Network Working Group J. Schaad
Internet-Draft Soaring Hawk Consulting
Intended status: Standards Track June 07, 2012
Expires: December 07, 2012

Email Policy Service Trust Processing
draft-schaad-plasma-service-02

Abstract

Write Me

Status of this Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on December 07, 2012.

Copyright Notice

Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.


Table of Contents

1. Introduction

1.1. XML Nomenclature and Name Spaces

The following name spaces are used in this document:

Prefix Namespace Specification(s)
eps http://ietf.org/2011/plasma/ This Specification
wst http://docs.oasis-open.org/ws-sx/ws-trust/200512 [WS-TRUST]
wsu http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd [WS-Security]
wsse http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd [WS-Security]
wsse11 http://docs.oasis-open.org/wss/oasis-wss-wsecurity-secext-1.1.xsd [WS-Security]
xacml http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-cs-01-en.html [XACML]
ds http://www.w3.org/2000/09/xmldsig# [XML-Signature]
xenc http://www.w3.org/2001/04/xmlenc# [XML-Encrypt]
wsp http://schemas.xmlsoap.org/ws/2004/09/policy [WS-Policy]
wsa http://www.w3.org/2005/08/addressing [WS-Addressing]
xs http://www.w3.org/2001/XMLSchema [XML-Schema1][XML-Schema2]

1.2. Requirements Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

When the words appear in lower case, their natural language meaning is used.

2. Components

In designing this specification we used a number of pre-existing specifications as building blocks. In some cases we use the entirety of the specification and in other case we use only select pieces.

2.1. XACML 3.0

The XACML specification (eXtensible Access Control Markup Language) [XACML] provides a framework for writing access control policies and for creating standardized access control queries and responses. The request and response portion of the specification is used to build the request (Section 5.2) and response (Section 6.1) messages in this specification. The structure for writing the access control policies is out of scope for this document, but XACML is one of the possibilities that can be used for that purpose.

2.2. SAML

A number of different methods for carrying both identification and attributes of the party requesting access is permitted in this specification. SAML is one of the methods that is permitted for that purpose.

SAML has defined three different types of assertions in it's core specification [OASIS-CORE]:

While a PDP can use an Authorization Decision as input, this is unexpected and MAY be supported. In addition there are three different ways that the subject of a SAML statement can be identified:

We cannot pass a SAML assertion with attributes as a single attribute in the XACML request as XACML wants each of the different attributes to be individually listed in the request. This greatly simplifies the XACML code, but means that one needs to do a mapping process from the SAML attributes to the XACML attributes. This process has been discussed in Section 2 of [SAML-XACML]. This mapping process MUST be done by a trusted agent, as there are a number of steps that need to be done including the validation of the signature on the SAML assertion. This process cannot be done by the PEP that is residing on the Plasma client's system as this is considered to be an untrusted entity by the Plasma system as a whole. One method for this to be addressed is to treat the Plasma server as both a PDP (for the Plasma client) and a PDP for the true XACML policy evaluator. In this model, the Plasma server becomes the trusted PEP party and has the ability to do the necessary signature validation and mapping processes. A new XACML request is then created and either re-submitted to itself for complete evaluation or to a third party which does the actual XACML processing.

2.3. WS-Trust 1.4

The WS-Trust 1.4 [WS-TRUST] standard provides for methods for issuing, renewing, and validating security tokens. This specification uses only a small portion of that standard, specifically the structure that returns a trust token from the issuer to the requester.

This specification makes no statements on the content and format of the token returned from the Plasma server to the Plasma client in the wst:RequestSecurityTokenResponse field. These tokens may be parseable by the client, but there is no requirement that the client be able to understand the token. The token can always be treated as an opaque blob by the client which is simply reflected back to the server at a later time. The attributes that client needs to understand in order to use the token, such as the life time, are returned as fields of the token response.

TODO: need to discuss the content model and say what elements need to be supported and what elements can be ignored -- safely.

3. Model

To be supplied from the problem statement document.


        (1)(3)     +----------+  
      +----------->|Sending   |<------------+
      |            |Agent     |             |
 (2)  v            +----------+             v
+----------+           ^               +---------+
|Email     |           |               |Mail     |
|Policy    |<----------+               |Transfer |
|Service   |                           |Agent    |
+----------+                           +---------+
 ()   ^            +----------+             ^
      |            |Receiving |             |
      +----------->|Agent     |<------------+
        ()()       +----------+ 

List the boxes above and give some info about them.

Email Policy Service
is the gateway controller for accessing a message. Although it is represented as a single box in the diagram, there is no reason for it to be in practice. Each of the three protocols could be talking to different instances of a common system. This would allow for a server to operated by Company A, but be placed in Company B's network thus reducing the traffic sent between the two networks.
Mail Transfer Agent
is the entity or set of entities that is used to move the message from the sender to the receiver. Although this document describes the process in terms of mail, any method can be used to transfer the message.
Receiving Agent
is the entity that consumes the message.
Sending Agent
is the entity that originates the message.

3.1. Sender Processing

We layout the general steps that need to be taken by the sender of an EPS message. The numbers in the steps below refer to the numbers in the upper half of Figure 1. A more detailed description of the processing is found in Section 7 for obtaining the security policies that can be applied to a messages and Section 8 for sending a message.

