View Issue Details

ID: 0006771
Project: 10000-004: Services
Category: Spec
View Status: public
Last Update: 2021-04-06 16:58
Reporter: Thilo Bellinger
Assigned To: Matthias Damm
Priority: normal
Severity: minor
Reproducibility: always
Status: assigned
Resolution: open
Summary: 0006771: Describe required settings and checks during creating a secure channel and session without security.
Description

"Chapter 6.1.4 Creating a SecureChannel" describes in detail how to establish a secure channel that is intended for security.
This includes the checks for the possession of trusted certificates, that the settings in CreateSession are still the same as during the last GetEndpoints and so on.

The description misses the case where a SecureChannel is established without security.
I would assume that all validations should (or shall) be omitted when no message security and no user token security is used.
The user who selects the insecure communication implicitly accepts that the communication can be corrupted, so there is no need for any security checks.

Please add some sentences to this chapter to describe which settings and checks can, should or shall be ignored for insecure communication.

Additional Information

We had an interoperability problem with another server due to differently interpreted requirements for a session without security.
The server sent no certificate in the GetEndpointsResponse, but one during the CreateSessionResponse.
Our client validated that the certificate shall be still the same and rejected the connection.

Tags: No tags attached.
Commit Version
Fix Due Date
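
The client-side comparison described in this issue, sketched as an added example (not part of the report and not code from any OPC UA stack): it shows the strict check rejecting the reported case, and the reporter's proposed relaxation applied only when neither message security nor user token security is in use. The `Endpoint` type, its fields, the function name and the `skip_when_insecure` switch are hypothetical, and the switch models the reporter's assumption, not a confirmed requirement of the specification.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Endpoint:
    """Hypothetical, reduced view of the endpoint chosen from GetEndpoints."""
    security_mode: str                   # "None", "Sign" or "SignAndEncrypt"
    user_token_secured: bool             # True if the user token needs its own protection
    server_certificate: Optional[bytes]  # DER bytes, None if the server sent none


def check_session_certificate(chosen: Endpoint, session_cert: Optional[bytes],
                              skip_when_insecure: bool) -> Tuple[bool, str]:
    """Compare the CreateSessionResponse certificate with the GetEndpoints one.

    skip_when_insecure=True models the reporter's assumption; it is not a
    statement of what the specification requires.
    """
    insecure = chosen.security_mode == "None" and not chosen.user_token_secured
    if insecure and skip_when_insecure:
        return True, "no message or user token security: comparison skipped"
    # The relaxation never applies once any security is in use.
    if not insecure and (chosen.server_certificate is None or session_cert is None):
        return False, "security in use but a certificate is missing"
    if chosen.server_certificate != session_cert:
        return False, "certificate differs from GetEndpoints"
    return True, "certificate unchanged"


# Constructed sample data, not real certificates.
CERT = b"constructed-der-bytes"
REPORTED_CASE = Endpoint("None", False, None)   # no certificate in GetEndpointsResponse
SECURED = Endpoint("SignAndEncrypt", False, CERT)
NONE_WITH_SECURED_TOKEN = Endpoint("None", True, CERT)

if __name__ == "__main__":
    cases = [
        ("reported case, strict", REPORTED_CASE, CERT, False),
        ("reported case, relaxed", REPORTED_CASE, CERT, True),
        ("secured, changed cert", SECURED, b"constructed-other", True),
        ("None + secured token, changed cert", NONE_WITH_SECURED_TOKEN, b"constructed-other", True),
    ]
    for label, endpoint, cert, skip in cases:
        print(label, "->", check_session_certificate(endpoint, cert, skip))
```
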

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2021-04-01 13:03 Thilo Bellinger New Issue
2021-04-06 16:58 Jim Luth Assigned To => Matthias Damm
2021-04-06 16:58 Jim Luth Status new => assigned