
CSIV2 — CSIv2 Protocol

  • Key: CSIV2-1
  • Legacy Issue Number: 3906
  • Status: closed
  • Source: Syracuse University ( Polar Humenn)
  • Summary:

    Issue on Document orbos/2000-08-04, CSIv2 Joint Submission:

    Document: orbos/2000-08-04 CSIv2 Joint Submission
    Subject: Protocol and IOR incompatibilities for Identity Assertion
    Severity: Critical

    Summary:

    The CSIv2 protocol is too vague on acceptance of identity tokens.
    This yields an unneeded and unwarranted complexity in implementations.
    Vague protocols are not a good idea. They limit interoperability.

    Discussion:

    In the IOR, the CSIv2 protocol states a list of OIDs signifying the
    acceptable forms of an IdentityToken delivered by the client. This list of
    acceptable name forms is stated only to apply to GSS_NT_ExportedName
    types. There are no OIDs signifying that an X.501 DN or X.509 Public Key
    Certificate are acceptable.

    It seems that the specification is written so that both X.501 DNs and
    X.509 Certificate chains are always acceptable. This requirement would
    cause all clients to send only X.501 DNs or X.509 Certificate Chains,
    regardless of the server listing its acceptable name types. Also, there is
    no indication of which of an X.501 DN or X.509 Public Key Certificate
    Chain is desirable. This is vague.

    It is completely unwarranted to tell all CSI mechanisms that they must
    support X.509 DNs or X.509 Certificate chains. These name forms may not be
    relevant to the mechanism at all. The mechanism may not support public key
    technology, have facility for verification of certificates, may not be
    able to parse X.501 DNs or X.509 Certificate Chains, and furthermore, but
    not least, the security mechanism may not know what to do with it. One
    example might be a TCPIP CSI mechanism that only wants to accept
    Kerberos principal names, Unix user names, or NT user names. DNs or
    Certificate Chains are irrelevant.

    With that in mind, a client should not be allowed to send the server an
    X.509 certificate chain or an X.501 DN. Those name forms are not
    acceptable to the server.

    The easiest way around this problem is to allocate OIDs under the OMG OID
    that signify the acceptance of each of the X.509 DNs and X.509 Public Key
    Certificate chains. Servers that accept X.501 DNs and X.509 Public Key
    Certificate chains for identity assertion shall list the appropriate OIDs
    in the IOR.

  • Reported: CSIv2 1.0b1 — Wed, 20 Sep 2000 04:00 GMT
  • Disposition: Resolved — CSIv2 1.0
  • Disposition Summary:

    Apply revised text and close issue

  • Updated: Fri, 6 Mar 2015 20:58 GMT
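The negotiation the issue argues for, as an added example that is not part of the issue text or of the CSIv2 specification: the target advertises in its IOR component the OIDs of every identity name form it accepts, the client sends only an advertised form, and the target rejects anything else instead of treating X.501 DNs and X.509 certificate chains as always acceptable. The GSS exported name encoding and the Kerberos name-type OID are real; the two OIDs standing in for "X.501 DN accepted" and "X.509 certificate chain accepted" under the OMG arc are placeholders chosen for this example, since the issue only asks that such OIDs be allocated. The IdentityToken dataclass, the IOR component tuple and the sample tokens are constructed stand-ins, not the spec's IDL types.

```python
"""Added example (not CSIv2 spec text or code from the issue): model of an
identity-assertion negotiation where the IOR's acceptance list is
authoritative for every identity token form, not only GSS exported names."""
from dataclasses import dataclass
import struct

OID_KRB5_PRINCIPAL = "1.2.840.113554.1.2.2.1"   # real GSS_KRB5_NT_PRINCIPAL_NAME arc
# PLACEHOLDER values for the OIDs the issue proposes be allocated under the OMG
# arc (2.23.130); they are example assumptions, not registered assignments.
OID_X501_DN_ACCEPTED = "2.23.130.999.1"
OID_X509_CHAIN_ACCEPTED = "2.23.130.999.2"


def der_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID: tag 0x06, length, base-128 subidentifiers."""
    arcs = [int(a) for a in dotted.split(".")]
    subids = [40 * arcs[0] + arcs[1]] + arcs[2:]
    body = bytearray()
    for v in subids:
        groups = [v & 0x7F]              # last group carries no continuation bit
        v >>= 7
        while v:
            groups.append(0x80 | (v & 0x7F))
            v >>= 7
        body += bytes(reversed(groups))
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(der: bytes) -> str:
    """Inverse of der_oid; rejects malformed or unterminated encodings."""
    if len(der) < 3 or der[0] != 0x06 or der[1] != len(der) - 2 or der[-1] & 0x80:
        raise ValueError("malformed DER OID")
    subids, acc = [], 0
    for b in der[2:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(acc)
            acc = 0
    top = 2 if subids[0] >= 80 else subids[0] // 40
    return ".".join(str(x) for x in [top, subids[0] - 40 * top] + subids[1:])


def export_name(mech_oid: str, name: bytes) -> bytes:
    """RFC 2743 3.2 exported name token: 04 01 | len16 | DER OID | len32 | name."""
    oid = der_oid(mech_oid)
    return b"\x04\x01" + struct.pack(">H", len(oid)) + oid + struct.pack(">I", len(name)) + name


def parse_exported_name(blob: bytes) -> tuple[str, bytes]:
    """Parse an exported name token into (mechanism OID, name bytes), length-checked."""
    if len(blob) < 8 or blob[:2] != b"\x04\x01":
        raise ValueError("not a GSS exported name token")
    (oid_len,) = struct.unpack(">H", blob[2:4])
    oid_end = 4 + oid_len
    if len(blob) < oid_end + 4:
        raise ValueError("truncated exported name token")
    (name_len,) = struct.unpack(">I", blob[oid_end:oid_end + 4])
    name = blob[oid_end + 4:oid_end + 4 + name_len]
    if len(name) != name_len or len(blob) != oid_end + 4 + name_len:
        raise ValueError("exported name length mismatch")
    return decode_oid(blob[4:oid_end]), name


@dataclass(frozen=True)
class IdentityToken:
    """Constructed stand-in for the CSIv2 IdentityToken union."""
    form: str    # "exported_name", "x501_dn" or "x509_cert_chain"
    data: bytes


def token_name_type(tok: IdentityToken) -> str:
    """Map every token form to one acceptance OID so one IOR list covers all."""
    if tok.form == "exported_name":
        return parse_exported_name(tok.data)[0]
    if tok.form == "x501_dn":
        return OID_X501_DN_ACCEPTED
    if tok.form == "x509_cert_chain":
        return OID_X509_CHAIN_ACCEPTED
    raise ValueError(f"unknown identity token form {tok.form!r}")


def client_select_token(advertised: tuple, candidates: list):
    """Client side: offer only a form the target's IOR component advertises."""
    for tok in candidates:
        if token_name_type(tok) in advertised:
            return tok
    return None


def target_accept(advertised: tuple, tok: IdentityToken) -> str:
    """Target side: the advertised list is authoritative for every form."""
    name_type = token_name_type(tok)
    if name_type not in advertised:
        raise PermissionError(f"identity token form {name_type} not advertised in IOR")
    return name_type


if __name__ == "__main__":
    # A target that wants only Kerberos principal names, as in the issue's example.
    ior_accepts = (OID_KRB5_PRINCIPAL,)
    candidates = [IdentityToken("x509_cert_chain", b"<constructed cert chain>"),
                  IdentityToken("x501_dn", b"<constructed DN>"),
                  IdentityToken("exported_name", export_name(OID_KRB5_PRINCIPAL, b"alice@EXAMPLE.COM"))]
    chosen = client_select_token(ior_accepts, candidates)
    print("client sends", chosen.form, "->", target_accept(ior_accepts, chosen))
    try:
        target_accept(ior_accepts, candidates[1])
    except PermissionError as err:
        print("target rejects:", err)
```

The point of routing DN and certificate-chain tokens through the same OID check as exported names is that a target which never listed them (the TCPIP-only mechanism in the issue) never has to parse or verify them; the rejection happens on the advertised list before any X.500 or certificate handling is reached.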