View Issue Details

ID: 0009301
Project: 10000-018: Role-Based Security
Category: Spec
View Status: public
Last Update: 2024-06-12 12:54
Reporter: Jim Luth
Assigned To: Matthias Damm
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.05.02 RC1
Fixed in Version: 1.05.04 RC1
Summary: 0009301: 4.8.2 Well Known Roles - Clarify what 'valid non-anonymous credentials' are.
Description

Spec needs to clarify what 'valid non-anonymous credentials' are.

If 'valid non-anonymous credentials' include a trusted client certificate then a client using the anonymous user credential would have access to the AuthenticatedUser Role.

If they don't then a client granted SecurityAdmin role via its certificate would not have access to the AuthenticatedUser Role unless it also provides a non-anonymous user token.

Neither scenario is intuitive and would likely lead to IOP issues.

Tags: No tags attached.
Commit Version: 1.05.04 RC
Fix Due Date: 2024-01-15

Relationships

related to 0008194 (closed, Jeff Harding) 10000-003: Address Space 4.8.2 Well Known Roles - Clarify what 'valid non-anonymous credentials' are.
related to 0009302 (closed, Jeff Harding) 10000-003: Address Space 4.8.2 Well Known Roles - Clarify what 'valid non-anonymous credentials' are.

Activities

Jim Luth

2023-12-04 19:12

administrator   ~0020471

Proposal: clarify that anonymous has no credential and is never authenticated, refer to "AuthenticatedUser Role" as the "Authenticated Role", and make it clear it is not always a User.

Jeff Harding

2023-12-04 19:12

developer   ~0020472

Need to remove the term 'anonymous user' and use 'anonymous role'.

Randy Armstrong

2023-12-04 19:12

administrator   ~0020473

Updated to 4.9.1 to clarify that anonymous means no authentication at the user or application level.

Jim Luth

2023-12-04 19:14

administrator   ~0020474

Need to update special rules for Anonymous and AuthenticatedUser based on the new text in Part 3.

Matthias Damm

2023-12-04 19:39

developer   ~0020481

The special rules are related to the capability to change the identity mapping.
It makes no sense to allow changes to the identity mapping for Role Anonymous.
Need to discuss if changes to Role AuthenticatedUser make sense.

Jim Luth

2024-05-14 15:46

administrator   ~0021200

Also need to describe the case where a well-known role is removed from the RoleSet Object.

Matthias Damm

2024-06-12 12:54

developer   ~0021314

4.3 RoleSet
Added TrustedApplication Role that is new in Part 3

Added clarifications:
The Anonymous Role is the default Role which is always assigned to all Sessions.
The default Identities for the TrustedApplication Role should be an identity with the criteriaType IdentityCriteriaType.TrustedApplication.
A Server shall not allow changes to the Roles Anonymous, AuthenticatedUser and TrustedApplication.
A Server shall not allow the deletion of the well-known Roles Anonymous, AuthenticatedUser and TrustedApplication.

4.4.4 IdentityCriteriaType
Added
TrustedApplication
The rule specifies any trusted application that has been authenticated with a trusted ApplicationInstance Certificate (see OPC 10000-4).

4.4.3 IdentityMappingRuleType
Added
If the criteriaType is TrustedApplication, the criteria is a null or empty string which includes any Client application with a trusted ApplicationInstance Certificate. The Client Certificate shall be trusted by the Server and the Session shall use at least a signed communication channel.
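The following is an added illustration of how a Server would assign the well-known Roles to a Session under the rules summarised in note ~0021314; it is not OPC Foundation code and not taken from any OPC UA stack. The model encodes exactly the three decisions the note separates: Anonymous is always assigned, AuthenticatedUser depends only on a validated non-anonymous user token, and TrustedApplication depends only on a trusted ApplicationInstance Certificate over a signed channel. The Application and UserName criteria types are the Part 18 4.4.4 types used here only to model a configured SecurityAdmin rule; the SecurityAdmin mapping, the ApplicationUri values, the user names and the requirement that an Application rule also needs an authenticated application are hypothetical configuration and assumptions of this example.

```python
"""Toy model of well-known Role assignment for an OPC UA Session (added example,
not OPC Foundation code). SecurityAdmin mapping and URIs are hypothetical."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set

class MessageSecurityMode(Enum):
    NONE = "None"
    SIGN = "Sign"
    SIGN_AND_ENCRYPT = "SignAndEncrypt"

class UserTokenType(Enum):
    ANONYMOUS = "Anonymous"
    USERNAME = "UserName"

class IdentityCriteriaType(Enum):
    # Anonymous, AuthenticatedUser and TrustedApplication are the types discussed on
    # this page; Application (criteria = ApplicationUri) and UserName are Part 18
    # 4.4.4 types used here only to model a configured SecurityAdmin rule.
    ANONYMOUS = "Anonymous"
    AUTHENTICATED_USER = "AuthenticatedUser"
    TRUSTED_APPLICATION = "TrustedApplication"
    APPLICATION = "Application"
    USERNAME = "UserName"

_NO_CRITERIA = {IdentityCriteriaType.ANONYMOUS, IdentityCriteriaType.AUTHENTICATED_USER,
                IdentityCriteriaType.TRUSTED_APPLICATION}

@dataclass(frozen=True)
class IdentityMappingRule:
    criteria_type: IdentityCriteriaType
    criteria: Optional[str] = None

    def __post_init__(self) -> None:
        # 4.4.3: a TrustedApplication rule takes a null or empty criteria string;
        # anything else is treated as a misconfiguration rather than silently ignored.
        if self.criteria_type in _NO_CRITERIA and self.criteria:
            raise ValueError(f"{self.criteria_type.value} rule takes a null or empty criteria")

@dataclass(frozen=True)
class Session:
    """Facts the Server holds after ActivateSession; the user token and the Client
    ApplicationInstance Certificate are assumed to have been validated already."""
    security_mode: MessageSecurityMode
    client_cert_trusted: bool      # Client Certificate is in the Server's trust list
    application_uri: str           # ApplicationUri taken from the Client Certificate
    user_token_type: UserTokenType
    user_name: Optional[str] = None

RoleSet = Dict[str, List[IdentityMappingRule]]
FIXED_WELL_KNOWN_ROLES = frozenset({"Anonymous", "AuthenticatedUser", "TrustedApplication"})

def application_authenticated(s: Session) -> bool:
    """4.4.3: trusted Client Certificate and at least a signed communication channel."""
    return s.client_cert_trusted and s.security_mode is not MessageSecurityMode.NONE

def rule_matches(rule: IdentityMappingRule, s: Session) -> bool:
    t = rule.criteria_type
    if t is IdentityCriteriaType.ANONYMOUS:
        return True                        # default Role, assigned to every Session
    if t is IdentityCriteriaType.AUTHENTICATED_USER:
        # Only a validated non-anonymous *user* token counts; a trusted Client
        # Certificate by itself never authenticates the user.
        return s.user_token_type is not UserTokenType.ANONYMOUS
    if t is IdentityCriteriaType.TRUSTED_APPLICATION:
        return application_authenticated(s)
    if t is IdentityCriteriaType.APPLICATION:
        # Assumption of this example: an ApplicationUri is only believed when it
        # comes from an authenticated application, so the same channel check applies.
        return application_authenticated(s) and s.application_uri == rule.criteria
    if t is IdentityCriteriaType.USERNAME:
        return s.user_token_type is UserTokenType.USERNAME and s.user_name == rule.criteria
    return False

def roles_for_session(role_set: RoleSet, s: Session) -> Set[str]:
    return {name for name, rules in role_set.items() if any(rule_matches(r, s) for r in rules)}

def set_identities(role_set: RoleSet, name: str, rules: List[IdentityMappingRule]) -> None:
    """4.3: no changes to Anonymous, AuthenticatedUser or TrustedApplication."""
    if name in FIXED_WELL_KNOWN_ROLES:
        raise PermissionError(f"Identities of well-known Role {name} are fixed")
    role_set[name] = list(rules)

def remove_role(role_set: RoleSet, name: str) -> None:
    """4.3: those three well-known Roles cannot be deleted from the RoleSet."""
    if name in FIXED_WELL_KNOWN_ROLES:
        raise PermissionError(f"Well-known Role {name} cannot be deleted")
    del role_set[name]

def default_role_set(admin_app_uri: str) -> RoleSet:
    R, C = IdentityMappingRule, IdentityCriteriaType
    return {
        "Anonymous": [R(C.ANONYMOUS)],
        "AuthenticatedUser": [R(C.AUTHENTICATED_USER)],
        "TrustedApplication": [R(C.TRUSTED_APPLICATION)],
        "SecurityAdmin": [R(C.APPLICATION, admin_app_uri)],   # hypothetical: admin via certificate
    }

def scenarios() -> Dict[str, Set[str]]:
    """The two cases from the issue description plus two baselines (constructed inputs)."""
    rs = default_role_set("urn:example:admin-tool")
    M, U = MessageSecurityMode, UserTokenType
    cases = {
        "anon_token_trusted_cert": Session(M.SIGN, True, "urn:example:hmi", U.ANONYMOUS),
        "anon_token_admin_cert": Session(M.SIGN_AND_ENCRYPT, True, "urn:example:admin-tool", U.ANONYMOUS),
        "user_token_admin_cert": Session(M.SIGN_AND_ENCRYPT, True, "urn:example:admin-tool", U.USERNAME, "alice"),
        "user_token_no_security": Session(M.NONE, False, "urn:example:hmi", U.USERNAME, "bob"),
    }
    return {k: roles_for_session(rs, s) for k, s in cases.items()}

if __name__ == "__main__":
    for name, roles in scenarios().items():
        print(f"{name:<26} -> {sorted(roles)}")
```

The second case is the one the reporter flagged: an anonymous user token from an application whose certificate earns SecurityAdmin gets SecurityAdmin and TrustedApplication but not AuthenticatedUser, and only adding a user name token (third case) grants it. The last case shows the other direction: a validated user name token over an unsecured channel with an untrusted certificate is AuthenticatedUser but not TrustedApplication. Keeping the two checks independent is what removes the ambiguity in 'valid non-anonymous credentials'.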

Jim Luth

2024-06-12 12:54

administrator   ~0021315

Agreed to changes edited in Virtual F2F.

Issue History

Date Modified Username Field Change
2023-12-04 19:12 Jim Luth New Issue
2023-12-04 19:12 Jim Luth Status new => assigned
2023-12-04 19:12 Jim Luth Assigned To => Jeff Harding
2023-12-04 19:12 Jim Luth Issue generated from: 0008194
2023-12-04 19:12 Jim Luth Note Added: 0020471
2023-12-04 19:12 Jim Luth Note Added: 0020472
2023-12-04 19:12 Jim Luth Note Added: 0020473
2023-12-04 19:12 Jim Luth Relationship added related to 0008194
2023-12-04 19:13 Jim Luth Project 10000-003: Address Space => 10000-018: Role-Based Security
2023-12-04 19:13 Jim Luth Assigned To Jeff Harding => Matthias Damm
2023-12-04 19:14 Jim Luth Note Added: 0020474
2023-12-04 19:15 Jim Luth Commit Version => 1.05.04 RC
2023-12-04 19:15 Jim Luth Fix Due Date => 2024-01-15
2023-12-04 19:39 Matthias Damm Note Added: 0020481
2024-05-14 15:46 Jim Luth Note Added: 0021200
2024-05-14 15:49 Jim Luth Relationship added related to 0009302
2024-06-12 12:54 Matthias Damm Status assigned => resolved
2024-06-12 12:54 Matthias Damm Resolution open => fixed
2024-06-12 12:54 Matthias Damm Fixed in Version => 1.05.04 RC1
2024-06-12 12:54 Matthias Damm Note Added: 0021314
2024-06-12 12:54 Jim Luth Status resolved => closed
2024-06-12 12:54 Jim Luth Note Added: 0021315