  1. The Sending Agent sends a message to one or more Email Policy Services in order to obtain the set of policies that it can apply to a message along with a security token to be used in proving the authorization. Details of the message send can be found in Section 7.1.
  2. The Email Policy Service examines the set of policies that it understands and checks to see if the requester is authorized to send messages with the policy.
  3. The Email Policy Service returns the set of policies and an security token to the Sending Agent. Details of the message sent can be found in Section 7.2.
  4. The Sending Agent selects the Email Policy(s) to be applied to the message, along with the set of recipients for the message.
  5. The Sending Agent relays the selected information to the Email Policy Service along with the security token. Details of this message can be found in Section 8.1.
  6. The Email Policy Service creates the recipient info attribute as defined in [EPS-CMS].
  7. The Email Policy Service returns the created attribute to the Sending Agent. Details of this message can be found in Section 8.2.
  8. The Sending Agent composes the CMS EnvelopedData content type placing the returned attribute into a KEKRecipientInfo structure and then send the message to the Mail Transport Agent.

3.2. Recieving Agent Processing

We layout the general steps that need to be taken by the sender of an EPS message. The numbers in the steps below refer to the numbers in the lower half of Figure 1. A more detailed description of the processing is found in Section 9.

  1. The Receiving Agent obtains the message from the Mail Transport Agent.
  2. The Receiving Agent starts to decode the message and in that process locates an EvelopedData content type which has a KEKRecipientInfo structure with a XXXX attribute.
  3. The Receiving Agent processes the SignedData content of the XXXX attribute to determine that communicating with it falls within accepted policy.
  4. The Receiving Agent transmits the content of the XXXX attribute to the referenced Email Policy Service. The details of this message can be found in Section 9.1.
  5. The Email Policy Service decrypts the content of the message and applies the policy to the credentials provided by the Receiving Agent.
  6. If the policy passes, the Email Policy Service returns the appropriate key or RecipientInfo structure to the Receiving Agent. Details of this message can be found in Section 9.2.
  7. The Receiving Agent proceeds to decrypt the message and perform normal processing.

4. Protocol Overview

The protocol defined in this document is designed to take place between a Plasma server and a Plasma client. The protocol takes place in terms of a request/response dialog from the client to the server. A single dialog can consist of more than one request/response message pair. Multiple round trips within allow a client to provide additional authentication, authorization and attribute information to the server.

Each dialog contains one or more action attributes specifying what actions the client wishes the server to take. Depending on the action requested, additional attributes may be present providing data for the action to use as input. Finally, each dialog will contain authentication and attributes supplied by one or more authorities that the server can use either as input to the action or as input to policy decisions about whether to perform the action.

The protocol MUST be run over a secure transport, while the protocol allows for signature operations to occur on sections of the message structure, the secure transport is responsible for providing the confidentiality and integrity protection services over the entire message.

Multiple dialogs may be run over a single secure transport. Before a new dialog may be started, the previous dialog MUST have completed to a state of success, failure or not applicable. A new dialog MUST NOT be started after receiving a response with an indeterminate status. This is an indicator that the dialog has not yet completed.

Plasma compliant implementations MUST support TLS 1.1 [RFC4346] and above as secure transports. Implementations SHOULD NOT allow for the use of TLS 1.0 or SSL. Other secure transports MAY be implemented.

5. Plasma Request

The specification is written using XACML as the basic structure to frame a request for an operation. The request for operations to occur are written using XACML action items. This specification defines actions specific to Plasma in a CMS environment. Other specifications can define additional action items for other environments (for example the XML encryption environment) or other purposes. (Future work could use this basic structure to standardize the dialogs between PDPs and PAPs or to facilitate legal signatures on emails.)

In addition to the XACML action request there is a set of structures to allow for a variety of authentication mechanisms to be used. By allowing for the use of SAML and GSS-API as base authentication mechanisms, the mechanism used is contained in a sub-system and thus does not directly impact the protocol.

The request message uses a single XML structure. This structure is the eps:PlasmaRequest object. The XML Schema used to describe this structure is:

  <xs:element name="PlasmaRequest" type="eps:RequestType"/>
  <xs:complexType name="RequestType">
    <xs:sequence>
      <xs:element ref="eps:Authentication" minOccurs="0"/>
      <xs:element ref="xacml:Request"/>
    </xs:sequence>
    <xs:attribute name="Version" type="xs:string" default="1.0"/>
  </xs:complexType>

The RequestType has two elements in it:

Authentication
is an optional element that holds the structures used for doing authentication and authorization. Unless no authentication is required by the Plasma server, the element is going to exist for one or more requests in the dialog.
xacml:Request
is a required element that contains the control information for the action requested. The control information takes the form of an action request plus additional data to be used as part of the action request. The data and actions are to be treated as self-asserted, that is they are deemed not to come from a reliable source even in the event that an authentication is successfully completed. As self-asserted values, Plasma servers need to exercise extreme care about which are included in the policy enforcement decisions. As an example, it makes sense to allow for the action identifier to be included in the policy enforcement, but assertions about the identity of the subject should be omitted. This element is taken from the XACML specification.

