-
Notifications
You must be signed in to change notification settings - Fork 0
/
draft-hallambaker-omnibroker-02.xml
2291 lines (2073 loc) · 71.3 KB
/
draft-hallambaker-omnibroker-02.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd"[
<!ENTITY rfc2629 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2629.xml'>
<!ENTITY RFC1035 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.1035.xml">
<!ENTITY RFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY RFC2629 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2629.xml">
<!ENTITY RFC5280 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5280.xml">
<!ENTITY RFC3552 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3552.xml">
<!ENTITY RFC3642 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3642.xml">
<!ENTITY RFC4033 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4033.xml">
<!ENTITY RFC4055 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4055.xml">
<!ENTITY RFC4648 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4648.xml">
<!ENTITY RFC5395 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5395.xml">
<!ENTITY RFC4366 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4366.xml">
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc strict="yes" ?>
<?rfc toc="yes"?>
<?rfc tocdepth="4"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes" ?>
<?rfc compact="yes" ?>
<?rfc subcompact="no" ?>
<rfc category="std" docName="draft-hallambaker-omnibroker-02" ipr="trust200902">
<front>
<title abbrev="OmniBroker Protocol">OmniBroker Protocol</title>
<author fullname="Phillip Hallam-Baker" initials="P. M." surname="Hallam-Baker">
<organization>Comodo Group Inc.</organization>
<address>
<email>[email protected]</email>
</address>
</author>
<date day="30" month="July" year="2012" />
<area>General</area>
<workgroup>Internet Engineering Task Force</workgroup>
<abstract>
<t>
An Omnibroker is an agent chosen and trusted by an Internet user to
provide information such as name and certificate status information
that are in general trusted even if they are not trustworthy.
Rather than acting as a mere conduit for information provided by
existing services, an Omnibroker is responsible for curating those
sources to protect the user.
</t>
<t>
The Omnibroker Protocol (OBP) provides an aggregated interface to
trusted Internet services including DNS, OCSP and various forms
of authentication service. Multiple transport bindings are
supported to permit efficient access in virtually every common
deployment scenario and ensure access in any deployment
scenario in which access is not being purposely denied.
</t>
</abstract>
</front>
<middle>
<section title="Definitions">
<section title="Requirements Language">
<t>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref target="RFC2119">RFC 2119</xref>.
</t>
</section>
</section>
<section title="Purpose">
<t>
An Omnibroker is an agent chosen and trusted by an Internet user to
provide information such as name and certificate status information
that are in general trusted even if they are not trustworthy.
Rather than acting as a mere conduit for information provided by
existing services, an Omnibroker is responsible for curating those
sources and providing autheticated, curated results to the endpoint
client.
</t>
<t>
Unlike the traditional trusted information services that are expected
to deliver the same response to a query regardless of who asks the
question, OBP permits an Omnibroker to return a response that is
tailored to the specific party asking the question. This permits the
use of an authentication approach that has negligible impact
on performance and permits an
Omnibroker to answer questions that a traditional public Internet
information service could not. In particular, an Omnibroker
can broker peer to peer connections
</t>
<section title="A Curated Service">
<t>
In the traditional configuration, an Internet host accepts DNS service
from the IP address specified by the local network provider, frequently
the DNS server advertised by the local DHCP service. This approach
creates an obvious security risk as DNS is clearly a trusted service
and a random DNS service advertised by the local DNS is clearly not
trustworthy.
</t>
<t>
A policy of only using a chosen DNS service provides a reduction in
risk but only a modest one since the standard DNS service does not
provide authenticated results. Many local area networks intercept all
DNS traffic and process it through the local DNS server regardless
of the intended destination IP address. This practice is highly
desirable if it would prevent a client from accessing an untrustworthy
DNS service in place of a trustworthy local DNS service and
extreemly undesirable in the contrary case.
</t>
<t>
In addition to ensuring the authenticity of DNS resolution responses,
such services frequently provide filtering of Internet addresses
the network provider considers undesirable. Many workplaces block access
to Web sites that are considered detrimental to productivity.
Many parent subscribe to services that filter content they consider
undesirable. While the value of such services is debatable they
are services that those customers have chosen to deploy on their
networks to meet their perceived security requirements. New security
proposals that do not support such capabilities or seek to
actually circumvent them will not be acceptable to those
constituencies.
