W3C home > Mailing lists > Public > www-xkms@w3.org > March 2002

Re: Proposed new schema

From: Yassir Elley <yassir.elley@sun.com>
Date: Thu, 28 Mar 2002 14:37:52 -0500
Message-ID: <3CA3710F.9B7EDFE9@sun.com>
To: "Hallam-Baker, Phillip" <pbaker@verisign.com>
CC: www-xkms@w3.org
A few comments on the schema:

1) REPLACE
<element name="RespondWith" type="QName"/>
WITH
<element name="RespondWith" type="RespondWithEnumType"/>

2) REPLACE
<complexType name="ResultAbstractType" abstract="true">
  ...
    <attribute name="ResultMinor" type="QName" use="required"/>
  ...
 </complexType>
WITH
<complexType name="ResultAbstractType" abstract="true">
  ...
    <attribute name="ResultMinor" type="xkms:MinorResultCodeEnumType" use="required"/>
  ...
 </complexType>

3) Now that we have added TransactionID as an attribute of MessageAbstractType,
we should get rid of it as an attribute of KeyBindingType. We should also get rid of:
<element name="TransactionID" type="string"/>

4) What is the purpose of the "ID" attribute which is part of KeyBindingType.
Can we get rid of this now:
<attribute name="ID" type="ID" use="optional"/>

-Yassir.

"Hallam-Baker, Phillip" wrote:

> All,
>
>         Attached is a somewhat revised schema, the major changes are:
>
> 1) Use of Qnames for all enumerated items
>         I am somewhat uncertain of the application of the Qnames mechanism,
> for example should we link to the qnames defined in other specs, should we
> use our own enumeration, how does the extension mechanism work? In general
> the case we have is that we want to define a set of basic codes but allow
> for extensibility.
>
> 2) Message abstract type introduced
>         This is the point where we define the transaction ID, signature
> semantics etc. It is also the place where we should have a description of
> the abstract processing semantics when using payload security.
>
> 3) Reason code moved to Keybinding
>         where is bellonged (see earlier message)
>
> Some open issues
>
> 1) The Pending Response.
>         The client should have a mechanism for stating that it will accept a
> pending response. [NB this will absorb even more of Bulk into XKMS]. I
> suggest a RespondWith Qname Pending.
>
>         If the client proposes Pending then IMHO there should be an optional
> mechanism to specify a notification mechanism on completion (c.f. the AST
> mechanism of VMS which was the main reason the VMS systems consistently beat
> UNIX systems on transaction processing benchmarks even with slower
> hardware). This needs to be essentially open as we don't really want to have
> to specify the notification protocol, and in many cases this will be
> something like an email message is sent. I suggest something like a
> method/port pair of URIs similar to what we do in UseKeyWith.
>
>         Introducing this section would allow closure of many of the
> questions pending on pending.
>
> 2) Precise signing profile
>         I believe that what we want to specify is that the signature is
> enveloped and that the scope is the entire message node with the exception
> of the signature itself.
>
> 3) Denial of Service Protection / Replay attack
>         Do we need to consider these?
>
>         If we do I think we need to introduce an optional 2 phase protocol
> as follows (looking at the Client FSM):
>
> State Initial
>         Transition !Request Waiting
>                 // Send out initial request to service
>                 // Go to state Waiting
>
> State Waiting
>         Transition ?Response.Complete Completed
>                 // Service is not in DoS state and does not care
>                 // about replay attack
>         Transition ?Response.Represent Represent
>                 // Service requires the request to be represented
>                 // together with an authentication nonce
>         Transition ?ANY Fail
>
> State Represent
>         Transition !Request Waiting
>                 // Represent request to service together with nonce
>
> State Waiting2
>         Transition ?Response.Complete Completed
>         Transition ?ANY Fail
>
> State Completed
>         Terminal
>                 // We Won 8=)
>
> State Fail
>         Terminal
>                 // We Lost :-(
>
> The nonce is cryptographically bound to the request so that the service can
> quickly determine if the nonce presented is valid and corresponds to the
> given request (cf JFK).
>
> Ideally the nonce would be bound into the represented request.
>
> Looking to the future this is exactly the type of facility that we would
> want to see bound into the Web Services security layer and into WSDL.
>
> I would like the WSDL to tell me the following facts about the service
> 1) The public key of the service
> 2) The encapsulation formats the service supports
>         [e.g. ws-security, TLS, IPSEC, payload etc.)
> 3) If a key agreement service is available / must be used
> 4) If 2 phase DoS protection is available / must be used
>         the level of authentication required on the 1st, second message
>
> If I know in advance that the service is definitely going to do DoS
> protection then I probably don't want to send a signature on the first
> request, in fact I might only want to send a hash of the request.
>
> Clearly this level of protection is something that we might say should be
> pushed down into the XP/SOAP layer and can be defered. It would certainly be
> simpler to deal at that level since it would be easier to do this type of
> processing with a detached signature in a SOAP header. That way the
> signature can consist of a pretty simple manifest with clean semantics and
> not need to worry about the complexity of enveloped processing.
>
> On the other hand folk might reasonably expect XKMS to provide for DoS and
> Replay attack protection.
>
>                 Phill
>
> Phillip Hallam-Baker FBCS C.Eng.
> Principal Scientist
> VeriSign Inc.
> pbaker@verisign.com
> 781 245 6996 x227
Received on Thursday, 28 March 2002 14:43:48 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:31:38 UTC