View Issue Details

ID: 0006304
Project: CTT UA Scripts
Category: 1 - Script Issue
View Status: public
Last Update: 2022-08-02 20:04
Reporter: Jim Luth
Assigned To: Alexander Allmendinger
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: assigned
Resolution: open
Summary: 0006304: Table 187 – EncryptionAlgorithm selection
Description

Table should be expanded to include MessageSecurityMode and make it clear that when Encryption is enabled the UserToken SecurityPolicy can be None, otherwise it must be blank or specified.

Add explicit requirement:

If the SecurityMode is None then the UserTokenPolicy should (shall?) have a SecurityPolicy specified.

If the SecurityMode is SignOnly then the UserTokenPolicy should (shall?) not specify the None SecurityPolicy

If the SecurityMode is SignAndEncrypt then the UserTokenPolicy SecurityPolicy may be None

Additional Information

Fix test cases for this.

Tags: No tags attached.
Files Affected

Relationships

related to 0004491 (closed, Matthias Damm): 10000-004: Services - Table 187 – EncryptionAlgorithm selection

Activities

Matthias Damm

2020-12-07 18:50

reporter   ~0013384

The intention of 'Table 190 – EncryptionAlgorithm selection' is to define what is filled into UserNameIdentityToken.encryptionAlgorithm.

It is not the right place to define additional security requirements.
If this is needed, we need a better place.

Matthias Damm

2020-12-07 18:50

reporter   ~0013385

Add a note for the case UserIdentityToken EncryptionAlgorithm = No encryption to make it explicit that this is either an invalid configuration or something that should not be allowed. See related text in Part 4.

Matthias Damm

2020-12-07 18:50

reporter   ~0013386

Added to 7.39.4 UserNameIdentityToken:
The Server shall specify a SecurityPolicy for the UserTokenPolicy if the SecureChannel has a SecurityPolicy other than None and the MessageSecurityMode is not SIGNANDENCRYPT.

Added to Table 190 – EncryptionAlgorithm selection:
(a) The use of this configuration without network encryption would result in a serious security fault.
(b) The configuration is invalid if the MessageSecurityMode is not SIGNANDENCRYPT.

Added in OPC 10000-4 - UA Specification Part 4 - Services Draft 1.05.09.docx

Jim Luth

2020-12-07 18:51

administrator   ~0013387

Fix test cases for this.

Paul Hunkar

2021-01-08 15:37

administrator   ~0013508

This configuration shall be flagged as an error, since running in a VPN is not the designed test mode for the CTT; a vendor can argue if their product can only run in a VPN.
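The rule added in note ~0013386 and the three SecurityMode cases from the Description, written out as a check that a test script could run over the endpoints a Server returns and flag as errors (as note ~0013508 asks). This is an added example, not CTT or OPC Foundation code: checkUserTokenPolicy, auditEndpoints, the sample endpoint URLs and policyId values are assumptions of this example and the endpoint list is constructed. The SecurityPolicy URIs and MessageSecurityMode values are the standard ones, and an omitted securityPolicyUri is treated as inheriting the SecureChannel's policy, which is the Part 4 default.

```javascript
"use strict";

// Added example (not CTT or OPC Foundation code). Models the UserTokenPolicy
// rules from this issue as a check over EndpointDescription/UserTokenPolicy
// structures. Field names follow those structures; the rest is hypothetical.

const POLICY_NONE = "http://opcfoundation.org/UA/SecurityPolicy#None";
const POLICY_BASIC256SHA256 =
  "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256";

// MessageSecurityMode enumeration values (OPC UA Part 4).
const MessageSecurityMode = { Invalid: 0, None: 1, Sign: 2, SignAndEncrypt: 3 };

// An omitted or empty UserTokenPolicy.securityPolicyUri means the
// SecureChannel's SecurityPolicy is used to protect the user token.
function effectiveTokenPolicy(endpoint, tokenPolicy) {
  return tokenPolicy.securityPolicyUri || endpoint.securityPolicyUri;
}

// Check one UserTokenPolicy against the endpoint that advertises it.
// Returns { valid, tokenEncrypted, errors }.
function checkUserTokenPolicy(endpoint, tokenPolicy) {
  const errors = [];
  const effective = effectiveTokenPolicy(endpoint, tokenPolicy);
  const channelEncrypts =
    endpoint.securityMode === MessageSecurityMode.SignAndEncrypt;

  // 7.39.4 text from note ~0013386: the Server shall specify a SecurityPolicy
  // for the UserTokenPolicy if the SecureChannel SecurityPolicy is not None
  // and the MessageSecurityMode is not SIGNANDENCRYPT.
  if (endpoint.securityPolicyUri !== POLICY_NONE && !channelEncrypts &&
      !tokenPolicy.securityPolicyUri) {
    errors.push("securityPolicyUri not specified although the SecureChannel " +
      "SecurityPolicy is not None and MessageSecurityMode is not SignAndEncrypt");
  }

  // Table 190 notes (a)/(b): a token policy of None (no encryptionAlgorithm,
  // password in cleartext) is invalid unless the SecureChannel itself encrypts.
  if (effective === POLICY_NONE && !channelEncrypts) {
    errors.push("UserTokenPolicy resolves to SecurityPolicy None but " +
      "MessageSecurityMode is not SignAndEncrypt: credentials would cross " +
      "the network unencrypted");
  }

  return { valid: errors.length === 0,
           tokenEncrypted: effective !== POLICY_NONE, errors };
}

// Run the check over every UserName token policy of every endpoint and
// collect the findings a conformance script would report as errors.
function auditEndpoints(endpoints) {
  const findings = [];
  for (const ep of endpoints) {
    for (const tp of ep.userIdentityTokens) {
      if (tp.tokenType !== "UserName") continue;
      for (const error of checkUserTokenPolicy(ep, tp).errors) {
        findings.push({ endpoint: ep.endpointUrl, policyId: tp.policyId, error });
      }
    }
  }
  return findings;
}

// Constructed sample endpoints (hypothetical URLs) covering the Description's
// three SecurityMode cases plus the corrected form of the first one.
const SAMPLE_ENDPOINTS = [
  { // SecurityMode None with an inherited (None) token policy: invalid.
    endpointUrl: "opc.tcp://example:4840/none-inherit",
    securityPolicyUri: POLICY_NONE, securityMode: MessageSecurityMode.None,
    userIdentityTokens: [{ policyId: "username", tokenType: "UserName",
                           securityPolicyUri: "" }] },
  { // SecurityMode None, token explicitly protected by Basic256Sha256: accepted.
    endpointUrl: "opc.tcp://example:4840/none-explicit",
    securityPolicyUri: POLICY_NONE, securityMode: MessageSecurityMode.None,
    userIdentityTokens: [{ policyId: "username", tokenType: "UserName",
                           securityPolicyUri: POLICY_BASIC256SHA256 }] },
  { // Sign only with a token policy of None: not allowed.
    endpointUrl: "opc.tcp://example:4840/sign",
    securityPolicyUri: POLICY_BASIC256SHA256, securityMode: MessageSecurityMode.Sign,
    userIdentityTokens: [{ policyId: "username", tokenType: "UserName",
                           securityPolicyUri: POLICY_NONE }] },
  { // SignAndEncrypt with a token policy of None: may be used.
    endpointUrl: "opc.tcp://example:4840/encrypt",
    securityPolicyUri: POLICY_BASIC256SHA256,
    securityMode: MessageSecurityMode.SignAndEncrypt,
    userIdentityTokens: [{ policyId: "username", tokenType: "UserName",
                           securityPolicyUri: POLICY_NONE }] },
];

console.log(JSON.stringify(auditEndpoints(SAMPLE_ENDPOINTS), null, 2));
```

Run stand-alone it reports two findings: the None/None endpoint and the Sign endpoint whose token policy is None. The SignAndEncrypt endpoint with a None token policy passes, and the None endpoint whose token policy names Basic256Sha256 passes because the password is encrypted under the token policy even though the channel is not.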

Issue History

Date Modified Username Field Change
2020-12-07 18:50 Jim Luth New Issue
2020-12-07 18:50 Jim Luth Status new => assigned
2020-12-07 18:50 Jim Luth Assigned To => Matthias Damm
2020-12-07 18:50 Jim Luth Issue generated from: 0004491
2020-12-07 18:50 Jim Luth Note Added: 0013384
2020-12-07 18:50 Jim Luth Note Added: 0013385
2020-12-07 18:50 Jim Luth Note Added: 0013386
2020-12-07 18:50 Jim Luth Relationship added related to 0004491
2020-12-07 18:51 Jim Luth Project 10000-004: Services => Compliance Test Tool (CTT) Unified Architecture
2020-12-07 18:51 Jim Luth Category Spec => Api Change
2020-12-07 18:51 Jim Luth Assigned To Matthias Damm =>
2020-12-07 18:51 Jim Luth Assigned To => Jim Luth
2020-12-07 18:51 Jim Luth Status assigned => new
2020-12-07 18:51 Jim Luth Note Added: 0013387
2021-01-08 15:37 Paul Hunkar Note Added: 0013508
2021-01-08 15:38 Paul Hunkar Assigned To Jim Luth => Alexander Allmendinger
2021-01-08 15:38 Paul Hunkar Status new => assigned
2021-05-16 13:10 Alexander Allmendinger Category Api Change => 1 - Script Issue
2021-05-16 13:10 Alexander Allmendinger Target Version => 1.03.341.399
2022-08-02 20:04 Paul Hunkar Project Compliance Test Tool (CTT) Unified Architecture => CTT UA Scripts