OASIS ebXML Messaging Services TC

 View Only
  • 1.  Secure MSH pulling

    Posted 09-03-2005 02:48
     MHonArc v2.5.0b2 -->
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    

    ebxml-msg message

    [Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


    Subject: Secure MSH pulling


    As discussed in last conf call, after review and updates with Hamid,

    here is a proposal for Secure pulling, which does not require introduction of

    new concepts such as MSH Id.

    Although the text uses RFC2119 keywords, it does not pretend to be even close to final...

    (still rough, several points need be verified / tighten-up - and how this would split between the core Pull section and the Security section is TBD.)

    Jacques

    1. Security of Pull mode (authentication / authorization)

    - A Sending MSH MUST be able to authenticate a Receiving MSH that sends a PullRequest.

    MSH support for this feature is a requirement, though its use is optional.

    Authentication MUST be achieved in a way that does not depend on the parties that

    may be using this MSH.

    In other words, authentication of a Receiving MSH must be possible regardless of the

    security requirements specific to the parties using this MSH. For example, even if these

    parties decide to not use any security for exchanging messages - this could be indicated

    by a CPA - it may be decided that the Receiving MSH they use still needs be authenticated

    when doing pulling, like when sending any other MSH-level signal.

    (it must be reminded that several parties with different security requirements,

    may share a same MSH.)

    - When authentication is required for a particular Receiving MSH, it is RECOMMENDED

    that the Sending MSH uses persistent security.

    In case a Receiving MSHs is not able to use persistent security based on XML signatures,

    a password-based authentication MAY be used, e.g. as in the HTTP Basic Access Authentication

    scheme [RFC2617]. In that case a secure communication protocol SHOULD be used.

    If a CPA is used that defines an MSH DeliveryChannel for MSH signals sent from Receiving MSH

    to Sending MSH, and when a secure Pull mode is required, then the tp:Transport element [CPPA2.1] referred to by this MSH DeliveryChannel MUST contain enough information to

    support the authentication of the Receiving MSH, e.g. by enabling signatures.

    The tp:Transport element MUST include a tp:EndPoint element that matches the Sending MSH

    endpoint, with type attribute = "allPurpose".

    - The PullRequest signal MUST contain an EndPoint element similar to the tp:EndPoint element

    defined in the tp:Transport element [CPPA2.1].

    The uri attribute of this element MUST uniquely identify the Receiving MSH, among all

    the Receiving MSHs that may also send PullRequest signals to the same destination. 

    When persistent authentication based on signatures is used, a detached, WSS-compliant signature

    [WSS] SHALL be used to sign the EndPoint element so that the integrity of this element is also

    guarateed.

    Further requirements are described in more details in the Security module.

    - The processing of a received PullRequest by a Sending MSH is authorized based on

    internal information that the Sending MSH maintains, that associates a list of

    endpoint information about pre-authorized Receiving MSHs, with the queues these are

    allowed to pull from.

    2- Operational Context and scenarios (for illustration)

    - When pulling is enabled between a Sending MSH and a Receiving MSH, messages submitted

    to the former MUST be pulled by the latter according to a FIFO policy, effectively

    achieving a queuing behavior. This queuing behavior between Sending MSH and Receiving MSH

    is abstractly referred to as the S-R-queue. No assumption is made on the

    implementation of the S-R-queue.

    - A Sending MSH MUST associate a received PullRequest signal with an S-R-queue by matching

    the tp:Endpoint in the PullRequest with the endpoint info of the Receiving MSH associated with

    this S-R-queue.

    - A message that is submitted to the Sending MSH and intended to a Receiving MSH for which pulling

    is enabled, MUST be put in the related S-R-queue only under the following conditions:

    (a) the transport attributes associated with this message - e.g. as defined in the CPA between

    the parties exchanging this message - are compatible with the transport

    attributes defined for PullRequest signals going the other way - e.g. as defined by the

    MSH DeliveryChannel of a CPA. If that were not the case, an error MUST be raised for this message.

    Configuration scenario:

    o A Receiving MSH is configured with the endpoint info of every Sending MSH that it is

    authorized to pull messages from. Such endpoint info may be described in the Transport element

    associated with the Default MSH DeliveryChannel of a CPA.

    o Similarly, a Sending MSH is configured with the endpoint info of every Receiving MSH that

    is authorized for pulling.

    Run-time scenario:

    o The Receiving MSH sends a PullRequest to a Sending MSH.

    o The Sending MSH associates this PullRequest with the claimed Receiving MSH endpoint,

    and therefore with the claimed S-R-queue. It authenticates the "pulling" endpoint as

    specified for this S-R-queue, typically by validating the signature using the certificate

     associated with the MSH-level transport.

    o The Sending MSH sends back the next message in the S-R-queue over the transport response,

    applying the QoS and security required by teh communication between these two parties,

    e.g. as defined in the DeliveryChannel element of their CPA.



    [Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]