Issue 714: SSL/CORBA-How does client choose to use SSL? (sec-rev)

Source: (, )
Nature: Uncategorized
Severity:
Summary: What criteria does client use when choosing to use SSL? Was intent for AssociationOption, target_requires to be only determining factor for client decision to use SSL?
Resolution: Close issue 714: SSL/CORBA-How does client choose to use SSL
Revised Text:
Actions taken:
August 27, 1997: received issue
April 20, 1999: closed issue

Discussion: We agreed to close this issue because the current state of the specification (RTF 1.5) allows for this capability.

End of Annotations:=====

From: John Buslawski
Cc: Leo Uzcategui, Bob Blakley
Subject: SSL/CORBA - How does the client choose to use SSL?
Date: Wed, 27 Aug 1997 15:49:43 -0400

In the RFP Submission, SSL/CORBA Security (orbos/97-02-04), the first sentence of the last paragraph on page 6 states, "The Port field contains the port number to be used instead of the port defined in the accompanying IIOP profile body if SSL is selected by the client." The final part of this sentence is a little vague and it's not clear if this was intentional.

What criteria does the client use when choosing to use SSL? Was the intent for the AssociationOption, target_requires, to be the only determining factor for the client to use when making the decision to use SSL?

For instance, if target_requires equals NoProtection then the client would use the port number defined in the IIOP profile body to create a non-SSL connection. If target_requires equals Integrity or Confidentiality then the port number defined in the SSL TAG would be used to create an SSL connection. (I'm assuming that DetectReplay and DetectMisordering are no-ops since the SSL protocol does this already.)

Or was the intent to allow the client to use other criteria, in addition to the SSL TAG, for creating SSL and non-SSL connections?

John Buslawski - johnbu@us.ibm.com
IBM - Zip 9640, 11400 Burnet Rd., Austin, Tx.
78758 Phone: (512) 838-1104 T/L 678-1104

Date: Wed, 27 Aug 1997 14:53:23 -0700
From: smalladi@smalladi-sun.us.oracle.com (Sastry Malladi)
To: johnbu@us.ibm.com
Subject: Re: Fwd: SSL/CORBA - How does the client choose to use SSL?
Cc: dbrower@smalladi-sun.us.oracle.com, sec_rev@omg.org, smalladi@smalladi-sun.us.oracle.com

You are right. It's not clearly specified. However, one way to interpret and implement that (that's what we are doing) is that: if the target object wishes to support both secure and non-secure (NoProtection) client requests, it has to put TWO profiles in the IOR; one plain IIOP profile with a listening port #, and a second IIOP profile with SSL tag. The listening port # in SSL case would be the one inside the SSL tag. The client may choose either one depending on how it wants to initiate the request.

Sastry
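
The port-selection rule debated in this thread, written out as an added example (not text from the submission and not code from either correspondent). It follows the reading in which target_requires drives the choice, and adds a client-side requirement as the "other criteria" the question raises, so the client refuses to connect instead of silently falling back to the plain IIOP port. The `SslTag` and `Profile` classes, the flag bit positions, the ports and the `choose_endpoint` name are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntFlag, auto
from typing import Optional, Tuple

class AssociationOptions(IntFlag):
    # Names are the ones used in the thread; bit positions here are illustrative.
    NoProtection = auto()
    Integrity = auto()
    Confidentiality = auto()
    DetectReplay = auto()
    DetectMisordering = auto()

PROTECTED = AssociationOptions.Integrity | AssociationOptions.Confidentiality

@dataclass
class SslTag:  # hypothetical model of the SSL tag carried in the IOR
    target_supports: AssociationOptions
    target_requires: AssociationOptions
    port: int  # the Port field quoted from orbos/97-02-04

@dataclass
class Profile:  # hypothetical model of one IIOP profile
    iiop_port: int                 # port in the IIOP profile body
    ssl: Optional[SslTag] = None   # None: no SSL tag present

def choose_endpoint(profile: Profile,
                    client_requires: AssociationOptions = AssociationOptions.NoProtection
                    ) -> Tuple[str, int]:
    """Return (transport, port); raise rather than fall back to plain IIOP."""
    needed = client_requires & PROTECTED  # client policy is an assumed extra criterion
    tag = profile.ssl
    if tag is None:
        if needed:
            raise ConnectionRefusedError("protection required, no SSL tag in profile")
        return ("iiop", profile.iiop_port)
    if (needed & tag.target_supports) != needed:
        raise ConnectionRefusedError("target does not support the required protection")
    if needed or (tag.target_requires & PROTECTED):
        return ("ssl", tag.port)   # Port field replaces the profile-body port
    return ("iiop", profile.iiop_port)  # target_requires is NoProtection only

# Constructed sample profiles (ports are made up).
PLAIN_ONLY = Profile(iiop_port=2809)
SSL_ONLY = Profile(2809, SslTag(PROTECTED, AssociationOptions.Integrity, 2810))
BOTH = Profile(2809, SslTag(PROTECTED | AssociationOptions.NoProtection,
                            AssociationOptions.NoProtection, 2810))

if __name__ == "__main__":
    for name, p in (("plain", PLAIN_ONLY), ("ssl", SSL_ONLY), ("both", BOTH)):
        print(name, choose_endpoint(p))
```
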