</t>
<t>
While DNS filtering is a form of censorship, not all forms of
DNS filering are intrinsically undesirable censorship. Spam filtering
is also a form of censorship albeit one that is not normally
regarded as such because it most Internet users now consider it to
be an essential security control. Anti-Virus tools are also a form
of censorship. DNS filtering tools that block access to sites that
distribute malware are also a form of censorship and are rapidly
gaining popularity for the same reason.
</t>
<t>
While all forms of censorship raise civil liberties concerns,
censorship should not automatically raise civil liberties objections.
It is not the fact that filtering is taking place but
the party that is in control of the filtering that should
raise civil liberties concerns. In an Internet of
2 billion users, all users are obliged to perform some filtering.
OBP is designed to make the party that is in control of the
filtering process apparent and provide the end user with the
ability to select the Omnibroker of their choice.
</t>
<t>
DNSSEC provides a means of determining that a DNS record is the
authentic record published by the source but this capability alone
does not meet the security requirements for DNS resolution services
as they have come to be understood since the protocol was first proposed.
</t>
<t>
Internet users want to be safe from all forms of attack, not just
the DNS resolver mani-in-the-middle attack that 'end-to-end'
deployment of DNSSEC is designed to address. An Internet user is
far more likely to be directed to a site with a DNS name controlled
by a criminal gang than be subject to a man-in-the-middle attack.
</t>
<t>
Most users would prefer to have an Internet connection that is
'curated' to remove at least some of the locations they consider
to be undesirable. The fact that an organised criminal gang has put
a host on the Internet does not mean that any other Internet user
should be obliged to allow it to connect to any of the machines that
they own.
</t>
<t>
The same argument for curating the raw results applies to
other forms of trusted information service. The fact that a
Certificate Authority has issued a digital certificate and
considers it to be valid should not mean that the end party
is automatically considered trustworthy by anyone and for
any purpose.
</t>
<t>
The deployment of security policy capabilities presents another
case in which direct reliance on raw data is undesirable. While
security policies such as 'host always offers TLS' or 'mail
server always signs outgoing mail with DKIM' can provide
considerable security advantages, only some of the security
policy information that is published is accurate and kept
up to date. Curating such data sources typically proves
essential if an unacceptable rate of false positives is
to be avoided.
</t>
<t>
Although a client is permitted to curate its own data sources
it rarely has a sufficient amount of data to make decisions
as accurately as a network service that can draw on a wide
variety of additional data including tracking of communication
patterns, historical data series and third party reputation
services.
</t>
<t>
Curation in the network offers better asgility than the client
approach. Agility is an important consideration when an attacker
changes their strategy rapidly and repeatedly to counter
new defensive controls.
</t>
<t>
While curating trusted data sources is an established and
proven practice, current practice has been to curate each
source individually. This approach avoids the need to write
a new protocol but limits the information a curator can
leverage to detect potential danger. Leveraging multiple
data sources simultaneously allows better accuracy than
applying each individually.
</t>
</section>
<section title="Connection Broker">
<t>
The OBP service connection broker answers the query 'what connection
parameters should be used to establish the best connection
to interract with party X according to protocol Y. Where 'best'
is determined by the Omnibroker which MAY take into account
parameters specified by the relying party.
</t>
<section title="Service Connection Broker">
<t>
The OBP service connection broker supports and extends the traditional
DNS resolution service that resolves a DNS name (e.g. www.example.com) to
return an IP address (e.g. 10.1.2.3).
</t>
<t>
When using an Omnibroker as a service connection broker, a client
specifies both the DNS name (e.g. www.example.com) and the
Internet protocol to be used (e.g. _http._tcp). The returned
connection parameters MAY include:
</t>
<t>
<list>
<t>
The IP protocol version, address and port number to
establish a connection to.
</t>
<t>
If appropriate, a security transport such as TLS or IPSEC.
</t>
<t>
If appropriate, a description of a service credential such
as a TLS certificate or a constraint on the type of certificates
that the client should consider acceptable.
</t>
<t>
If appropriate, application protocol details such as
version and protocol options.
</t>
</list>
</t>
<t>
If an attempt to connect with the parameters specified fails, a
client MAY report the failure and request a new set of parameters.
