View Issue Details

ID: 0007034
Project: 10000-007: Profiles
Category: Spec
View Status: public
Last Update: 2021-11-02 16:17
Reporter: Alexander Allmendinger
Assigned To: Alexander Allmendinger
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Summary0007034: Client support for unencrypted passwords is implied as mandatory by CU description
Description

In the CU "Security User Name Password Client" the current description (see additional notes) implies that the encryption of the password is something which depends on the security policy in the User Token Policy and by this wording also implies that a client needs to support either case. This would result in the requirement for products to support sending an unencrypted password over the wire. Though this is relevant for interoperability, we have met the first vendors whose security departments are not allowing such insecure behavior. As a result such products would currently not be considered compliant.

Proposal:
Split the CU into 2 CUs where one describes the encrypted mechanism and the other one describes the unencrypted. Probably this results in having another "One of the CUs in this facet needs to be supported" CU, as probably either case is valid.

Additional Information

Current description:
A Client uses a User Name/Password combination.
The token will be encrypted if required by the security policy of the User Token Policy or by the security policy of the endpoint. An unencrypted token either requires message encryption or means outside the scope of OPC UA to secure the identity token so that it cannot be retrieved by sniffing the communication. One option would be a secure transport like a VPN.
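The rule in the current CU description (token encrypted when the effective user token security policy is not None; otherwise only a SignAndEncrypt channel, or something outside OPC UA, protects the password) can be applied on the client side before a password is ever sent. The following is an added example, not code from the issue or from the OPC Foundation; the class and function names are assumptions, while the security policy URI and the rule that an empty UserTokenPolicy securityPolicyUri inherits the endpoint's policy follow the OPC UA specification.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

# Constructed example, not OPC Foundation code. The policy URI is the real one from
# Part 7; the rule "empty securityPolicyUri => use the endpoint's" follows Part 4.
SECURITY_POLICY_NONE = "http://opcfoundation.org/UA/SecurityPolicy#None"

class MessageSecurityMode(Enum):
    NONE = "None"
    SIGN = "Sign"
    SIGN_AND_ENCRYPT = "SignAndEncrypt"

@dataclass(frozen=True)
class UserTokenPolicy:
    policy_id: str
    token_type: str                     # "UserName" is the case discussed here
    security_policy_uri: Optional[str]  # None or "" => inherit the endpoint's policy

@dataclass(frozen=True)
class EndpointDescription:
    security_mode: MessageSecurityMode
    security_policy_uri: str
    user_token_policies: Tuple[UserTokenPolicy, ...]

def effective_token_policy_uri(ep: EndpointDescription, utp: UserTokenPolicy) -> str:
    return utp.security_policy_uri or ep.security_policy_uri

def password_protection(ep: EndpointDescription, utp: UserTokenPolicy) -> str:
    """'token-encrypted': the token policy encrypts the password itself.
    'channel-encrypted': token is clear but a SignAndEncrypt channel hides it.
    'plaintext': neither; only means outside OPC UA (e.g. a VPN) could protect it."""
    if effective_token_policy_uri(ep, utp) != SECURITY_POLICY_NONE:
        return "token-encrypted"
    if ep.security_mode is MessageSecurityMode.SIGN_AND_ENCRYPT:
        return "channel-encrypted"
    return "plaintext"

def select_username_policy(ep: EndpointDescription, allow_plaintext: bool = False) -> Optional[UserTokenPolicy]:
    """First UserName policy the client may use. With the default, a client whose
    security rules forbid unencrypted passwords gets None and must not authenticate."""
    for utp in ep.user_token_policies:
        if utp.token_type != "UserName":
            continue
        if allow_plaintext or password_protection(ep, utp) != "plaintext":
            return utp
    return None
```

A client built for the "encrypted only" CU keeps the default and treats `None` as "no usable policy"; one that also implements the unencrypted CU passes `allow_plaintext=True` only when an out-of-band transport protection is known to be in place.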

Tags: No tags attached.

Activities

Jim Luth

2021-06-22 16:16

administrator   ~0014589

Agreed to split the CU into 2 to facilitate new Profiles (for 1.05). Backporting to 1.04 & 1.03 would require many new top level Profiles and potentially cause confusion with end-users.

Karl Deiretsbacher

2021-09-22 15:59

developer   ~0014924

Split the CU into 2 as described in the previous note.
This change is in the 1.05 database. The profiles are "User Token - User Name Password 2021 Client Facet" and "User Token - JWT 2021 Client Facet".

Jim Luth

2021-11-02 16:17

administrator   ~0015247

Agreed to changes in profile database.

Issue History

Date Modified Username Field Change
2021-06-17 10:00 Alexander Allmendinger New Issue
2021-06-22 16:16 Jim Luth Note Added: 0014589
2021-06-22 16:16 Jim Luth Assigned To => Alexander Allmendinger
2021-06-22 16:16 Jim Luth Status new => assigned
2021-09-22 15:59 Karl Deiretsbacher Status assigned => resolved
2021-09-22 15:59 Karl Deiretsbacher Resolution open => fixed
2021-09-22 15:59 Karl Deiretsbacher Note Added: 0014924
2021-11-02 16:17 Jim Luth Status resolved => closed
2021-11-02 16:17 Jim Luth Note Added: 0015247