wsi    

Basic Security Profile Version 1.0 (2007-03-30) Errata

Candidate Board Approval Draft

Revision: 1.0

Date: 2009/12/14

This version:

            http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0-errata.html

Latest version:

            http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0-Errata.htm

Editors:

Administrative contact:

secretary@ws-i.org


Abstract

This document contains the set of published errata against the WS-I Basic Security Profile 1.0 (2007-03-30).

Status of this Document

This is a candidate Board Approval Draft (BdAD) specification for Errata for the Basic Security Profile, Final Material.

Notice

The material contained herein is not a license, either expressly or impliedly, to any intellectual property owned or controlled by any of the authors or developers of this material or WS-I. The material contained herein is provided on an "AS IS" basis and to the maximum extent permitted by applicable law, this material is provided AS IS AND WITH ALL FAULTS, and the authors and developers of this material and WS-I hereby disclaim all other warranties and conditions, either express, implied or statutory, including, but not limited to, any (if any) implied warranties, duties or conditions of merchantability, of fitness for a particular purpose, of accuracy or completeness of responses, of results, of workmanlike effort, of lack of viruses, and of lack of negligence. ALSO, THERE IS NO WARRANTY OR CONDITION OF TITLE, QUIET ENJOYMENT, QUIET POSSESSION, CORRESPONDENCE TO DESCRIPTION OR NON-INFRINGEMENT WITH REGARD TO THIS MATERIAL.

IN NO EVENT WILL ANY AUTHOR OR DEVELOPER OF THIS MATERIAL OR WS-I BE LIABLE TO ANY OTHER PARTY FOR THE COST OF PROCURING SUBSTITUTE GOODS OR SERVICES, LOST PROFITS, LOSS OF USE, LOSS OF DATA, OR ANY INCIDENTAL, CONSEQUENTIAL, DIRECT, INDIRECT, OR SPECIAL DAMAGES WHETHER UNDER CONTRACT, TORT, WARRANTY, OR OTHERWISE, ARISING IN ANY WAY OUT OF THIS OR ANY OTHER AGREEMENT RELATING TO THIS MATERIAL, WHETHER OR NOT SUCH PARTY HAD ADVANCE NOTICE OF THE POSSIBILITY OF SUCH DAMAGES.

Feedback

The Web Services-Interoperability Organization (WS-I) would like to receive input, suggestions and other feedback ("Feedback") on this work from a wide variety of industry participants to improve its quality over time.

By sending email, or otherwise communicating with WS-I, you (on behalf of yourself if you are an individual, and your company if you are providing Feedback on behalf of the company) will be deemed to have granted to WS-I, the members of WS-I, and other parties that have access to your Feedback, a non-exclusive, non-transferable, worldwide, perpetual, irrevocable, royalty-free license to use, disclose, copy, license, modify, sublicense or otherwise distribute and exploit in any manner whatsoever the Feedback you provide regarding the work. You acknowledge that you have no expectation of confidentiality with respect to any Feedback you provide. You represent and warrant that you have rights to provide this Feedback, and if you are providing Feedback on behalf of a company, you represent and warrant that you have the rights to provide Feedback on behalf of your company. You also acknowledge that WS-I is not required to review, discuss, use, consider or in any way incorporate your Feedback into future versions of its work. If WS-I does incorporate some or all of your Feedback in a future version of the work, it may, but is not obligated to include your name (or, if you are identified as acting on behalf of your company, the name of your company) on a list of contributors to the work. If the foregoing is not acceptable to you and any company on whose behalf you are acting, please do not provide any Feedback.

Feedback on this document should be directed to wsi_secprofile_comment@mp.ws-i.org.


Table of Contents

Basic Security Profile Version 1.0 (2007-03-30) Errata. 1

Errata for Basic Security Profile 1.0. 3

Section 14.2, SecurityTokenReference, Kerberos Token. 3

Section 12.2.4, DName Encoding Rules Update for XML Signature. 4

Correct Error in SAML Token Profile for AssertionIDReference. 5

Section 2.2, Delete Namespace Prefix for samlp. 5

Section 15.2.3, Correct Case for AssertionIDReference. 5

Section 15.2.3, Explanation of SAML Token Profile Error 6

Error in WS-I Template for Basic Security Profiles. 6

Appendix A: Referenced Specifications. 6

Errata for Basic Security Profile 1.0

Section 14.2, SecurityTokenReference, Kerberos Token

Replace existing second valid example in Section 14.2.

