EKMI SOAP Profile Version 1.0
Committee Specification Draft 01
19 July 2011
Specification URIs:
This version:
http://docs.oasis-open.org/ekmi/ekmi-soap-profile/v1.0/csd01/ekmi-soap-profile-v1.0-csd01.odt (Authoritative)
http://docs.oasis-open.org/ekmi/ekmi-soap-profile/v1.0/csd01/ekmi-soap-profile-v1.0-csd01.html
http://docs.oasis-open.org/ekmi/ekmi-soap-profile/v1.0/csd01/ekmi-soap-profile-v1.0-csd01.pdf
Previous version:
N/A
Latest version:
http://docs.oasis-open.org/ekmi/ekmi-soap-profile/v1.0/ekmi-soap-profile-v1.0.odt (Authoritative)
http://docs.oasis-open.org/ekmi/ekmi-soap-profile/v1.0/ekmi-soap-profile-v1.0.html
http://docs.oasis-open.org/ekmi/ekmi-soap-profile/v1.0/ekmi-soap-profile-v1.0.pdf
Technical Committee:
OASIS Enterprise Key Management Infrastructure (EKMI) TC
Chairs:
Editor:
Tomas Gustavsson, PrimeKey Solutions AB
Related work:
This specification is related to:
Abstract:
This profile specifies how Enterprise Key Management Infrastructure (EKMI) Symmetric Key Services Markup Language (SKSML) messages are transferred securely using a SOAP Version 1.2 envelope with Web Services Security (WSS) security features.
Status:
This document was last revised or approved by the OASIS Enterprise Key Management Infrastructure (EKMI) TC on the above date. The level of approval is also listed above. Check the “Latest version” location noted above for possible later revisions of this document.
Technical Committee members should send comments on this specification to the Technical Committee’s email list. Others should send comments to the Technical Committee by using the “Send A Comment” button on the Technical Committee’s web page at http://www.oasis-open.org/committees/ekmi/.
For information on whether any patents have been disclosed that may be essential to implementing this specification, and any offers of patent licensing terms, please refer to the Intellectual Property Rights section of the Technical Committee web page (http://www.oasis-open.org/committees/ekmi/ipr.php).
Citation format:
When referencing this specification the following citation format should be used:
[EKMI-SOAP-Profile]
EKMI SOAP Profile Version 1.0. 19 July 2011. OASIS Committee Specification Draft 01. http://docs.oasis-open.org/ekmi/ekmi-soap-profile/v1.0/csd01/ekmi-soap-profile-v1.0-csd01.html.
Notices
Copyright © OASIS Open 2011. All Rights Reserved.
All capitalized terms in the following text have the meanings assigned to them in the OASIS Intellectual Property Rights Policy (the "OASIS IPR Policy"). The full Policy may be found at the OASIS website.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published, and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this section are included on all such copies and derivative works. However, this document itself may not be modified in any way, including by removing the copyright notice or references to OASIS, except as needed for the purpose of developing any document or deliverable produced by an OASIS Technical Committee (in which case the rules applicable to copyrights, as set forth in the OASIS IPR Policy, must be followed) or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.
This document and the information contained herein is provided on an "AS IS" basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY OWNERSHIP RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
OASIS requests that any OASIS Party or any other party that believes it has patent claims that would necessarily be infringed by implementations of this OASIS Committee Specification or OASIS Standard, to notify OASIS TC Administrator and provide an indication of its willingness to grant patent licenses to such patent claims in a manner consistent with the IPR Mode of the OASIS Technical Committee that produced this specification.
OASIS invites any party to contact the OASIS TC Administrator if it is aware of a claim of ownership of any patent claims that would necessarily be infringed by implementations of this specification by a patent holder that is not willing to provide a license to such patent claims in a manner consistent with the IPR Mode of the OASIS Technical Committee that produced this specification. OASIS may include such claims on its website, but disclaims any obligation to do so.
OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS' procedures with respect to rights in any document or deliverable produced by an OASIS Technical Committee can be found on the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this OASIS Committee Specification or OASIS Standard, can be obtained from the OASIS TC Administrator. OASIS makes no representation that any information or list of intellectual property rights will at any time be complete, or that any claims in such list are, in fact, Essential Claims.