For some operations, display string values are returned as part of the response from the server. The xml:lang attribute SHOULD be included in the RequestType element to inform the server as to what language client wishes to have the strings in. The server SHOULD attempt to return strings in the language requested or a related language if at all possible.

5.1. Authentication Element

One of the major goals in the Plasma work is to detach the process of authentication specifics from the Plasma protocol. In order to accomplish this we are specifying the use of two general mechanisms (SAML and GSS-API) which can be configured and expanded without changing the core Plasma protocol itself. The authentication element has two main purposes: 1) to process the authentication being used by the client and 2) to carry authenticated attributes for use in the policy evaluation.

When transporting the authentication information, one needs to recognize that there may be a single or multiple messages in the dialog in order to complete the authentication process. In performing the process of authenticating, any or all of the elements in this structure can be used. If there are multiple elements filled out, the server can choose to process the elements in any order. This means that the Plasma protocol itself does not favor any specific mechanism. The current set of mechanisms that are built into the Plasma specification are:

More than one authentication element can be present in any single message. This is because a client may need to provide more than one piece of data to a server in order to authenticate, for example a holder of key SAML Assertion along with a signature created with that key. Additionally a client may want to provide the server an option of different ways of doing the authentication. In a federated scenario, an X.509 certificate with a signature can be presented and the server may not be able to build a trust path to it's set of trust anchors. In this case the client may need to use the GSS-API/EAP protocol for doing the authentication. The client may want to provide the server with one or more SAML Assertion that binds a number of attributes to it's identities so that the server does not need to ask for those attributes at a later time. Finally, multiple entities may need to be validated (for example the user and the user's machine).

When transporting the attribute information, one needs to recognize that there may be single or multiple messages in the dialog in order to complete the authorization process. The server will return a status code of urn:oasis:names:xacml:1.0:status:missing-attribute in the event that one or more attributes are needed in order to complete the authorization process. The details on how XACML returns missing attribute information is found in Section 7.17.3 of [XACML]. When the list of attributes is returned, the client has two choices: 1) It can close the dialog, look for a source of the missing attributes and then start a new dialog, 2) it can just get an assertion for the missing attributes and send the new assertion as in a new request message within the same dialog. The decision of which process to use will depend in part on how long it is expected to take to get the new attribute assertion to be returned.

The same authentication data does not need to be re-transmitted to the server in a subsequent message within a single dialog. The server MUST retain all authenticated assertion information during a single dialog.

The schema for the Authentication element directly maps to the ability to hold the above elements. The schema for the Authentication element is:

  <xs:element name="Authentication" type="eps:AuthenticationType"/>
  <xs:complexType name="AuthenticationType">
    <xs:choice maxOccurs="unbounded">
      <xs:element ref="saml:Assertion"/>
      <xs:element name="GSSAPI" type="xs:hexBinary"/>
      <xs:element name="WS-Token">
        <xs:complexType>
          <xs:simpleContent>
            <xs:extension base="xs:hexBinary">
              <xs:attribute name="tokenType" type="xs:anyURI"/>
            </xs:extension>
          </xs:simpleContent>
        </xs:complexType>
      </xs:element>
      <xs:element ref="ds2:Signature"/>
      <xs:element name="Other">
        <xs:complexType>
          <xs:sequence>
            <xs:any namespace="##other"/>
          </xs:sequence>
        </xs:complexType>
      </xs:element>
    </xs:choice>
  </xs:complexType>

The schema allows for multiple authentication elements to occur in any order. It is suggested, but not required, that the ds2:Signature element occur after the authentication element that has an assoicated key. This makes it easier for servers to make a one pass validate of all authentication elements.

The Other element is provided to allow for additional authentication elements, include SAML version 1.1, to be used.

5.1.1. SAML Assertion

SAML Assertions can provide authentication or attribute information to the server. A SAML statement only needs to be provided once during a single dialog, the server MUST remember all attributes during the dialog.

When a SAML Assertion contains a SubjectConformation element using the KeyInfoConfirmationDataType as a subject conformation element, the confirmation shall be performed by the creation of an XML Signature authentication element. The signature element shall be created using an appropriate algorithm for the key referenced in the SAML statement.

Identify a SAML statement in the delegation/subject/environment space - need text for this

5.1.2. WS Trust Tokens

WS Trust tokens are used in two different ways by this specification. They can be used as the primary introduction method of a client to the server, or they can be used by the server to allow the client to be re-introduced to the server in such a way that the server can use cached information.

WS Trust tokens come in two basic flavors: Bearer tokensSection 5.1.3 provides necessary infrastructure to permit the cryptographic result to be passed to the server.

This document does not define the content or structure of any tokens to be used. This is strictly an implementation issue for the servers in question. This is because the client can treat the WS Token value presented to it as an opaque blob.

wst:TokenType
SHOULD be returned if more than one type of token is used by the set of servers. If a token type is returned to the client, the client MUST include the element when the token is returned to the server.
wst:BinarySecret
SHOULD be returned for moderate duration tokens. If a binary secret is returned then the client MUST provide protection for the secret value. When a binary secret has been returned, then the client MUST create either a signature or MAC value and place it into the Signature element Section 5.1.3.
wst:Lifetime
MUST be returned with the wsu:Expires element set. The wsu:Created element MAY be included. The element provides the client a way to know when a token is going to expire and obtain a new one as needed.

