Issue 718: SSL/CORBA-How does client choose to use SSL? (sec-rev)

Source: International Business Machines (Mr. Leo Uzcategui, leou@us.ibm.com)
Nature: Uncategorized
Severity:
Summary: Was intent for the AssociationOption, target_requires, to be the only determining factor for the client to use when making the decision to use SSL? (orbos/97-02-04 1st sentence, last para, p.6)
Resolution: same as issue 714---closed
Revised Text:
Actions taken:
August 27, 1997: received issue
April 17, 1998: closed issue

Discussion:

End of Annotations:=====

From: John Buslawski
Cc: Leo Uzcategui, Bob Blakley
Subject: SSL/CORBA - How does the client choose to use SSL?
Date: Wed, 27 Aug 1997 15:49:43 -0400

In the RFP Submission, SSL/CORBA Security (orbos/97-02-04), the first sentence of the last paragraph on page 6 states, "The Port field contains the port number to be used instead of the port defined in the accompanying IIOP profile body if SSL is selected by the client." The final part of this sentence is a little vague and it's not clear if this was intentional.

What criteria does the client use when choosing to use SSL? Was the intent for the AssociationOption, target_requires, to be the only determining factor for the client to use when making the decision to use SSL? For instance, if target_requires equals NoProtection then the client would use the port number defined in the IIOP profile body to create a non-SSL connection. If target_requires equals Integrity or Confidentiality then the port number defined in the SSL TAG would be used to create an SSL connection. (I'm assuming that DetectReplay and DetectMisordering are no-ops since the SSL protocol does this already.)

Or was the intent to allow the client to use other criteria, in addition to the SSL TAG, for creating SSL and non-SSL connections?

John Buslawski - johnbu@us.ibm.com
IBM - Zip 9640, 11400 Burnet Rd., Austin, Tx. 78758
Phone: (512) 838-1104 T/L 678-1104

Sender: jis@fpk.hp.com
Date: Thu, 11 Sep 1997 15:32:25 -0400
From: Jishnu Mukerji
Organization: Hewlett-Packard New Jersey Labs
To: Juergen Boldt
Cc: issues@omg.org, sec-rev@omg.org
Subject: Re: issue718
References: <3.0.32.19970911131846.00a72ecc@emerald.omg.org>

Juergen Boldt wrote:
>
> This is issue# 718
>
> SSL/CORBA-How does client choose to use SSL?
>
> Was intent for the AssociationOption, target_requires, to be the
> only determining factor for the client to use when making the
> decision to use SSL? (orbos/97-02-04 1st sentence, last para, p.6)
>

This is what it says in the CORBAsecurity spec about target_supports and target_requires in AssociationOptions:

"target_supports - gives the functionality supported by the target.
target_requires - defines the minimum that the client must use when invoking the target, although it may use additional functionality supported by the target."

So it is definitely a major determinant. However, there are other determinants like whether the client is capable of doing SSL or not. In general the client is supposed to select one of the (potentially several) TAG_*_SEC_[MECH, TRANS] that appear in the IOR of the target object, based on the AssociationOptions that these are capable of supporting, the target_requires set of AssociationOptions, and the set of mechanisms available to the client. Sometimes the set of acceptable mechanisms may be the null set.

Hope that helps.

Jishnu.
--
Jishnu Mukerji
Systems Architect
Open Systems Software Division
Email: jis@fpk.hp.com
Hewlett-Packard New Jersey Labs
Tel: +1 973 443 7528
MS D283, 180 Park Ave., Bldg. 103
Fax: +1 973 443 7602
Florham Park, NJ 07932-9998, USA
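
The client-side choice discussed in the thread above, as an added example that is not code from the thread, the submission or any ORB. The names SSLComponent and choose_connection are hypothetical, the AssociationOptions bit values follow the CORBA Security IDL, and preferring SSL whenever both transports are acceptable is an assumed client policy.

```python
from dataclasses import dataclass
from enum import IntFlag
from typing import Optional, Tuple


class AssocOpt(IntFlag):
    """AssociationOptions bits (values as in the CORBA Security IDL)."""
    NoProtection = 1
    Integrity = 2
    Confidentiality = 4
    DetectReplay = 8
    DetectMisordering = 16
    EstablishTrustInTarget = 32
    EstablishTrustInClient = 64


PROTECTION_BITS = 0x7E  # every option except NoProtection


@dataclass(frozen=True)
class SSLComponent:
    """Hypothetical stand-in for the SSL tag carried in the target's IOR."""
    port: int
    target_supports: AssocOpt
    target_requires: AssocOpt


def choose_connection(iiop_port: int, ssl: Optional[SSLComponent],
                      client_ssl_caps: AssocOpt,
                      client_requires: AssocOpt) -> Optional[Tuple[str, int]]:
    """Return (transport, port), or None when no acceptable mechanism exists."""
    # Without an SSL tag the target states no minimum beyond NoProtection.
    target_requires = ssl.target_requires if ssl else AssocOpt.NoProtection
    # Minimum for this invocation: the target's minimum plus the client's policy.
    need = int(target_requires | client_requires) & PROTECTION_BITS
    if ssl and client_ssl_caps:
        # Options both the target and the client's SSL stack can provide.
        usable = int(ssl.target_supports & client_ssl_caps)
        if (need & ~usable) == 0:
            return ("SSL", ssl.port)   # port taken from the SSL tag
    if need == 0:
        return ("IIOP", iiop_port)     # port taken from the IIOP profile body
    return None                        # the "null set" of acceptable mechanisms
```

A None result means the client refuses to connect instead of falling back to the unprotected IIOP port.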