View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0009919 | 10000-004: Services | Spec | public | 2024-10-16 13:45 | 2025-03-10 18:02 |
Reporter | Randy Armstrong | Assigned To | Matthias Damm | ||
Priority | normal | Severity | minor | Reproducibility | have not tried |
Status | resolved | Resolution | fixed | ||
Summary | 0009919: Need to restrict the security policies allowed for user tokens. | ||||
Description | https://reference.opcfoundation.org/Core/Part4/v105/docs/7.41.4 Need to restrict the security policies allowed for user tokens. If ED is SecurityMode None then UT may be any SecurityPolicy from other EDs supported by the Server that use the same Certificate as provided in the ED. If ED is not None + SignOnly, then the UT SecurityPolicy is not specified. If ED is not None + EncryptAndSign, the UT SecurityPolicy is not specified. If ED is None and TLS for transport then UT SecurityPolicy may be None (this assumes TLS is always encrypted). | ||||
Tags | No tags attached. | ||||
Commit Version | 1.05.06 RC1 | ||||
Fix Due Date | 2025-04-30 | ||||
Note 0021918 | Jouni Aro | 2024-10-17 15:33
I don't think it's important to limit the UserTokenPolicies. Instead, it would be important to define that 'UserNameIdentityToken.encryptionAlgorithm' must not be used and that the 'UserNameIdentityToken.policyId' should always be used instead to define the encryption algorithm. That way the server can decide which algorithms are valid and the clients cannot overcome that.

Note 0022496 | Matthias Damm | 2025-03-10 18:02
Added the following clarification to 7.41.4 UserNameIdentityToken: "If the SecurityMode is not NONE, it is recommended to use the same SecurityPolicy for SecureChannel and user token. The SecurityPolicy used for the user token shall match the Certificate type of the EndpointDescription."
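The server-side check the two notes above describe, as an added example in Python; it is not OPC Foundation code nor any SDK's. It models the rule the resolution adds (the user token SecurityPolicy must fit the certificate type of the EndpointDescription) together with Jouni Aro's point that the policyId, not the client-supplied encryptionAlgorithm, decides the algorithm, and the description's case of a None endpoint whose token is still protected by a TLS transport. The field names, the policy-to-key-type table, the choice that a None token policy is only accepted over a SignAndEncrypt channel or an encrypted transport (Sign alone leaves the password in clear), the status codes used for rejection and the sample endpoints are all assumptions made for this example.

```python
"""Server-side choice of the SecurityPolicy that protects a UserNameIdentityToken.

Added example, not OPC Foundation or SDK code. policyId selects the UserTokenPolicy,
which fixes the password algorithm; the client's encryptionAlgorithm is checked, never
trusted; policy None needs an encrypting channel; the policy must fit the ED's certificate.
"""
from __future__ import annotations
from dataclasses import dataclass, replace
from typing import List, Optional

SP = "http://opcfoundation.org/UA/SecurityPolicy#"
NONE = SP + "None"
RSA_OAEP = "http://www.w3.org/2001/04/xmlenc#rsa-oaep"
RSA_OAEP_SHA256 = "http://opcfoundation.org/UA/security/rsa-oaep-sha2-256"

# Assumed table: certificate key type a policy needs and the password-encryption
# algorithm URI it implies (ECC policies carry no separate URI in this model).
POLICIES = {
    NONE: (None, None),
    SP + "Basic256Sha256": ("RSA", RSA_OAEP),
    SP + "Aes256_Sha256_RsaPss": ("RSA", RSA_OAEP_SHA256),
    SP + "ECC_nistP256": ("ECC_nistP256", None),
}

@dataclass
class UserTokenPolicy:
    policy_id: str
    security_policy_uri: Optional[str] = None  # empty: use the SecureChannel policy

@dataclass
class EndpointDescription:
    security_mode: str                   # "None", "Sign" or "SignAndEncrypt"
    security_policy_uri: str
    certificate_key_type: Optional[str]  # key type of the certificate in the ED
    user_token_policies: List[UserTokenPolicy]
    transport_encrypted: bool = False    # TLS underneath, e.g. opc.https

@dataclass
class UserNameIdentityToken:
    policy_id: str
    user_name: str
    encryption_algorithm: Optional[str] = None  # client-supplied, never authoritative

class TokenRejected(Exception):
    """Message starts with the OPC UA status code the server would answer with."""

def select_user_token_policy(ed: EndpointDescription, token: UserNameIdentityToken):
    """Return (security_policy_uri, password_alg) the server will use, or raise."""
    utp = next((p for p in ed.user_token_policies if p.policy_id == token.policy_id), None)
    if utp is None:
        raise TokenRejected("Bad_IdentityTokenInvalid; unknown policyId %r" % token.policy_id)
    policy = utp.security_policy_uri or ed.security_policy_uri
    if policy not in POLICIES:
        raise TokenRejected("Bad_SecurityPolicyRejected; unsupported policy %s" % policy)
    key_type, password_alg = POLICIES[policy]
    # Password must be encrypted by the token policy, the channel or the transport (assumption).
    if policy == NONE and not (ed.security_mode == "SignAndEncrypt" or ed.transport_encrypted):
        raise TokenRejected("Bad_SecurityPolicyRejected; password would be sent in clear")
    # Resolution of this issue: the token policy must match the ED's certificate type.
    if key_type is not None and key_type != ed.certificate_key_type:
        raise TokenRejected("Bad_SecurityPolicyRejected; %s needs a %s certificate"
                            % (policy.rsplit("#", 1)[1], key_type))
    # The algorithm follows from the policy; a client-supplied encryptionAlgorithm is
    # only checked for consistency, so the client cannot pick a different one.
    if token.encryption_algorithm and token.encryption_algorithm != password_alg:
        raise TokenRejected("Bad_IdentityTokenRejected; encryptionAlgorithm does not match policy")
    return policy, password_alg

# Constructed sample endpoints, not taken from a real server.
RSA_NONE_ED = EndpointDescription("None", NONE, "RSA", [
    UserTokenPolicy("username_rsa", SP + "Basic256Sha256"),  # password encrypted anyway
    UserTokenPolicy("username_channel"),                    # inherits the channel policy
])
ECC_ED = EndpointDescription("SignAndEncrypt", SP + "ECC_nistP256", "ECC_nistP256", [
    UserTokenPolicy("username_rsa", SP + "Basic256Sha256"),  # misconfigured: wrong key type
    UserTokenPolicy("username_channel"),
])

def demo() -> List[str]:
    """Run the constructed cases; one outcome string per case."""
    cases = [
        (RSA_NONE_ED, UserNameIdentityToken("username_rsa", "alice")),
        (RSA_NONE_ED, UserNameIdentityToken("username_channel", "alice")),
        (replace(RSA_NONE_ED, transport_encrypted=True),
         UserNameIdentityToken("username_channel", "alice")),
        (RSA_NONE_ED, UserNameIdentityToken("username_rsa", "alice", RSA_OAEP_SHA256)),
        (ECC_ED, UserNameIdentityToken("username_rsa", "alice")),
        (ECC_ED, UserNameIdentityToken("username_channel", "alice")),
        (ECC_ED, UserNameIdentityToken("no_such_policy", "alice")),
    ]
    out = []
    for ed, tok in cases:
        try:
            policy, _alg = select_user_token_policy(ed, tok)
            out.append("OK " + policy.rsplit("#", 1)[1])
        except TokenRejected as exc:
            out.append("REJECT " + str(exc).split(";")[0])
    return out

if __name__ == "__main__":
    print("\n".join(demo()))
```

The order of the checks is deliberate: the policy is resolved from the server's own UserTokenPolicy before the client's encryptionAlgorithm is even looked at, so a client cannot downgrade the password protection by naming a different algorithm, and a None endpoint still gets an encrypted password when its UserTokenPolicy names an RSA policy backed by the endpoint's RSA certificate.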
Date Modified | Username | Field | Change |
---|---|---|---|
2024-10-16 13:45 | Randy Armstrong | New Issue | |
2024-10-16 15:31 | Randy Armstrong | Description Updated | |
2024-10-16 15:32 | Randy Armstrong | Description Updated | |
2024-10-17 15:33 | Jouni Aro | Note Added: 0021918 | |
2025-02-25 16:53 | Jim Luth | Assigned To | => Matthias Damm |
2025-02-25 16:53 | Jim Luth | Status | new => assigned |
2025-02-25 16:54 | Jim Luth | Commit Version | => 1.05.06 RC1 |
2025-02-25 16:54 | Jim Luth | Fix Due Date | => 2025-04-30 |
2025-03-10 18:02 | Matthias Damm | Status | assigned => resolved |
2025-03-10 18:02 | Matthias Damm | Resolution | open => fixed |
2025-03-10 18:02 | Matthias Damm | Note Added: 0022496 | |