5.1.3. XML Signature Element

When a holder of key credential is used to determine the attributes associated with an entity, there is a requirement that the key be used in a proof of possession step so that the Plasma server can validate that the entity does hold the key. The credentials can hold either asymmetric keys (X.509 certificates and SAML Assertions) or symmetric keys (WS Trust Tokens and SAML Assertions) which use Digital Signatures or Message Authentication Codes (MACs) respectively to create and validate a key usage statement. The XML signature standard [XML-Signature] provides an infrastructure to for conveying the proof of possession information.

The signature is computed over the XACML request element as a detached signature. When a signature element exists in the message, the ChannelBinding attribute (Section 10.1.1) MUST be included in the request. By the use of a value which is derived from the cryptographic keys used in for protecting the tunnel, it is possible for the server to verify that the authentication values computed were done specifically for this specific dialog and are not replayed.

When creating either a signature or a MAC, the following statements hold:

5.1.4. GSS-API Element

TBD - rules for using GSS-API in general and the EAP version from ABFAB particularly.

5.2. xacml:Request Element

The request for an action to be performed by the Plasma server along with the data that needs to be supplied by the client in order for the server to complete the action are placed into the xacml:Request element of the request. This document defines a set of actions that are to be understood by the Plasma server. One (or more) action is to be placed in the request message.

In addition to the request for a specific action to occur, the client can place additional attributes in the request as well. These attributes are provided in order to assist the server either in identifying who the various agents on the client side are or to provide suggestions of attributes for using in making control decisions. Any data provided by the client in this manner is to be considered as a self-asserted value and to be treated as if it comes from the client as oppose to a trusted attribute agent.

For convenience the schema for the xacml:Request element is reproduced here:

<xs:element name="Request" type="xacml:RequestType"/>
<xs:complexType name="RequestType">
  <xs:sequence>
    <xs:element ref="xacml:RequestDefaults" minOccurs="0"/>
    <xs:element ref="xacml:Attributes" maxOccurs="unbounded"/>
    <xs:element ref="xacml:MultiRequests" minOccurs="0"/>
  </xs:sequence>
  <xs:attribute name="ReturnPolicyIdList" type="xs:boolean" use="required"/>
  <xs:attribute name="CombinedDecision" type="xs:boolean" use="required"/>
</xs:complexType>

The RequestDefaults element of the XACML Request MUST be omitted by the clients. If present servers MUST ignore the RequestDefaults element. The use of the MultiRequest element is current not defined for a Plasma server and SHOULD be omitted by clients.

Clients MAY set ReturnPolicyIdList to true in order to find out which policies where used by the server in making the decision. Server MAY ignore this field and not return the policy list even if requested.

A number of different entities may need to be identified to Plasma server as part of a request. These entities include:

  1. The subject making the request to the server.
  2. The machine on the subject is using.
  3. The entity the subject is acting for. Converse about Delegation.

6. Plasma Response Element

There is a single top level structure that is used by the server to respond to a client request.

The XML Schema used to describe the top level response is as follows:

  <xs:element name="PlasmaResponse" type="eps:ResponseType"/>
  <xs:complexType name="ResponseType">
    <xs:sequence>
      <xs:element ref="xacml:Response"/>
      <xs:element ref="eps:PlasmaReturnToken" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="Version" type="xs:string" default="1.0"/>
  </xs:complexType>
  <xs:element name="PlasmaReturnToken" type="eps:PlasmaReturnTokenType" abstract="true"/>
  <xs:complexType name="PlasmaReturnTokenType" abstract="true">
    <xs:attribute name="DecisionId"/>
  </xs:complexType>

A Plasma Response has two elements:

xacml:Response
is a mandatory element that returns the status of the access request.
PlasmaReturnToken
is an optional element that will return one or more PlasmaReturnToken elements. These tokens represent the answer, for a success, of the request.

A Plasma Return Token is the base type from which return values are derived. The optional attribute Decision is defined for correlation of requests and results in the event that multiple requests are made. This document defines the following items that are derived from this type:

6.1. xacml:Response Element

The xacml:Response element has the ability to return both a decision, but additionally information about why a decision was not made.

The schema for the xacml:Response element is reproduced here for convenience:

<xs:element name="Response" type="xacml:ResponseType"/>
<xs:complexType name="ResponseType">
  <xs:sequence>
    <xs:element ref="xacml:Result" maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>

<xs:element name="Result" type="xacml:ResultType"/>
<xs:complexType name="ResultType">
  <xs:sequence>
    <xs:element ref="xacml:Decision"/>
    <xs:element ref="xacml:Status" minOccurs="0"/>
    <xs:element ref="xacml:Obligations" minOccurs="0"/>
    <xs:element ref="xacml:AssociatedAdvice" minOccurs="0"/>
    <xs:element ref="xacml:Attributes" minOccurs="0" maxOccurs="unbounded"/>
    <xs:element ref="xacml:PolicyIdentifierList" minOccurs="0"/>
  </xs:sequence>
</xs:complexType>

The xacml:Response element consists of one child the Result.

