W3C home > Mailing lists > Public > www-xkms-ws@w3.org > November 2001

Summary of some security and robustness issues

From: Hallam-Baker, Phillip <pbaker@verisign.com>
Date: Tue, 27 Nov 2001 14:44:18 -0800
Message-ID: <2F3EC696EAEED311BB2D009027C3F4F405869889@vhqpostal.verisign.com>
To: "'www-xkms-ws@w3c.org'" <www-xkms-ws@w3c.org>
WRT the ongoing discussion, attached is an attempt to set out the arguments
on security, deadlock etc. in a broader fashion.
 
In response to Mike Just's point on the TransactionID, yes we should add in
a <Respond> tag, actually if we are to align with SAML that would become the
<RespondWith> element (people thought the name confussing there it is
probably less so if the protocols agree on a common useage).
 
Clearly it should not be necessary to add in <transactionID> unless the
requestor absolutely does not want a cached response
 
See also the discussion in the paper on the use of deferred authentication
in the paper, If I sign the request with an SHA-1 then I could check for the
same value in the response (assuming I am not using cached data).
 
Basically what the paper comes down to is that you have to be quite carefull
about the decision to support caching, the costs of implementation rise
significantly. It may well be that many XKMS client applications will not
benefit from non-repudiation on responses because they don't have the
archival store, consequently such applications should probably be using an
XKASS key agreement and HMAC authentication approach and thus the need for
caching the response tokens pretty much goes away.
 
That is not to say that FORWARDING of XKMS tokens will not be really useful
in applications like payement schemes where there is the support for
non-repudiation etc.
 
        Phill



Received on Tuesday, 27 November 2001 17:44:01 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 13:51:42 EDT