The names "OASIS" and “SKSML” are trademarks of OASIS, the owner and developer of this specification, and should be used only to refer to the organization and its official outputs. OASIS welcomes reference to, and implementation and use of, specifications, while reserving the right to enforce its marks against misleading uses. Please see http://www.oasis-open.org/who/trademark.php for above guidance.
Table of Contents
The EKMI SOAP v1.2 profile specifies how the SKSML messages defined in EKMI v1.0 is transferred over SOAP messaging using WSS for authenticity and integrity protection.
1.1 Terminology
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this specification are to be interpreted as described in IETF RFC 2119.
1.2 Normative References
[RFC 2119] S. Bradner. Key words for use in RFCs to Indicate Requirement Levels. IETF RFC 2119, March 1997. http://www.ietf.org/rfc/rfc2119.txt.
[AES] Advanced Encryption Standard.NIST FIPS 197. http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
[RFC 2119] S. Bradner. Key words for use in RFCs to Indicate Requirement Levels. IETF RFC 2119, March 1997.
[SOAP] SOAP v1.2 Specification. W3C Recommendation. 27 April 2007. http://www.w3.org/TR/soap12
[XMLEncryption] XML Encryption Syntax and Processing. W3C Recommendation. 10 Dec 2002.
http://www.w3.org/TR/xmlenc-core/
[XMLSignature] XML Signature Syntax and Processing. W3C Recommendation. 10 June 2008.
http://www.w3.org/TR/xmldsig-core/
[WSS] OASIS Standard, “Web Services Security – SOAP Message Security 1.0”, March 2004. http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf
1.3 Non-normative References
[Reference] [reference citation]
When SKSML messages are transferred using SOAP the SOAP message is secured using WSS. The actual SKSML content is placed in the SOAP body. The rest of the message is constructed of SOAP envelope and WSS elements.
The SOAP profile relies on the SOAP standard v1.2 and the Web Services Security (WSS) standard 1.0, which in turn supports the use of XML Signature and XML Encryption within the SOAP Header. Relying only the on the WSS profile that uses RSA cryptographic key-pairs and digital certificates, SKSML uses the digital signatures for authenticity and message-integrity, while using RSA-encryption for confidentiality.
The general structure of the SOAP message is constructed of the following elements.
<SOAP Envelope>
<SOAP Header>
<WSSE Security Attributes/>
</SOAP Header>
<SOAP Body>
<SKSML Request/Response/>
</SOAP Body>
</SOAP Envelope>
The message below shows a SKSML SymkeyRequest. While the SymkeyRequest element is very simple, the Web Service Security (WSS) envelope – which provides security for the SKSML messages in the SOAP profile – expands the size of the message. The SymkeyRequest, is displayed below in its entirety, with its WSS envelope. Please note that some content – such as Base64 encoded binary content - has been reformatted for aesthetics and clarity of the XML elements.
[b01] <?xml
version='1.0' ?>
[b02] <env:Envelope
xmlns:env="http://www.w3.org/2003/05/soap-envelope">
[b03] <env:Header>
[b04] <wsse:Security
[b05] xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/
[b06] oasis-200401-wss-wssecurity-secext-1.0.xsd"
[b07] env:mustUnderstand="true">
[b08] <wsse:BinarySecurityToken
[b09] xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/
[b10] oasis-200401-wss-wssecurity-utility-1.0.xsd"
[b11] EncodingType="http://docs.oasis-open.org/wss/2004/01/
[b12] oasis-200401-wss-soap-message-security-1.0#Base64Binary"
[b13] ValueType="http://docs.oasis-open.org/wss/2004/01/
[b14] oasis-200401-wss-x509-token-profile-1.0#X509v3"