The xacml:Response element consists of the following elements:

xacml:Decision
is a mandatory element that returns the possible decisions of the access control decision. The set of permitted values are Permit, Deny, Indeterminate and No Policy.
xacml:Status
is an optional element returned for the Indeterminate status which provides for the reason that a decision was not able to be reached. Additionally it can contain hints for remedying the situation. This document defines a new set of status values to be returned. Formal declaration may be found in Section 12.

xacml:Obligations
is designed to force the PEP to perform specific actions prior to allowing access to the resource. If a response is returned with this element present, the processing MUST fail unless the PEP can perform the required action. A set of Plasma specific obligations are found in Section 10.2.
xacml:AssocatedAdvice
is designed to give suggestions to the PEP about performing specific actions prior to allowing access to the resource. This element is not used by Plasma and SHOULD be absent. If the response is returned with this element present, processing will succeed even if the PEP does not know how to perform the required action. A set of Plasma specific advice elements are found in Section 10.2.
xacml:Attributes
provides a location for the server to return attributes used in the access control evaluation process. Only those attributes requested in the Attributes section of the request are to be returned. Since Plasma does not generally supply attributes for the evaluation process, this field will normally be absent.
xacml:PolicyIdentifierList
provides a location to return the set of policies used to grant access to the resource. This element is expected to be absent for Plasma.

7. Role Token and Policy Acquisition

In order to send an email using a Plasma server, the first step is to obtain a role token that provides the description of the labels that can be applied and the authorization to send an email using one or more of the labels. The process of obtaining the role token is designed to be a request/response round trip to the Plasma server. In practice a number of round trips may be necessary in order to provide all of the identity and attributes to the Plasma server that are needed to evaluate the policies for the labels.

When a Plasma server receives a role token request from a client, it needs to perform a policy evaluation for all of the policies that it arbitrates along with all of the options for those policies. In general, the first time that a client requests a role token from the server, it will not know the level of authentication that is needed or the set of attributes that needs to be presented in order to get the set of tokens. A server MUST NOT issue a role token without first attempting to retrieve from an attribute source (either the client or a back end server) all of the attributes required to check all policies. Since the work load required on the server is expected to be potentially extensive for creating the role token, it is expected that the token returned will be valid for a period of time. This will allow for the frequency of the operation to be reduced. While the use of an extant role token can be used for identity proof, it is not generally suggested that a new token be issued without doing a full evaluation of the attributes of the client as either the policy or the set of client attributes may have changed in the mean time.

7.1. Role Token Request

The process starts by a client sending a server a role token request. Generally, but not always, the request will include some type of identity proof information and a set of attributes. It is suggested that, after the first successful conversation, the client cache hints about the identity and attributes needed for a server. This allows for fewer round trips in later conversations. An example of a request token can be found in Appendix Appendix B.

The role token request, as with all requests, uses the eps:PlasmaRequest XML structure. The eps:Authentication MAY be included on the first message and MUST be included on subsequent authentication round trips.

A role token request by a client MUST include the GetRoleTokens Plasma action request as an attribute of the xacml:Request element. Details on the action can be found in section Section 12.1. When role tokens are requested, no additional data needs to be supplied by the requester.

An example of a message requesting the set of policy information is:

<esp:PlasmaRequest>
  <eps:Authentication>...</eps:Authentication>
  <xacml:Request>
    <xacml:Attributes Category="...:action">
      <xacml:Attribute AttributeId="urn:plasma:action-id">
        <xacml:AttributeValue
           DataType="http://www.w3.org/2001/XMLSchema#string">
          GetRoleToken</xacml:AttributeValue>
      </xacml:Attribute>
    </xacml:Attributes>
  </xacml:Request>
</esp:PlasmaRequest>

7.2. Request Role Token Response

In response to a role token request, the Plasma server returns a role token response. The response uses the eps:PlasmaResponse XML structure. When a response is create the following should be noted:

An xacml:Decision is always included in a response. The values permitted are:

Permit
is used to signal success. In this case the response MUST include one or more eps:RoleToken element.
Deny
is used to signal failure. In this case the xacml:Status element MUST be present an contain a failure reason.
Indeterminate
is used to signal that a final result has not yet been reached. When this decision is reached, the server SHOULD return a list of additional attributes to be returned and SHOULD return the list of role tokens that have been granted based on the attributes received to that point.
NotApplicable
is returned if the Plasma server does not have the capability to issue role tokens.

An example of a response returning the set of policy information is:

<eps:PlasmaResponse>
  <xacml:Response>
    <xacml:Result>
      <xacml:Decision>Permit</xacml:Decision>
    </xacml:Result>
  </xacml:Response>
  <eps:PlasmaTokens>
    <eps:PlasmaToken>
      <eps:PolicyList>
        <eps:Policy>
          Details of a policy
        </eps:Policy>
        ... More policies ...
        <wst:RequestSecurityTokenResponse>
          <wst:TokenType>urn:...:plasma:roleToken</wst:TokenType>
          <wst:RequestedSecurityToken>...</wst:RequestedSecurityToken>
        </wst:RequestSecurityTokenResponse>
      </eps:PolicyList>
    </eps:PlasmaToken>
  </eps:PlasmaTokens>
</eps:PlasmaResponse>

In this example, the Email Policy Service is returning three different policies that can be used along with a security token and a key to be used with the token when sending an email.

