0002320: Encryption for user identity tokens (e.g. password)

ID	Project	Category	View Status	Date Submitted	Last Update

0002320	10000-004: Services		public	2013-01-11 19:00	2013-11-25 18:23

Reporter	Karl Deiretsbacher	Assigned To	Matthias Damm
Priority	normal	Severity	minor	Reproducibility	always
Status	closed	Resolution	fixed
Product Version	1.02
Fixed in Version	1.03

Summary	0002320: Encryption for user identity tokens (e.g. password)
Description	Chapter 7.35 contains the following description: "Some tokens include a secret such as a password which the Server will accept as proof. In order to protect these secrets the Token shall be encrypted before it is passed to the Server." and "It is recommended that Applications never set the SecurityPolicy to None for UserTokens that include a secret ..." However, with Transport=TLS and SecurityPolicy=None the statements in this section are not or not completely true.
Tags	No tags attached.

Commit Version
Fix Due Date

Matthias Damm 2013-10-09 17:42 developer ~0005042	Added clarification that the shall is related to what the client needs to do if requested by the server. Added clarification that encryption is recommended if SecurityPolicy is NONE and no transport layer encryption is available. Resolved in document IEC 62541-4 - Services [Pre-CDV] 1.02.06.doc

Jim Luth 2013-11-25 18:23 administrator ~0005144	Agreed to changes in telecon.

Date Modified	Username	Field	Change
2013-01-11 19:00	Karl Deiretsbacher	New Issue
2013-01-15 17:26	Jim Luth	Status	new => assigned
2013-01-15 17:26	Jim Luth	Assigned To	=> Matthias Damm
2013-10-09 17:42	Matthias Damm	Status	assigned => resolved
2013-10-09 17:42	Matthias Damm	Resolution	open => fixed
2013-10-09 17:42	Matthias Damm	Note Added: 0005042
2013-11-25 18:23	Jim Luth	Status	resolved => closed
2013-11-25 18:23	Jim Luth	Note Added: 0005144
2013-11-25 18:23	Jim Luth	Fixed in Version	=> 1.03