</t>
</section>
<section title="Peer Connection Broker">
<t>
Each OBP request identifies both the account under which the
request is made and the device from which it is made. An OBP broker
is thus capable of acting as a peer connection broker service
or providing a gateway to such a service.
</t>
<t>
When using Omnibroker as a peer connection broker, a client
specifies the account name and DNS name of the party with which
a connection is to be established (e.g. [email protected])
and the connection protocol to be used (e.g. _xmpp-client._tcp)
</t>
<t>
The returned
connection parameters are similar to those returned in response to a
service broker query.
</t>
</section>
<section title="Connection Broker API">
<t>
In the traditional BSD sockets API a network client performs
a series of calls to resolve a network name to a list of IP
addresses, selects one and establishes an IP connection to
a port specified by the chosen application protocol.
</t>
<t>
OBP anticipates a higher level abstract API that encapsulates
this complexity, hiding it from the application code.
</t>
<t>
In the case that one (or more) OBP services are configured,
the library supporting the SHOULD obtain connection parameters
from the OBP service. Otherwise, it SHOULD establish a connection
using the traditional calling sequence of resolving a host
name to obtain an IP address, etc.
</t>
</section>
</section>
<section title="Service Advertisement">
<t>
Service advertisement is the converse of service resolution. An
Internet application wishing to accept inbound connections specifies
one or more sets of connection parameters for the Omnibroker to
register with whatever naming, discovery or other services may
be appropriate.
</t>
<t>
</t>
<section title="Connection Advertisement API">
<t>
OBP anticipates the use of a high level API for connection advertisement
that is the converse of the Connection broker API. Instead
of establishing a connection, the API is used to advertise
that a connection is offered either as a service or a peer.
</t>
<t>
An application MAY offer multiple types of connection with
different connection properties (e.g. IPv4/IPv6, with and
without SSL, etc.). This MAY be supported by marking certain
properties as being optional and/or by permitting the
API to be called multiple times with different properties
specified.
</t>
</section>
</section>
<section title="Credential Validation Broker">
<t>
A credential validation broker reports on the validity and
trustworthiness of credentials presented to a client by Internet
services and/or peers.
</t>
<t>
The service provided by OBP is similar to that provided by
OCSP and SCVP. Like SCVP, OBP is an agent selected by the
relying party to validate certificates and/or construct
trust paths on its behalf.
</t>
</section>
<section title="Authentication Gateway">
<t>
Every OBP request is strongly authenticated by means of a shared
secret that is unique to the account and the device. This may be
leveraged to permit use as an authentication gateway, providing
access to other credentials that the client has established the
right to use.
</t>
<t>
An Authentication Gateway MAY provide access to account names and
passwords that the account holder has chosen to store in the cloud for
access to sites that do not support a stronger,
cryptographically based form of
authentication such as OAuth.
</t>
</section>
<section title="Credential Announcement">
<t>
An Authentication Gateway can only provide access to credentials
that it has notice of. A client uses the Credential Announcement
transaction to advise the service of a new credential.
</t>
</section>
</section>
<section title="Omnibroker Connection Maintenance Service">
<section title="Authentication">
<t>
The principle function of the OBP Connection Maintenance Protocol
is to establish and maintain the cryptographic parameters
used to authenticate and encrypt
</t>
<t>
The user needs to authenticate the broker service regardless
of any authentication requirements of the broker.
</t>
<section title="Broker Authentication">
<t>
The OBP connection maintenance protocol transport MUST provide
a trustworthy means of verifying the identity of the broker
(e.g. an Extended Validation SSL certificate).
</t>
<t>
If the device supports a display capability, authentication of the
device and user MAY be achieved by means of an authentication
image. Such an authentication image is generated by the broker and
passed to the client in the OpenResponse message. The user then
verifies that the image presented on the device display is the same
as that presented on the account maintenance console.
</t>
</section>
<section title="Device Authentication">
<t>
If device authentication is required, the mechanism to be used depends on
the capabilities of the device, the requirements of the broker and
the existing relationship between the user and the broker.
</t>
<t>
If the device supports some means of data entry, authentication
MAY be achieved by entering a passcode into the device that was
previously delivered to the user out of band.
</t>
<t>
The passcode authentication mechanism allows the device to establish
a proof that it knows the passcode without disclosing the passcode.
This property provides protection against Man-In-The-Middle type
disclosure attacks.
