Wednesday, 13 June 2007

Proxy Certificates and WS-Security Don't Mix!

In the current NERC DataGrid system, proxy certificates provide a means to authenticate users with Attribute Authorities, but problems arise when integrating them with SOAP services that use WS-Security.

A SOAP interface was used for NDG Alpha, but without WS-Security. For the Beta delivery we want a fully WS-Security compliant interface to facilitate interoperability with Java toolkits and other languages as required. This was also an aim for the related DEWS project.

WS-Security with DEWS

For DEWS this was only partially successful. The problem is how to communicate the chain of trust from the proxy certificate back to the CA certificate: CA certificate <- user certificate <- proxy certificate. (Ref. http://www.globus.org/toolkit/docs/4.0/security/key-index.html#s-security-key-delegation)

In the WS-Security schema, the BinarySecurityToken element can carry the X.509 certificate that the recipient uses to validate the signature, but in the case of a proxy certificate you would need to pass both the proxy certificate and the user certificate. For DEWS, proxy certificates were dispensed with because of this difficulty and, more importantly, because the Java WebSphere and WSS4J toolkits that the Python code interfaced with use fixed certificate settings configured at start-up. Proxy certificates are generated at runtime, so this is a non-starter.
Instead, a server certificate was used to sign messages to an Attribute Authority, with the user ID passed as a separate element in the message.

Passing a certificate chain with WS-Security

The solution would seem to be to use the X509PKIPathv1 ValueType for the token, which allows a chain of certificates to be included. (http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-errata-x509TokenProfile.htm#_Toc118727691) This has now been prototyped in Python. There is still a concern, though, that although the standard supports this, toolkits probably don't. WebSphere includes this option in the WS-Security settings, but it's not clear how you create the chain from the certificates in the key store. I've not explored this further. WSS4J, I'm told, supports the use of X509PKIPathv1, but it's buried deep inside the code and so is hard to configure without modifying it. This could be pursued further, and perhaps as the standard becomes more established support will improve in the various toolkits. I've not as yet looked beyond WebSphere and WSS4J. Ultimately the question arises as to how important proxy certificates and WS-Security are to the NDG Security architecture.
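To make the X509PKIPathv1 approach concrete, here is an added, stand-alone example (not the NDG prototype's code) showing what the token carries: a DER SEQUENCE of certificates (the PKIPath type), base64-encoded into a wsse:BinarySecurityToken whose ValueType is X509PKIPathv1, and the matching decode on the receiving side. The certificate blobs below are constructed placeholder DER SEQUENCEs standing in for the user certificate and the proxy certificate, not real X.509 certificates; the ordering (user certificate first, then the proxy it issued) follows my reading of the PKIPath definition as running from the CA-issued end towards the end entity, and is an assumption. The namespace and ValueType URIs are the ones from the OASIS WS-Security and X.509 Token Profile 1.0 specifications.

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces and URIs from the OASIS WS-Security 1.0 / X.509 Token Profile 1.0 specs.
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PKIPATH_VALUE_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
                      "oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1")
BASE64_ENCODING = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
ET.register_namespace("wsse", WSSE_NS)
ET.register_namespace("wsu", WSU_NS)


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_sequence(content):
    """Wrap content in a DER SEQUENCE (tag 0x30)."""
    return b"\x30" + der_length(len(content)) + content


def encode_pkipath(der_certs):
    """PKIPath ::= SEQUENCE OF Certificate, so concatenate the DER certs and wrap them."""
    return der_sequence(b"".join(der_certs))


def read_tlv(buf, offset):
    """Return (tag, value_start, value_end) for the DER element at offset."""
    tag = buf[offset]
    first = buf[offset + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[offset + 2:offset + 2 + nbytes], "big")
        header = 2 + nbytes
    start = offset + header
    return tag, start, start + length


def decode_pkipath(der):
    """Split a PKIPath back into the individual DER certificates, rejecting trailing data."""
    tag, start, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("PKIPath is not a single DER SEQUENCE")
    certs, pos = [], start
    while pos < end:
        t, _, e = read_tlv(der, pos)
        if t != 0x30 or e > end:
            raise ValueError("PKIPath element is not a well-formed certificate SEQUENCE")
        certs.append(der[pos:e])
        pos = e
    return certs


def build_bst(der_certs, wsu_id="X509Chain"):
    """Build the wsse:BinarySecurityToken carrying the whole chain as one X509PKIPathv1 token."""
    tok = ET.Element("{%s}BinarySecurityToken" % WSSE_NS)
    tok.set("ValueType", PKIPATH_VALUE_TYPE)
    tok.set("EncodingType", BASE64_ENCODING)
    tok.set("{%s}Id" % WSU_NS, wsu_id)
    tok.text = base64.b64encode(encode_pkipath(der_certs)).decode("ascii")
    return tok


def bst_to_xml(tok):
    return ET.tostring(tok, encoding="unicode")


def parse_bst(xml_text):
    """Receiver side: check the token type before trusting its contents, then unpack the chain."""
    tok = ET.fromstring(xml_text)
    if tok.tag != "{%s}BinarySecurityToken" % WSSE_NS:
        raise ValueError("not a BinarySecurityToken")
    if tok.get("ValueType") != PKIPATH_VALUE_TYPE:
        raise ValueError("unexpected ValueType %r" % tok.get("ValueType"))
    if tok.get("EncodingType") != BASE64_ENCODING:
        raise ValueError("unexpected EncodingType %r" % tok.get("EncodingType"))
    return decode_pkipath(base64.b64decode(tok.text or ""))


# Constructed placeholders (NOT real certificates): DER SEQUENCEs with dummy content.
# The proxy placeholder is over 127 bytes so the long-form length encoding is exercised.
USER_CERT_DER = der_sequence(b"placeholder user certificate issued by the CA")
PROXY_CERT_DER = der_sequence(b"placeholder proxy certificate issued by the user " + b"x" * 150)
CHAIN = [USER_CERT_DER, PROXY_CERT_DER]  # assumed order: CA-issued end first, proxy last


def roundtrip(der_certs):
    """Encode a chain into a token and decode it again, as the recipient would."""
    return parse_bst(bst_to_xml(build_bst(der_certs)))


if __name__ == "__main__":
    print(bst_to_xml(build_bst(CHAIN)))
    print(roundtrip(CHAIN) == CHAIN)
```

Unpacking the chain is only the first step on the receiving side: the recipient still has to validate the path from the proxy certificate through the user certificate to a trusted CA before the signature it verifies means anything, which is exactly the part the toolkits discussed above make hard to configure.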