7.2.1. RoleToken XML element

The eps:PlasmaTokens element is used to return one or more tokens to the client. Each token returned will contain one or more policies that can be asserted with the token and the token itself. Additionally the name of a Plasma server to be used with the token can be included as well as cryptographic information to be used with the token.

The schema used for the PlasmaTokens element is:

  <xs:element name="RoleToken" type="eps:RoleTokenType"/>
  <xs:complexType name="RoleTokenType">
    <xs:complexContent>
      <xs:extension base="eps:PlasmaReturnTokenType">
        <xs:sequence>
          <xs:element name="Name" type="xs:string"/>
          <xs:element name="PDP" type="xs:anyURI" maxOccurs="unbounded"/>
          <xs:choice>
            <xs:element name="PolicyList">
              <xs:complexType>
                <xs:sequence>
                  <xs:element name="Policy" type="eps:PolicyType" maxOccurs="unbounded"/>
                </xs:sequence>
              </xs:complexType>
            </xs:element>
            <xs:element ref="eps:Label"/>
          </xs:choice>
          <xs:element ref="wst:RequestSecurityTokenResponse"/>
          <xs:element ref="xacml:Obligations" minOccurs="0"/>
          <xs:element ref="xacml:AssociatedAdvice" minOccurs="0"/>
        </xs:sequence>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>
  <xs:complexType name="PolicyType">
    <xs:sequence>
      <xs:element name="Name" type="xs:string"/>
      <xs:element name="Options" minOccurs="0">
        <xs:complexType>
          <xs:complexContent>
            <xs:extension base="xs:anyType">
              <xs:attribute name="optionsType" type="xs:anyURI" use="required"/>
            </xs:extension>
          </xs:complexContent>
        </xs:complexType>
      </xs:element>
    </xs:sequence>
    <xs:attribute name="PolicyId" type="xs:anyURI" use="required"/>
  </xs:complexType>
  <xs:element name="Label" type="eps:LabelType"/>
  <xs:complexType name="LabelType">
    <xs:sequence>
      <xs:choice maxOccurs="unbounded">
        <xs:element ref="eps:Label"/>
        <xs:element ref="eps:Leaf"/>
      </xs:choice>
    </xs:sequence>
    <xs:attribute name="CombiningRule" type="eps:CombiningRuleType" use="required"/>
  </xs:complexType>
  <xs:simpleType name="CombiningRuleType">
    <xs:restriction base="xs:string">
      <xs:enumeration value="and"/>
      <xs:enumeration value="or"/>
      <xs:enumeration value="except"/>
    </xs:restriction>
  </xs:simpleType>
  <xs:element name="Leaf" type="eps:LeafType"/>
  <xs:complexType name="LeafType">
    <xs:sequence>
      <xs:any namespace="##any" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="Label" type="xs:string" use="required"/>
  </xs:complexType>

The eps:PlasmaTokens field will contain one or more eps:PlasmaToken elements.

The eps:PlasmaToken element contains the following items:

PDP
is an optional element. If the element is present, it provides one or more URLs to be used for containing a Plasma server for the purpose of sending a message. This element allows for the use of different Plasma servers for issuing role tokens and message tokens. No ranking of the servers is implied by the order of the URLs returned.
PolicyList
contains the description of one or more policies that can be asserted using the issued token. Any of the policies contained in the list may be combined together using the policy logic in constructing a label during the send message process.
Label
contains a single specific label. This element is returned as part of a read message token to allow for replies to be formulated by an entity that cannot generally originate a message using the policy.
wst:RequestSecurityTokenResponse
contains the actual token itself.

The eps:PolicyType type is used to represent the elements of a policy to the client. The elements in this type are:

Name
contains a display string that represents the policy. This element is localized in response to the TBD attribute in the TBD field.
Identifier
contains a "unique" identifier for the policy. This is the value that identifies the policy to the software. The type for the value is defined as a string and is expected to be either a URN, and Object Identifier or some equally unique identifier.
Options
allows for a set of options to be specified for the policy. The set of options is dependent on the policy and only those clients which have pre-knowledge of a policy are expected to be able to deal with them. The options can range from a simple yes/no selection to a list of strings. An example of using options is provided by the basic policies defined in [TBD] where a set of RFC 822 names is provided.

When building the wst:RequestSecurityTokenResponse element, the following should be noted:

8. Sending An Email

After having obtained a role token from a Plasma server, the client can then prepare to send an Email by requesting a message token from the Plasma server. As part of the preparatory process, the client will construct the label to be applied to the Email from the set of policies that it can assert, determine the optional elements for those policies which have options, generate the random key encryption key and possible create the key recipient structures for the email. Although this section is written in terms of a CMS Encrypted message, there is nothing to prevent the specification of different formats and still use this same basic protocol. An example of a request token exchange can be found in Appendix Appendix D.