</t>
</section>
<!-- Begin section of automatically generated text
Line wrap = 66
-->
<section title="Illustrative example" anchor="ConnectionRequestExample">
<t>
Alice is an employee of Example Inc. which runs its own
local omnibroker service 'example.com'.
To configure her machine for use
with this service, Alice contacts her network
administrator who assigns her the account identifier
'alice' and obtains a PIN number from the service
'Q80370-1RA606-F04B'
</t>
<t>
Alice enters the values '[email protected]' and
'Q80370-1RA606-F04B' into her Omnibroker-enabled
Web browser.
</t>
<t>
The Web browser uses the local DNS to resolve
'example.com'
and establishes a HTTPS connection to the specified IP
address.
The client verifies that the certificate presented has
a valid
certificate chain to an embedded trust anchor under an
appropriate certificate policy (e.g. compliant with
Extended Validation
Criteria defined by CA-Browser Forum).
</t>
<t>
Having established an authenticated and encrypted TLS
session to the Omnibroker service, the client sends
an OpenRequest message to begin the process of mutual
authentication. This message specifies the
cryptographic
parameters supported by the client (Authentication,
Encryption)
and a nonce value (Challenge), device identification
parameters (DeviceID, DeviceURI, DeviceName) and the
name of the account being requested.
</t>
<t>
The client does not specify the PIN code in the
request,
nor is the request authenticated. Instead the client
informs
the server that it has a PIN code that can be supplied
if
necessary.
</t>
<figure>
<artwork>
<![CDATA[Post / HTTP/1.1
Host: example.com
Cache-Control: no-store
Content-Type: Application/json;charset=UTF-8
Content-Length: 470
{
"OpenRequest": {
"Encryption": ["HS256",
"HS384",
"HS512",
"HS256T128"],
"Authentication": ["A128CBC",
"A256CBC",
"A128GCM",
"A256GCM"],
"Account": "alice",
"Domain": "example.com",
"HavePasscode": true,
"HaveDisplay": true,
"Challenge": "d2gdVeQesS3UTOgtK4JSEg==",
"DeviceID": "Serial:0002212",
"DeviceURI": "http://comodo.com/dragon/v3.4",
"DeviceName": "Comodo Dragon"}}]]>
</artwork>
</figure>
<t>
The service receives the request. If the request is
consistent
with the access control policy for the server it
returns a
reply that specifies the chosen cryptographic
parameters
(Cryptographic), responds to the client issued by the
client to establish server proof of knowsledge of the
PIN
(ChallengeResponse) and issues a challenge to the
client
(Challenge).
</t>
<t>
The cryptographic parameters specify algorithms to be
used
for encryption and authentication, a shared secret and
a
ticket value. Note that while the shared secret is
exchanged
in plaintext form in the HTTP binding, the connection
protocol MUST provide encryption.
</t>
<figure>
<artwork>
<![CDATA[HTTP/1.1 203 Passcode
Content-Type: application/json;charset=UTF-8
Content-Length: 500
{
"OpenResponse": {
"Status": 203,
"StatusDescription": "Passcode",
"Cryptographic": [{
"Secret": "11bmdFi9Et7KIUg8aeN2AQ==",
"Encryption": "A128CBC",
"Authentication": "HS256",
"Ticket":
"TUMnorO0SjHHS7D2uFcGlRYJ0Hd3eibwe0ogptoNMQuCYmCHfHAJcJlyvi
j8WoXDglTSOkctnmoBzl8W0NLSlcgSyZcmsAyoWs8y1Rn2ZlO2WBgoWrFIO
qPa4oB29dgs/ei6ieINZtmvXNCm2NUkWA=="}],
"Challenge": "alX8aAWH6acSqO3FTT94HA==",
"ChallengeResponse": "enT5myMw8w2hV4H32Ntx/g=="}}]]>
</artwork>
</figure>
<t>
To complete the transaction, the client sends a
TicketRequest message
to the serice containing a response to the PIN
challenge sent by the
service (ChallengeResponse).
The TicketRequest message is authenticated under the
shared secret specified
in the OpenResponse message.