[b15] wsu:Id="XWSSGID-1172790302111-1738806553">
[b16] MIIDfDCCAmSgAwIBAgIIAe/AvliGc3AwDQYJKoZIhvcNAQELBQAwZzEmMCQGA1UEAxMdU3Ryb25nab
[b17] S2V5IERFTU8gU3Vib3JkaW5hdGUgQ0ExJDAiBgNVBAsTG0ZvciBTdHJvbmdLZXkgREVNTyBVc2Ug1d
[b18] T25seTEXMBUGA1UEChMOU3Ryb25nQXV0aCBJbmMwHhcNMDYwNzI1MTcxMDMwWhcNMDcwNzIa64dd3k
[b19] A1UECxMbRm9yIFN0cm9uZ0tleSBERU1PIFVzZSBPbmx5MRcwFQYDVQQKEw5TdHJvbmdBdXRoIEl2da
[b20] S2V5IERFTU8gU3Vib3JkaW5hdGUgQ0ExJDAiBgNVBAsTG0ZvciBTdHJvbmdLZXkgREVNTyBVc2Ugia
[b21] T25seTEXMBUGA1UEChMOU3Ryb25nQXV0aCBJbmMwHhcNMDYwNzI1MTY0NjEwWhcNMDcwNzI1s34wdd
[b22] NjEwWjBpMREwDwYKCZImiZPyLGQBARMBOTEVMBMGA1UEAxMMU0tTIFNlcnZlci0xMSQwIgYDVQsdw2
[b23] ExtGb3IgU3Ryb25nS2V5IERFTU8gVXNlIE9ubHkxFzAVBgNVBAoTDlN0cm9uZ0F1dGggSW5jMIIBd2
[b24] NBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAztppqRoU5A8plxx1Rz1QEUnlAAM1D5g9+isIr3wxa
[b25] hbwjtFSMYilnY4iV77xU/nsMOnMZ7RxsLYKdCzQ1ODVYqQwqmAvaJ5Z6SVy34gZ51YG+rSWE3NjFsd
[b26] bOXW8RJYA/Tn6Lmht/qngrcaqqmtP0cAAiMRZOWtCTmC2K/LEqDabXSyU6Hh8ySNE3njybvmWpresf
[b27] zsYokTdvnWQqT6tKo1OwJsdJ1+hxM7DrnMLvMNq5reINfsKhDdX17wzhrBUx+hiYA/qo8tMXkL6wsd
[b28] 4PN5dYugtzpSzIdUO5tIg58Avhzwo7hy5oofBlKFY22CeljQ36u0bMjuyGj6UYHs3rdfdfsds32rda
[b29] YzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyAmxMZhYA8wHJ4UE4b61s51JVWe4Fygj4MCf3a
[b30] hvcNAQELBQADggEBACK05PtvZD4WPglOe=
[b31] </wsse:BinarySecurityToken>
[b32] <ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
[b33] <ds:SignedInfo>
[b34] <ds:CanonicalizationMethod
[b35] Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
[b36] <InclusiveNamespaces
[b37] xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"
[b38] PrefixList="wsse env"/>
[b39] </ds:CanonicalizationMethod>
[b40] <ds:SignatureMethod
[b41] Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
[b42] <ds:Reference URI="#XWSSGID-1172790300636-653454040">
[b43] <ds:DigestMethod
[b44] Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
[b45] <ds:DigestValue>
[b46] lU4m+rp4oebgl9g+t3nRaZYqUlE=
[b47] </ds:DigestValue>
[b48] </ds:Reference>
[b49] </ds:SignedInfo>
[b50] <ds:SignatureValue>
[b51] svStAvBRRrF+g2biPl7uWHkJTQPIl8t4phMbOZQsZlQcn36tcMSj/a4+4LPNfOB3Y8yO2lr1Oa1
[b52] fGqCPAWZNuEH34VQEM196rRwV258mgp8uwpXEYJIgPJqg89w8+/NdaODccLQ2Bizu7QM/HSM2ab
[b53] ogNJwqmbSyIazOsnOcU=
[b54] </ds:SignatureValue>
[b55] <ds:KeyInfo>
[b56] <wsse:SecurityTokenReference
[b57] xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/
[b58] oasis-200401-wss-wssecurity-utility-1.0.xsd"
[b59] wsu:Id="XWSSGID-1172790300633-442423344">
[b60] <wsse:Reference
[b61] URI="#XWSSGID-1172790302111-1738806553"
[b62] ValueType="http://docs.oasis-open.org/wss/2004/01/
[b63] oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
[b64] </wsse:SecurityTokenReference>
[b65] </ds:KeyInfo>
[b66] </ds:Signature>
[b67] <wsu:Timestamp
[b68] xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/
[b69] oasis-200401-wss-wssecurity-utility-1.0.xsd"
[b70] wsu:Id="XWSSGID-1172790300637708871805">
[b71] <wsu:Created>
[b72] 2007-03-01T23:05:00Z
[b73] </wsu:Created>
[b74] <wsu:Expires>
[b75] 2007-03-01T23:05:05Z
[b76] </wsu:Expires>
[b77] </wsu:Timestamp>
[b78] </wsse:Security>
[b79] </env:Header>
[b80] <env:Body
[b81] xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/
[b82] oasis-200401-wss-wssecurity-utility-1.0.xsd"
[b83] wsu:Id="XWSSGID-1172790300636-653454040">
[b84] <ekmi:SymkeyRequest
[b85] xmlns:ekmi="http://docs.oasis-open.org/ekmi/2008/01">
[b86] <ekmi:GlobalKeyID>10514-0-0</ekmi:GlobalKeyID>
[b87] </ekmi:SymkeyRequest>
[b88] </env:Body>
[b89] </env:Envelope>
[b01] is the XML declaration which specifies the version of XML being used.
