (what was the first para following the heading struct SAS_ContextSec) b. in section 16.9.4 Module CSIIOP to: const ServiceConfigurationSyntax SCS_GeneralNames = CSI::OMGVMCID | 0; const ServiceConfigurationSyntax SCS_GSSExportedName = CSI::OMGVMCID | 1;
Actions taken:
June 1, 2001: received issue
October 3, 2001: closed issue
Discussion: The resolution to Issue 4268 (How to Partition the ServiceConfiguration syntax space to support vendor specific extensions) should be applied to the AuthorizationElementType identifier. This resolution also corrects an error in the resolution to issue 4268 as described in items 5 and 6. It consists mainly of declaring the OMGVMCID constant in the CSI module instead of in the CSIIOP module as was originally done in the resolution for 4268.