8.1. Send Message Request

The send message request is built using the eps:PlasmaRequest XML structure. When building the request, the following applies:

<eps:PlasmaRequest>
  <eps:Authentication>
    <eps:WS_Token>
      Role Token goes here
    </eps:WS_Token>
    <xacml:Request>
      <xacml:Attributes Category="...:action">
        <xacml:Attribute AttributeId="urn:plasma:action-id">
          <xacml:AttributeValue>
            GetSendCMSToken
          </xacml:AttributeValue>
        </xacml:Attribute>
      </xacml:Attributes>
      <xacml:Attributes Category="...:data">
        <xcaml:Attribute AttributeId="urn:plasma:data-id">
          <xacml:AttributeValue>
            Label and keys
          </xacml:AttributeValue>
        </xcaml:Attribute>
      </xacml:Attributes>
    </xacml:Request>
  </eps:Authentication>
</eps:PlasmaRequest>

An example of a message returning the set of policy information is:

8.1.1. CMS Message Token Data Structure

The message token data structure is used as an attribute to carry the necessary information to issue a CMS message token. The schema that describes the structure is:

  <xs:element name="MessageTokenRequest" type="eps:MessageTokenRequestType"/>
  <xs:complexType name="MessageTokenRequestType">
    <xs:sequence>
      <xs:choice>
        <xs:element ref="eps:Label"/>
        <xs:element ref="eps:Leaf"/>
      </xs:choice>
      <xs:element name="Hash">
        <xs:complexType>
          <xs:sequence>
            <xs:element ref="ds2:DigestMethod"/>
            <xs:element ref="ds2:DigestValue"/>
          </xs:sequence>
        </xs:complexType>
      </xs:element>
      <xs:element name="Recipient" type="eps:RecipientInfoType" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element name="KEK" minOccurs="0">
        <xs:complexType>
          <xs:sequence>
            <xs:element name="Identifer" type="xs:hexBinary"/>
            <xs:element name="Value" type="xs:hexBinary"/>
          </xs:sequence>
        </xs:complexType>
      </xs:element>
    </xs:sequence>
  </xs:complexType>
  <xs:element name="RecipientInfo" type="eps:RecipientInfoType"/>
  <xs:complexType name="RecipientInfoType">
    <xs:sequence>
      <xs:element name="Subject" maxOccurs="unbounded">
        <xs:complexType>
          <xs:simpleContent>
            <xs:extension base="xs:anySimpleType">
              <xs:attribute name="type" type="xs:string" use="required"/>
            </xs:extension>
          </xs:simpleContent>
        </xs:complexType>
      </xs:element>
      <xs:element name="LockBox" type="xs:hexBinary"/>
    </xs:sequence>
  </xs:complexType>

When used in an xacml:Attribute, the structure is identified by:

Category = "urn:oasis:name:tc:xacml:3.0:attribute-category:data"
AttributeId = "urn:ietf:plasma:data-id"
DataType = "http://www.w3.org/2001/XMLSchema#anyType"

The elements of the structure are used as:

RoleToken
contains the previously issued role token which provides the authorization to use the policies in the label.
Label
contains the label to be applied to the message.
Recipients
is an optional element that contains one or more recipient info structures.
KEK
is an optional element that contains the KEK to decrypt the CMS lock box.

One or both of KEK and Recipients MUST be present.

The elements of the RecipientInfoType structure are:

Subject
contains a subject identifier. Since a CMS recipient info structure does not contain a great deal of information about the recipient, this element contains a string which can be used to identify the subject. This will normally be an RFC 822 name. Multiple subject names can be provided for a single lock box. This allows for the use a KEK value that is shared among the set of recipients but not the Plasma server.
LockBox
contains a hex encoded CMS Recipient Info structure. If the recipient info structure is placed here, it MUST NOT be placed in the CMS EnvelopedData structure as well.

8.2. Send Message Response

In response to a send message request, the Plasma server returns a send message response message. The response messages uses the eps:PlasmaResponse XML structure. When the response message is created, the following should be noted:

<eps:PlasmaResponse>
  <xacml:Response>
    <xacml:Result>
      <xacml:Decision>Permit</xacml:Decision>
    </xacml:Result>
  </xacml:Response>
  <eps:CMSToken>234e34d3</eps:CMSToken>
</eps:PlasmaResponse>

An example of a message returning the set of policy information is:

The schema use for returning a CMS token is:

  <xs:element name="CMSToken" type="eps:CMSTokenResponseType"/>
  <xs:complexType name="CMSTokenResponseType">
    <xs:complexContent>
      <xs:extension base="eps:PlasmaReturnTokenType"/>
    </xs:complexContent>
  </xs:complexType>

This schema extends the Plasma response token type and restricts the content to a hex encoded binary value. The hex encoded binary value is a the CMS SignedData structure that is the Plasma Key Attribute value to be encoded in the CMS KEKRecipientInfo structure (for details see [EPS-CMS]).

9. Decoding A Message

When the receiving agent is ready to decrypt the email, it identifies that there is a KEKRecipientInfo object which contains a key attribute identified by id-keyatt-eps-token. It validates the signature, determines that communicating with the Email Policy Service is within local policy, and then sends a request to the service to obtain the encryption key for the message.