[b02] is the start of the SOAP envelope and identifies the namespaces to which this XML conforms, and the location of their XML Schema Definitions (XSD).
[b03] is the start of the SOAP header where the XML signature fields are located.
[b04] to [b07] is the start of the WSS part and identifies the namespaces for WSS.
[b08] to [b31] is the WSS security token. This is the X.509 certificate the SKSML client uses to authenticate the SOAP message with the SKSML server.
[b32] is the start of the XMLSignature digital signature that ensures the integrity of the SOAP message.
[b33] is the start of the XMLSignature SignedInfo part, i.e. the part that is actually signed. We have added indentation to this part, while in fact it is better practice to form the <SignedInfo> element with no whitespace before the elements and just a single newline after each line, in order to avoid some canonicalization issues.
[b34] to [b39] specifies the canonicalization method used, in this case Exclusive XML Canonicalization.
[b40] and [b41] specifies the signature algorithm used, in this case SHA1WithRSA.
[b42] to [b48] specifies the digest algorithm used and the digest value of the input string, i.e. the data to be signed, i.e. the contents of the Body element.
[b50] to [b54] is the signature value, i.e. the RSA encrypted digest from the DigestValue element.
[b55] to [b65] is an XMLSignature KeyInfo element that contains a WSS SecurityTokenReference. This is merely a reference to the X.509 certificate specified in the BinarySecurityToken above.
[b67] to [b77] is an WSS TimeStamp token. This is an optional element that specifies a creation time and an expiration time of the enclosing context.
[b80] is the start of the SOAP body that contains the actual SKSML message.
[b84] to [b87] is the SKSML message, which this SOAP message encapsulated the protects using WSS.
# Conformance
Conforming implementations MUST support SOAP v1.2 and WSS v1.0.
Conforming implementations MUST support XML Signature for authenticity and integrity protection of SOAP messages.
Conforming implementations MUST support RSAWithSHA1 and RSAWithSHA256 digital signature algorithms.
Conforming implementations MUST support SHA1 and SHA256 digest algorithms.
Implementations MAY support XML Encryption for confidentiality of SOAP messages.
Implementations MAY support other digital signature and digest algorithms.
The following individuals have participated in the creation of this specification and are gratefully acknowledged
Participants:
Ezer Farhi, Associate
Benjamin Tomhave, Btplc
Tim Bruce, CA
June Leung, Associate
Shaheen N Abdul Jabbar, Individual
Ken Adler, Individual
Stefan Drees. Individual
Marc Massar, Individual
Michael Nelson, Individual
Davi Ottenheimer, Individual
Allen Schaaf, Individual
Harry Haury, NuParadigm Government Systems, Inc.
Tomas Gustavsson, PrimeKey Solutions AB
Anil Saldhana, Red Hat
Arshad Noor, Associate
Sandi Roddy, US Department of Defense (DoD)
Thomas Hardjono, Associate
Upendra Mardikar, Associate
Eric Lengvenis, Wells Fargo
|
Version |
Date |
Author |
Notes |
|
DRAFT 1 |
June 19, 2011 |
Tomas Gustavsson |
Initial version |
|
|
|
|
|