</t>
<figure>
<artwork>
<![CDATA[Post / HTTP/1.1
Host: example.com
Cache-Control: no-store
Content-Type: Application/json;charset=UTF-8
Content-Length: 78
Content-Integrity:
mac=cjkMkfnnYP8JYWZAbRLvtpqImmOK3rsrOT1XcvAgHDk=;
ticket=TUMnorO0SjHHS7D2uFcGlRYJ0Hd3eibwe0ogptoNMQuCYmCHfHAJcJlyvi
j8WoXDglTSOkctnmoBzl8W0NLSlcgSyZcmsAyoWs8y1Rn2ZlO2WBgoWrFIOqPa4
oB29dgs/ei6ieINZtmvXNCm2NUkWA==
{
"TicketRequest": {
"ChallengeResponse": "TctLOG74cwpm26YNpEibcQ=="}}]]>
</artwork>
</figure>
<t>
If the response to the PIN challenge is correct, the service
responds
with a message that specifies a set of cryptographic parameters
to be
used to authenticate future interactions with the service
(Cryptographic)
and a set of connection parameters for servers supporting the
Query Service (Service).
</t>
<t>
In this case the server returns three connections, each
offering a
different transport protocol option. Each connection specifies
its
own set of cryptographic parameters (or will when the code is
written
for that).
</t>
<figure>
<artwork>
<![CDATA[HTTP/1.1 200 Complete
Content-Type: application/json;charset=UTF-8
Content-Length: 1907
Content-Integrity:
mac=nKhjR1r2eYPga0rmDfHT4HOvgQ+EuUoQPwzIl0btljs=;
ticket=TUMnorO0SjHHS7D2uFcGlRYJ0Hd3eibwe0ogptoNMQuCYmCHfHAJcJlyvi
j8WoXDglTSOkctnmoBzl8W0NLSlcgSyZcmsAyoWs8y1Rn2ZlO2WBgoWrFIOqPa4
oB29dgs/ei6ieINZtmvXNCm2NUkWA==
{
"TicketResponse": {
"Status": 200,
"StatusDescription": "Complete",
"Cryptographic": [{
"Protocol": "OBPConnection",
"Secret": "HQuQg4GkzTwTVoGxar0EXg==",
"Encryption": "A128CBC",
"Authentication": "HS256",
"Ticket":
"0ulMVMMfY/pLHZ0FlIy2zDnNycYz9Znvs3JJYQGlZ+dWaxMNxm/jLEsJd/
0qsAc5qp8fjBoMN49V9DkDgM4UYJxVriqfr64RyTTgug2taHY="}],
"Service": [{
"Name": "obp1.example.com",
"Port": 443,
"Address": "10.1.2.3",
"Priority": 1,
"Weight": 100,
"Transport": "WebService",
"Cryptographic": {
"Protocol": "OBPQuery",
"Secret": "kezeXxhkzXgxY7vpkHUb1g==",
"Encryption": "A128CBC",
"Authentication": "HS256",
"Ticket":
"jpBXvI7/0WTmwI2NN4n7Vvw96nbS9LpSsSNMIkdapiUoLikSkjpgMrtb
VKz5lHOPloCgAyZXxfZpQRsp4oPY4BcRaMw6F5na62IHnBVDeXg="}},
{
"Name": "dns1.example.com",
"Port": 53,
"Address": "10.1.2.2",
"Priority": 1,
"Weight": 100,
"Transport": "DNS",
"Cryptographic": {
"Protocol": "OBPQuery",
"Secret": "Wk3m7DlL/GStBBm3xUjyzg==",
"Encryption": "A128CBC",
"Authentication": "HS256",
"Ticket":
"Q9r4hXefHhLvgpKHVg3w2p7VptVH9qidGiIa4Nw3Zp5hZR816h9+PRj5
sye1jmIhy4sYA/jfK/g4OrSngK9xWO7Qg3/iQ+YTAchKQjdJtN4="}},
{
"Name": "udp.example.com",
"Port": 5000,
"Address": "10.1.2.2",
"Priority": 1,
"Weight": 100,
"Transport": "UDP",
"Cryptographic": {
"Protocol": "OBPQuery",
"Secret": "wBiguG9FGj08nS/c/njp4Q==",
"Encryption": "A128CBC",
"Authentication": "HS256",
"Ticket":
"F8LPKTL+XaAX0eJsM22fdJ37BRS816dKXD66UbD8NAVKOgOu556uS8WW
AMj+dJbJaErUzo/vw7tY0icCu1bw8qHmOO4gzhbSbD4Nga2EAU4="}}]}
}]]>
</artwork>
</figure>
<t>
When Alice's machine is to be transfered to another
employee, the
Unbind transaction is used. The only parameter
is the
Ticket identifying the device association (Ticket).
