View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0009919 | 10000-004: Services | Spec | public | 2024-10-16 13:45 | 2024-10-17 15:33 |
| Reporter | Randy Armstrong | Assigned To | |||
| Priority | normal | Severity | minor | Reproducibility | have not tried |
| Status | new | Resolution | open | ||
| Summary | 0009919: Need to restrict the security policies allowed for user tokens. | ||||
| Description | https://reference.opcfoundation.org/Core/Part4/v105/docs/7.41.4 Need to restrict the security policies allowed for user tokens. If ED is SecurityMode None then UT many be any SecurityPolicy from other EDs supported by the Server that use the same Certificate as provided in the ED. If ED is not None + SignOnly, then the UT SecurityPolicy is not specified. If ED is not None +EncryptAndSign the UT SecurityPolicy is not specified. If ED is None and TLS for transport then UT SecurityPolicy may be None (this assumes TLS is always encrypted). | ||||
| Tags | No tags attached. | ||||
| Commit Version | |||||
| Fix Due Date | |||||
|
|
I don't think it's important to limit the UserTokenPolicies. Instead, it would be important to define that 'UserNameIdentityToken.encryptionAlgorithm' must not be used and that the 'UserNameIdentityToken.policyId' should always be used instead to define the encryption algorithm. That way the server can decide which algorithms are valid and the clients cannot overcome that. |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2024-10-16 13:45 | Randy Armstrong | New Issue | |
| 2024-10-16 15:31 | Randy Armstrong | Description Updated | |
| 2024-10-16 15:32 | Randy Armstrong | Description Updated | |
| 2024-10-17 15:33 | Jouni Aro | Note Added: 0021918 |
