View Issue Details

ID: 0002128
Project: 10000-004: Services
Category:
View Status: public
Last Update: 2014-06-10 17:25
Reporter: Liam Power
Assigned To: Matthias Damm
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.01
Fixed in Version: 1.03
Summary: 0002128: User Token - Username Password Facet Location
Description

It is proposed to add the new user token - username password facet to the core server facet. My understanding is that this functionality was present in the core server facet historically. Previously it was acceptable to send the password unencrypted over a connection even when using an insecure channel. This is important as it allows the deployment of Micro and Nano Embedded Device Servers that do not contain any PKI functionality.

Looking at Part 4, it seems that there is some ambiguity over whether or not the password must be encrypted, with some text stating "shall" and some text stating "should".

We need to ensure that if this functionality is going to be retained in the Core Server Facet that servers can still send passwords in clear text over insecure connections, otherwise many deployed servers will be made non-compliant. Most OEMs implementing Micro and Nano embedded device servers do not want to support PKI infrastructure within these servers at present. These servers are no less secure than the many field bus installations that they replace or complement.

Please clarify the language in Part 4 to make it clear that, while not recommended, it is acceptable to send unencrypted passwords over insecure connections.

Tags: No tags attached.
Commit Version:
Fix Due Date:

Activities

Matthias Damm

2012-07-24 16:26

developer   ~0003907

The only place where "shall" is used in this context is after Table 168 – UserIdentityToken parameterTypeIds.
"Some tokens include a secret such as a password which the Server will accept as proof. In order to protect these secrets the Token shall be encrypted before it is passed to the Server."

This statement is very generic, details are defined in the profiles.

We should add the following statement (next version):
The profiles in Part 7 specify the options where encryption shall be applied or where it is optional.

Matthias Damm

2014-06-04 13:25

developer   ~0005343

Change applied in 65E-62541-4-Ed2-IS-CDV-FE-to-kog - Editor Updates.doc

Added the following sentence to 7.35.1:
IEC 62541-7 specify the options where encryption shall be applied or where it is optional.

Jim Luth

2014-06-10 17:25

administrator   ~0005358

Agreed to edited changes in doc.

Issue History

Date Modified | Username | Field | Change
2012-07-18 21:45 | Liam Power | New Issue |
2012-07-24 16:26 | Matthias Damm | Note Added: 0003907 |
2012-07-24 16:26 | Matthias Damm | Project | 10000-004: Services => Feature Requests
2012-07-24 16:27 | Matthias Damm | Status | new => acknowledged
2013-09-10 16:57 | Jim Luth | Project | Feature Requests => 10000-004: Services
2013-09-10 16:57 | Jim Luth | Status | acknowledged => assigned
2013-09-10 16:57 | Jim Luth | Assigned To | => Matthias Damm
2014-06-04 13:25 | Matthias Damm | Status | assigned => resolved
2014-06-04 13:25 | Matthias Damm | Resolution | open => fixed
2014-06-04 13:25 | Matthias Damm | Note Added: 0005343 |
2014-06-10 17:25 | Jim Luth | Status | resolved => closed
2014-06-10 17:25 | Jim Luth | Note Added: 0005358 |
2014-06-10 17:25 | Jim Luth | Fixed in Version | => 1.03