</t>
<figure>
<artwork>
<![CDATA[Post / HTTP/1.1
Host: example.com
Cache-Control: no-store
Content-Type: Application/json;charset=UTF-8
Content-Length: 25
Content-Integrity:
mac=bZU61eCOW4nVnfdJNS719HL4IsNVxtoTgoRt+mqLbWY=;
ticket=0ulMVMMfY/pLHZ0FlIy2zDnNycYz9Znvs3JJYQGlZ+dWaxMNxm/jLEsJd/
0qsAc5qp8fjBoMN49V9DkDgM4UYJxVriqfr64RyTTgug2taHY=
{
"UnbindRequest": {}}]]>
</artwork>
</figure>
<t>
Since the unbind response represents the termination
the
relationship with the Omnibroker, the response merely
reports
the success or failure of the request.
</t>
<figure>
<artwork>
<![CDATA[HTTP/1.1 0
Content-Type: application/json;charset=UTF-8
Content-Length: 26
Content-Integrity:
mac=9P1FmroeFU7y9qHgXdSFXH2qSImh0cQpaSgZrx5IswM=;
ticket=0ulMVMMfY/pLHZ0FlIy2zDnNycYz9Znvs3JJYQGlZ+dWaxMNxm/jLEsJd/
0qsAc5qp8fjBoMN49V9DkDgM4UYJxVriqfr64RyTTgug2taHY=
{
"UnbindResponse": {}}]]>
</artwork>
</figure>
<t>
The 'Ticket' value presented in the foregoing examples
is
a sequence of binary data generated by the service
is
opaque to the client. Services MAY generate ticket
values
with a substructure that enable the service to avoid
the need to maintain server side state.
</t>
<t>
In the foregoing example, the ticket structures generated
by the service encode the cryptographic parameter data,
the shared secret, account identifier and an
authentication
value. The initial ticket value generated additionally
encodes
the values of the client and service challeng values for
use
in calculating the necessary ChallengeResponse.
</t>
</section>
<!-- End section of automatically generated text -->
</section>
<section title="OBPConnection">
<section title="Message: Message">
<!-- No parameters -->
</section>
<section title="Message: Response">
<t> <list style="hanging" hangIndent="6">
<t hangText="Status : Integer [0..1] " />
<t>
Application layer server status code
</t>
<t hangText="StatusDescription : String [0..1] " />
<t>
Describes the status code (ignored by processors)
</t>
</list></t>
</section>
<section title="Message: ErrorResponse">
<t>
An error response MAY be returned in response to any request.
</t>
<t>
Note that requests MAY be rejected by the code implementing
the transport binding before application processing begins
and so a server is not guaranteed to provide an error response
message.
</t>
<!-- No parameters -->
</section>
<section title="Message: Request">
<t> <list style="hanging" hangIndent="6">
<t hangText="Ticket : Binary [1..1] " />
<t>
Opaque ticket issued by the server that identifies
the cryptographic parameters for encryption and
authentication of the message payload.
</t>
</list></t>
</section>
<section title="Structure: Cryptographic">
<t>
Parameters describing a cryptographic context.
</t>
<t> <list style="hanging" hangIndent="6">
<t hangText="Protocol : Label [0..1] " />
<t>
OBP tickets MAY be restricted to use with either the management
protocol (Management) or the query protocol (Query). If so a
service would typically
specify a ticket with a long expiry time or no expiry for use with
the management protocol and a separate ticket for use with the
query protocol.
</t>
<t hangText="Secret : Binary [1..1] " />
<t>
Shared secret
</t>
<t hangText="Encryption : Label [1..1] " />
<t>
Encryption Algorithm selected
</t>
<t hangText="Authentication : Label [1..1] " />
<t>
Authentication Algorithm selected
</t>
<t hangText="Ticket : Binary [1..1] " />
<t>
Opaque ticket issued by the server that identifies
the cryptographic parameters for encryption and
authentication of the message payload.
