1 2 Web Services Security: 3 SOAP Message Security 4 Working Draft 17, Wednesday, 27 August 2003 5 Document identifier: 6 WSS: SOAP Message Security -17 7 Location: 8 http://www.oasis-open.org/committees/documents.php 9 Editors: Anthony Nadalin IBM Chris Kaler Microsoft Phillip Hallam-Baker VeriSign Ronald Monzillo Sun 10 Contributors: Gene Thurston AmberPoint Frank Siebenlist Argonne National Lab Merlin Hughes Baltimore Technologies Irving Reid Baltimore Technologies Peter Dapkus BEA Hal Lockhart BEA Symon Chang CommerceOne Thomas DeMartini ContentGuard Guillermo Lao ContentGuard TJ Pannu ContentGuard Shawn Sharp Cyclone Commerce Ganesh Vaideeswaran Documentum Sam Wei Documentum John Hughes Entegrity Tim Moses Entrust Toshihiro Nishimura Fujitsu Tom Rutt Fujitsu Yutaka Kudo Hitachi WSS: SOAP Message Security-17 27 August 2003 Copyright © OASIS Open 2002. All Rights Reserved. Page 1 of 53 Jason Rouault HP Bob Blakley IBM Joel Farrell IBM Satoshi Hada IBM Maryann Hondo IBM Hiroshi Maruyama IBM David Melgar IBM Anthony Nadalin IBM Nataraj Nagaratnam IBM Wayne Vicknair IBM Kelvin Lawrence IBM (co-Chair) Don Flinn Individual Bob Morgan Individual Bob Atkinson Microsoft Keith Ballinger Microsoft Allen Brown Microsoft Paul Cotton Microsoft Giovanni Della-Libera Microsoft Vijay Gajjala Microsoft Johannes Klein Microsoft Scott Konermann Microsoft Chris Kurt Microsoft Brian LaMacchia Microsoft Paul Leach Microsoft John Manferdell Microsoft John Shewchuk Microsoft Dan Simon Microsoft Hervey Wilson Microsoft Chris Kaler Microsoft (co-Chair) Prateek Mishra Netegrity Frederick Hirsch Nokia Senthil Sengodan Nokia Lloyd Burch Novell Ed Reed Novell Charles Knouse Oblix Steve Anderson OpenNetwork (Sec) Vipin Samar Oracle Jerry Schwarz Oracle Eric Gravengaard Reactivity Stuart King Reed Elsevier Andrew Nash RSA Security Rob Philpott RSA Security Peter Rostin RSA Security Martijn de Boer SAP Pete Wenzel SeeBeyond Jonathan Tourzan Sony Yassir Elley Sun Microsystems Jeff Hodges Sun Microsystems Ronald Monzillo Sun Microsystems Jan Alexander Systinet Michael Nguyen The IDA of Singapore Don Adams TIBCO WSS: SOAP Message Security-17 27 August 2003 Copyright © OASIS Open 2002. All Rights Reserved. Page 2 of 53 John Weiland US Navy Phillip Hallam-Baker VeriSign Mark Hays Verisign Hemma Prafullchandra VeriSign 11 12 Abstract: 13 This specification describes enhancements to SOAP messaging to provide message 14 integrity, and single message authentication. The specified mechanisms can be used to 15 accommodate a wide variety of security models and encryption technologies. 16 This specification also provides a general-purpose mechanism for associating security 17 tokens with message content. No specific type of security token is required the 18 specification is designed to be extensible (e.g. support multiple security token formats). 19 For example, a client might provide one format for proof of identity and provide another 20 format for proof that they have a particular business certification. 21 Additionally, this specification describes how to encode binary security tokens, a 22 framework for XML-based tokens, and how to include opaque encrypted keys. It also 23 includes extensibility mechanisms that can be used to further describe the characteristics 24 of the tokens that are included with a message. 25 Status: 26 This is an interim draft. Please send comments to the editors. 27 28 Committee members should send comments on this specification to the [email protected] 29 open.org list. Others should subscribe to and send comments to the wss- 30 [email protected] list. To subscribe, visit http://lists.oasis- 31 open.org/ob/adm.pl. 32 For information on whether any patents have been disclosed that may be essential to 33 implementing this specification, and any offers of patent licensing terms, please refer to 34 the Intellectual Property Rights section of the Security Services TC web page 35 (http://www.oasis-open.org/who/intellectualproperty.shtml). WSS: SOAP Message Security-17 27 August 2003 Copyright © OASIS Open 2002. All Rights Reserved. Page 3 of 53 36 Table of Contents 37 1 Introduction........................................................................................................................... 6 38 1.1 Goals and Requirements .................................................................................................... 6 39 1.1.1 Requirements ..............................................................................................................6 40 1.1.2 Non-Goals ................................................................................................................... 6 41 2 Notations and Terminology................................................................................................... 8 42 2.1 Notational Conventions....................................................................................................... 8 43 2.2 Namespaces....................................................................................................................... 8 44 2.3 Terminology........................................................................................................................ 9 45 3 Message Protection Mechanisms....................................................................................... 10 46 3.1 Message Security Model................................................................................................... 10 47 3.2 Message Protection ..........................................................................................................10 48 3.3 Invalid or Missing Claims .................................................................................................. 11 49 3.4 Example............................................................................................................................ 11 50 4 ID References .................................................................................................................... 13 51 4.1 Id Attribute ........................................................................................................................ 13 52 4.2 Id Schema ........................................................................................................................ 13 53 5 Security Header.................................................................................................................. 15 54 6 Security Tokens.................................................................................................................. 17 55 6.1 Attaching Security Tokens ................................................................................................ 17 56 6.1.1 Processing Rules....................................................................................................... 17 57 6.1.2 Subject Confirmation ................................................................................................. 17 58 6.2 User Name Token.............................................................................................................17 59 6.2.1 Usernames ................................................................................................................ 17 60 6.3 Binary Security Tokens..................................................................................................... 18 61 6.3.1 Attaching Security Tokens ......................................................................................... 18 62 6.3.2 Encoding Binary Security Tokens.............................................................................. 18 63 6.4 XML Tokens...................................................................................................................... 19 64 6.4.1 Identifying and Referencing Security Tokens............................................................. 19 65 7 Token References .............................................................................................................. 20 66 7.1 SecurityTokenReference Element .................................................................................... 20 67 7.2 Direct References ............................................................................................................. 21 68 7.3 Key Identifiers................................................................................................................... 22 69 7.4 Embedded References ..................................................................................................... 23 70 7.5 ds:KeyInfo......................................................................................................................... 24 71 7.6 Key Names ....................................................................................................................... 24 72 8 Signatures .......................................................................................................................... 25 73 8.1 Algorithms......................................................................................................................... 25 74 8.2 Signing Messages ............................................................................................................26 WSS: SOAP Message Security-17 27 August 2003 Copyright © OASIS Open 2002. All Rights Reserved. Page 4 of 53 75 8.3 Signing Tokens................................................................................................................. 26 76 8.4 Signature Validation.........................................................................................................