Existing text/example:

CORRECT:

<!-- This example is correct for any SECURE_ENVELOPE after the initial SECURE_ENVELOPE of an authenticated message exchange.  -->

<wsse:Security xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'

               xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'

               xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'

               xmlns:ds='http://www.w3.org/2000/09/xmldsig#' >

   <wsse:SecurityTokenReference>

      <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"

                          ValueType="http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ#"/>

         EZzCCA9CgAwIB...

      </wsse:KeyIdentifier>

   </wsse:SecurityTokenReference>

...

</wsse:Security>

Replacement text/example:

CORRECT:

<!-- This example is correct for any SECURE_ENVELOPE after the initial SECURE_ENVELOPE of an authenticated message exchange.  -->

<wsse:Security xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'

               xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'

               xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'

                xmlns:ds='http://www.w3.org/2000/09/xmldsig#' >

   <wsse:SecurityTokenReference>

      <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"

                          ValueType="http://docs.oasis-open.org/wss/oasis-wss-kerberos-tokenprofile-1.1#Kerberosv5APREQSHA1"/>

         EZzCCA9CgAwIB...

      </wsse:KeyIdentifier>

   </wsse:SecurityTokenReference>

...

</wsse:Security>

Section 12.2.4, DName Encoding Rules Update for XML Signature

Existing text:

Per XML Signature, DNames are encoded as follows:

·        Consider the string as consisting of Unicode characters.

·        Escape occurrences of the following special characters by prefixing it with the "\" character:

o   a "#" character occurring at the beginning of the string

o   one of the characters ",", "+", """, "\", "<", ">" or ";"

·        Escape all occurrences of ASCII control characters (Unicode range \x00 - \x1f) by replacing them with "\" followed by a two digit hex number showing its Unicode number.

·        Escape any trailing white space by replacing "\ " with "\20".

·        Since a XML document logically consists of characters, not octets, the resulting Unicode string is finally encoded according to the character encoding used for producing the physical representation of the XML document.

Replacement text:

Per XML Signature, DNames are encoded as follows:

·        To encode a distinguished name (X509IssuerSerial, X509SubjectName, and KeyName if appropriate), the encoding rules in section 2 of RFC 4514 SHOULD be applied, except that the character escaping rules in section 2.4 of RFC 4514 MAY be augmented as follows:

o   Escape all occurrences of ASCII control characters (Unicode range \x00 - \x1f) by replacing them with "\" followed by a two digit hex number showing its Unicode number.

o   Escape any trailing space characters (Unicode \x20) by replacing them with "\20", instead of using the escape sequence "\ ".

·        Since a XML document logically consists of characters, not octets, the resulting Unicode string is finally encoded according to the character encoding used for producing the physical representation of the XML document.

Note, the reference in Appendix A to XML Signature Syntax and Processing is correct.

Correct Error in SAML Token Profile for AssertionIDReference

Section 2.2, Delete Namespace Prefix for samlp.

Delete this namespace prefix listed in Section 2.2.

samlp - "urn:oasis:names:tc:SAML:1.0:protocol"

Section 15.2.3, Correct Case for AssertionIDReference

Correct case of AssertionIDReference in R6607.

Existing text:

R6607 Any AuthorityKind attribute of a SAML_AUTHORITY_BINDING MUST have a value of saml:AssertionIdReference. C

Replacement text:

R6607 Any AuthorityKind attribute of a SAML_AUTHORITY_BINDING MUST have a value of saml:AssertionIDReference. C

Section 15.2.3, Explanation of SAML Token Profile Error

Add descriptive text to Section 15.2.3 to describe an error in SAML Token Profile 1.0.

SAML Token Profile 1.0 specified an incorrect QName to reference external SAML 1.1 assertions for the AssertionIDReference. This element is defined in Assertions and Protocols for SAML (SAML assertion schema). SAML Protocol uses the AssertionIDReference. The namespace and the element name were incorrectly specified - samlp:AssertionIdReference rather than saml:AssertionIDReference in the SAML Token Profiles. This profile references the correct QName. The SAML 1.1 assertion schema is the normative reference to this element referenced in this profile.

To encourage backward compatibility and acknowledge the errors, this profile suggests interoperable implementations accept either case - AssertionIdReference or AssertionIDreference.

Error in WS-I Template for Basic Security Profiles

The template used for these profiles contains an error where Section 3 is duplicated. Therefore, Section 3 occurs twice in Basic Security Profile 1.0.  This Errata document acknowledges this issue. This Errata references the section numbers as specified in the Final Material of Basic Security Profile (with two Chapter 3).

Appendix A: Referenced Specifications

The referenced specifications applicable to this document are found in Basic Security Profile 1.0.