</t>
<t hangText="Expires : DateTime [0..1] " />
<t>
Date and time at which the context will expire
</t>
</list></t>
</section>
<section title="Structure: ImageLink">
<t> <list style="hanging" hangIndent="6">
<t hangText="Algorithm : Label [0..1] " />
<t>
Image encoding algorithm (e.g. JPG, PNG)
</t>
<t hangText="Image : Binary [0..1] " />
<t>
Image data as specified by algorithm
</t>
</list></t>
</section>
<section title="Structure: Connection">
<t>
Contains information describing a network connection.
</t>
<t> <list style="hanging" hangIndent="6">
<t hangText="Name : Name [0..1] " />
<t>
DNS Name. Since one of the functions of an OBP service is name
resolution, a DNS name is only used to establish a connection if
connection by means of the IP address fails.
</t>
<t hangText="Port : Integer [0..1] " />
<t>
TCP or UDP port number.
</t>
<t hangText="Address : String [0..1] " />
<t>
IPv4 (32 bit) or IPv6 (128 bit) service address
</t>
<t hangText="Priority : Integer [0..1] " />
<t>
Service priority. Services with lower priority numbers SHOULD
be attempted before those with higher numbers.
</t>
<t hangText="Weight : Integer [0..1] " />
<t>
Weight to be used to select between services of equal priority.
</t>
<t hangText="Transport : Label [0..1] " />
<t>
OBP Transport binding to be used valid values are HTTP, DNS and UDP.
</t>
<t hangText="Expires : DateTime [0..1] " />
<t>
Date and time at which the specified connection context will expire.
</t>
</list></t>
</section>
<section title="Bind">
<t>
Binding a device is a two step protocol that begins with the
Start Query followed by a sequence of Ticket queries.
</t>
</section>
<section title="Message: BindRequest">
<t>
The following parameters MAY occur in either a
StartRequest or TicketRequest:
</t>
<t> <list style="hanging" hangIndent="6">
<t hangText="Encryption : Label [0..Many] " />
<t>
Encryption Algorithm that the client accepts. A Client MAY
offer multiple algorithms. If no algorithms are specified then
support for the mandatory to implement algorithm is assumed.
Otherwise mandatory to implement algorithms MUST be
specified explicitly.
</t>
<t hangText="Authentication : Label [0..Many] " />
<t>
Authentication Algorithm that the client accepts.
If no algorithms are specified then
support for the mandatory to implement algorithm is assumed.
Otherwise mandatory to implement algorithms MUST be
specified explicitly.
</t>
</list></t>
</section>
<section title="Message: BindResponse">
<t>
The following parameters MAY occur in either a
StartResponse or TicketResponse:
</t>
<t> <list style="hanging" hangIndent="6">
<t hangText="Cryptographic : Cryptographic [0..Many] " />
<t>
Cryptographic Parameters.
</t>
<t hangText="Service : Connection [0..Many] " />
<t>
A Connection describing an OBP service point
</t>
</list></t>
</section>
<section title="Message: OpenRequest">
<t>
The OpenRequest Message is used to begin a device binding transaction.
Depending on the authentication requirements of the service the
transaction may be completed in a single query or require a
further Ticket Query to complete.
</t>
<t>
If authentication is required, the mechanism to be used depends on
the capabilities of the device, the requirements of the broker and
the existing relationship between the user and the broker.
</t>
<t>
If the device supports some means of data entry, authentication
MAY be achieved by entering a passcode previously delivered out
of band into the device.
</t>
<t>
The OpenRequest specifies the properties of the service
(Account, Domain) and Device (ID, URI, Name) that will remain
constant throughout the period that the device binding is active
and parameters to be used for the mutual authentication protocol.
</t>
<t> <list style="hanging" hangIndent="6">
<t hangText="Account : String [0..1] " />
<t>
Account name of the user at the OBP service
</t>
<t hangText="Domain : Name [0..1] " />
<t>
Domain name of the OBP broker service
</t>
<t hangText="HavePasscode : Boolean [0..1] Default =False " />
<t>
If 'true', the user has entered a passcode value for
use with passcode authentication.
</t>
<t hangText="HaveDisplay : Boolean [0..1] Default =False " />
<t>
Specifies if the device is capable of displaying information
to the user or not.
</t>
<t hangText="Challenge : Binary [0..1] " />
<t>
Client challenge value to be used in authentication challenge
</t>
<t hangText="DeviceID : URI [0..1] " />