View Issue Details

ID: 0005836
Project: 10000-018: Role-Based Security
Category: Spec
View Status: public
Last Update: 2021-09-21 19:46
Reporter: Thomas Merk
Assigned To: Matthias Damm
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Fixed in Version: 1.05.00
Summary: 0005836: IdentityMappingType THUMBPRINT_2
Description

This criteriaType is the only one available for X509 user certificates.
However, the thumbprint of a certificate is "only" a hash, which changes whenever a certificate is renewed.
So if any user certificate is renewed, the "identities" of the Roles have to be adapted.
It is very unlikely that the hashes of 2 certificates are equal, but at least in theory it can happen.

The "real" information of a user certificate is the subject, where the user name shall be stored.
The subject is also used for "ClientUserId" of the AuditEventType.

I would suggest adding a new criteriaType (e.g. SUBJECT_7) which can be used for X509 certificates (or their CA).

Tags: No tags attached.
Commit Version:
Fix Due Date:

Relationships

related to 0006940 (assigned, Paul Hunkar) Compliance Test Tool (CTT) Unified Architecture: IdentityMappingType THUMBPRINT_2

Activities

Jeff Harding

2020-12-09 18:11

developer   ~0013433

Need to reassign this to Part 18

Matthias Damm

2021-03-02 17:13

developer   ~0013895

I got the following (similar) feedback from my colleagues:

The string representation of the Thumbprint is not defined.
A HEX representation is assumed, but we also need to define whether the letters are upper case or lower case.

But even if the string format were defined, this needs to be updated whenever the certificate is updated.

It would not be possible to separate trust list management from identity mapping.

We should have another criteriaType CommonName

Matthias Damm

2021-03-02 18:39

developer   ~0013900

Added clarification to
4.4.3 IdentityMappingRuleType
The thumbprint shall be encoded as hexadecimal numbers with upper case characters and without spaces.

Added new type to
Table 8 – IdentityCriteriaType Values
SubjectName
8
The rule specifies the Common Name (CN) of a User or CA Certificate.

Added in
OPC 10000-18 - UA Specification Part 18 - Role-Based Security 1.05.0 Draft7.docx

Jim Luth

2021-05-11 15:43

administrator   ~0014350

Agreed to changes in telecon.

Matthias Damm

2021-09-21 17:45

developer   ~0014896

We need to clarify a comment for 1.05.0 RC regarding the ordering of identical names in the criteria string.

Matthias Damm

2021-09-21 18:59

developer   ~0014904

Updated text for multiple entries for one name:
If one name is used multiple times in the certificate, the name is also repeated in the criteria. The entries with the same name are entered in the order they appear in the Certificate.
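
The two spec changes discussed in this issue (the canonical thumbprint encoding from note ~0013900 and the repeated-name ordering rule for the SubjectName criteria from note ~0014904), as an added Python example that is not part of the issue or of the OPC UA specification text. It models a certificate as constructed DER bytes plus an ordered subject rather than parsing real X.509, assumes SHA-1 as the thumbprint hash and a comma as the separator between repeated CN values (the issue fixes the ordering, not the separator), and shows why a THUMBPRINT_2 rule stops matching after a renewal while a SubjectName rule keeps matching.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Tuple

# IdentityCriteriaType values named on this issue: THUMBPRINT_2 and the added SubjectName (8).
THUMBPRINT = 2
SUBJECT_NAME = 8

# Encoding pinned down in the spec clarification: hex digits, upper case, no spaces.
# 40 characters assumes a SHA-1 thumbprint (an assumption of this example).
_CANONICAL_THUMBPRINT = re.compile(r"^[0-9A-F]{40}$")


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate (no real parsing here):
    the DER bytes and the subject attributes in the order they appear in the certificate."""
    der: bytes
    subject: Tuple[Tuple[str, str], ...]


def thumbprint(cert: Cert) -> str:
    """SHA-1 over the DER encoding, rendered in the canonical upper-case, space-free hex form."""
    return hashlib.sha1(cert.der).hexdigest().upper()


def is_canonical_thumbprint(criteria: str) -> bool:
    """True only for the single string form the clarified spec allows; 'AB CD' or lower case is rejected."""
    return _CANONICAL_THUMBPRINT.fullmatch(criteria) is not None


def subject_criteria(cert: Cert, attr: str = "CN") -> str:
    """Criteria string for the SubjectName rule. A name that occurs several times is repeated,
    in certificate order. Joining the values with ',' is an assumption of this example."""
    return ",".join(value for name, value in cert.subject if name == attr)


def matches(criteria_type: int, criteria: str, cert: Cert) -> bool:
    """Evaluate one identity mapping rule against a certificate."""
    if criteria_type == THUMBPRINT:
        # A non-canonical criteria string never matches: it is a configuration error, not an identity.
        return is_canonical_thumbprint(criteria) and criteria == thumbprint(cert)
    if criteria_type == SUBJECT_NAME:
        return criteria == subject_criteria(cert)
    raise ValueError(f"unsupported IdentityCriteriaType {criteria_type}")


# Constructed sample certificates. Renewal changes the DER bytes (new validity, serial, signature)
# but leaves the subject alone, which is exactly the case the reporter raises.
CERT_V1 = Cert(der=b"constructed-der-alice-2020", subject=(("CN", "alice"), ("O", "Example")))
CERT_RENEWED = Cert(der=b"constructed-der-alice-2021", subject=(("CN", "alice"), ("O", "Example")))
CERT_MULTI_CN = Cert(der=b"constructed-der-svc",
                     subject=(("CN", "svc"), ("O", "Example"), ("CN", "svc-backup")))


def renewal_effect() -> dict:
    """Which rule survives a certificate renewal? Returns a small result table for inspection."""
    tp_rule = thumbprint(CERT_V1)          # rule written against the original certificate
    cn_rule = subject_criteria(CERT_V1)
    return {
        "thumbprint_before": matches(THUMBPRINT, tp_rule, CERT_V1),
        "thumbprint_after": matches(THUMBPRINT, tp_rule, CERT_RENEWED),
        "subject_before": matches(SUBJECT_NAME, cn_rule, CERT_V1),
        "subject_after": matches(SUBJECT_NAME, cn_rule, CERT_RENEWED),
    }


if __name__ == "__main__":
    for key, value in renewal_effect().items():
        print(f"{key}: {value}")
    print("multi-CN criteria:", subject_criteria(CERT_MULTI_CN))
    print("lower-case thumbprint accepted:", is_canonical_thumbprint(thumbprint(CERT_V1).lower()))
```

Running the block prints the renewal table (the thumbprint rule matches before and fails after, the subject rule matches both times), the criteria string `svc,svc-backup` for the certificate with two CN entries, and `False` for a lower-case thumbprint, which is the interoperability point behind defining the encoding: two implementations that disagree on case or spacing would silently stop mapping the same user to the same Role.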

Jim Luth

2021-09-21 19:46

administrator   ~0014905

Agreed to changes edited in Virtual F2F.

Issue History

Date Modified Username Field Change
2020-07-28 08:32 Thomas Merk New Issue
2020-08-25 15:58 Jim Luth Assigned To => Jeff Harding
2020-08-25 15:58 Jim Luth Status new => assigned
2020-12-09 18:11 Jeff Harding Note Added: 0013433
2020-12-09 18:11 Jeff Harding Project 10000-005: Information Model => 10000-018: Role-Based Security
2020-12-09 18:11 Jeff Harding Assigned To Jeff Harding => Matthias Damm
2021-03-02 17:13 Matthias Damm Note Added: 0013895
2021-03-02 18:39 Matthias Damm Status assigned => resolved
2021-03-02 18:39 Matthias Damm Resolution open => fixed
2021-03-02 18:39 Matthias Damm Note Added: 0013900
2021-05-11 15:41 Jim Luth Issue cloned: 0006940
2021-05-11 15:41 Jim Luth Relationship added related to 0006940
2021-05-11 15:43 Jim Luth Status resolved => closed
2021-05-11 15:43 Jim Luth Fixed in Version => 1.05
2021-05-11 15:43 Jim Luth Note Added: 0014350
2021-09-21 17:45 Matthias Damm Status closed => feedback
2021-09-21 17:45 Matthias Damm Resolution fixed => reopened
2021-09-21 17:45 Matthias Damm Note Added: 0014896
2021-09-21 18:59 Matthias Damm Status feedback => resolved
2021-09-21 18:59 Matthias Damm Resolution reopened => fixed
2021-09-21 18:59 Matthias Damm Note Added: 0014904
2021-09-21 19:46 Jim Luth Status resolved => closed
2021-09-21 19:46 Jim Luth Fixed in Version 1.05 => 1.05.00
2021-09-21 19:46 Jim Luth Note Added: 0014905