In some cases the recipient of a message is not authorized to use the same set of labels for sending a message. For this purpose a token can be returned in the message along with the key so that recipient of the can reply to the message using the same set of security labels.

9.1. Requesting Message Key

The client sends a request to the Plasma server that is identified in the token. For the CMS base tokens, the address of the Plasma server to use is defined in [EPS-CMS] this is located in the aa-eps-url attribute.

The request uses the eps:PlasmaRequest XML structure. When building the request, the following should be noted:

<eps:PlasmaRequest>
  <eps:Authentication>...</eps:Authentication>
  <xacml:Request>
    <xacml:Attributes Category="...:action">
      <xacml:Attribute AttributeId="..:action-id">
        <xacml:AttributeValue>ParseCMSToken</xacml:AttributeValue>
      </xacml:Attribute>
    </xacml:Attributes>
    <xacml:Attribute Category="...:data">
      <xacml:Attribute AttreibuteId="..:data-id">
        <xacml:AttributeValue>
          Hex encoded CMS Token Value
        </xacml:AttributeValue>
      </xacml:Attribute>
    </xacml:Attribute>
  </xacml:Request>
</eps:PlasmaRequest>

An example of a message returning the set of policy information is:

9.2. Requesting Message Key Response

In response to a message key request, the Plasma server returns a decrypted key in the message key response. The response message uses the eps:Plasma XML structure. When a response message is create the following should be noted:

<eps:PlasmaResponse>
  <xacml:Response>
    <xacml:Result>
      <xacml:Decision>Permit</xacml:Decision>
    </xacml:Result>
  </xacml:Response>
  <eps:CMSKey>
    <eps:DisplayString>Label TExt</eps:DisplayString>
    <eps:KEK>hex based KEK</eps:KEK>
  </eps:CMSKey>
</eps:PlasmaResponse>

An example of a message returning the set of policy information is:

The schema for returning the decrypted key is:

  <xs:element name="CMSKey" type="eps:CMSKeyResponseType"/>
  <xs:complexType name="CMSKeyResponseType">
    <xs:complexContent>
      <xs:extension base="eps:PlasmaReturnTokenType">
        <xs:sequence>
          <xs:element name="DisplayString" type="xs:string"/>
      <xs:choice>
        <xs:element name="KEK" type="xs:hexBinary"/>
        <xs:element name="KEKIdentifier" type="xs:hexBinary"/>
        <xs:element ref="eps:RecipientInfo"/>
      </xs:choice>
      <xs:element ref="eps:RoleToken" minOccurs="0"/>
      <xs:element name="EncryptionRequestor" type="xs:string"/>
        </xs:sequence>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>

This schema extends the Plasma response token type and restricts the content to the listed elements. The values returned are:

DisplayString
returns a localized display string for the policy(s) which were applied to the message. The lang attribute on the request is used to determine which language to use for this string.
KEK
returns the base64 encoded key encryption key.
eps:RecipientInfo
returns the encrypted key in the form of a CMS RecipientInfo structure

10. Plasma Attributes

In this document a number of different XAMCL attributes have been defined, this section provides a more detailed description of these elements.

10.1. Data Attributes

10.1.1. Channel Binding Data Attribute

The channel binding data attribute is used to provide for a binding of the TLS session that is being used to transport the Plasma messages with the content of the Plasma requests themselves. There is a need for the server to be able to validate that the cryptographic operations related to holder of key statements be made specifically for the current conversation and not be left over from a previous one as a replay attack. By deriving a cryptographic value from the shared TLS session key and signing that value we are able to do so.

The channel binding value to be used is created by the TLS key exporter specification defined in RFC 5705 [RFC5705]. This allows for a new cryptographic value to be derived from the existing shared secret key with additional input to defined the context in which the key is being derived. When using the exporter, the label to be input into the key exporter is "EXPORTER_PLASMA". The value to be derived will be 512 bits in length, and no context is provided to the exporter.

When used as an XACML attribute in a request:

The same value is used for both the XACML channel binding data attribute and the XML channel binding structure defined in Section 5.1.3.

10.1.2. CMS Signer Info Data Attribute

In many cases a policy stays that the client is required to sign the message before encrypting it. The server cannot verify that a signature is applied to the message and included, but we can require that a signature be supplied to the server. This signature can then be validated by the server (except for the message digest attribute value), and the server can take a hash of the value and return it as part of the key returned to a decrypting agent. This agent can then validate that the signature is a part of the message and complain if it absent. This means we do not have an enforcement mechanism, but we do have a way of performing an audit at a later time to see that the signature operation was carried out correctly.

By requiring that a signature be supplied to the server as part of the authentication process, the Plasma server can also be setup so that the supplied signature is automatically setup for archival operations. One way to do archiving is to use the data records defined in [RFC4998].

The following applies when this data value is present:

10.1.3. S/MIME Capabilities Data Attribute

Policies sometimes require that specific algorithms be used in order to meet the security needs of the policy. This attribute allows for an S/MIME Capabilities to be carried in a DER encoded SMIMECapabilities ASN.1 structure to be transmitted to the client. Details on how the S/MIME Capabilities function can be found in [SMIME-MSG].

The following attributes are to be set for the data value:

10.2. Obligations and Advice

Obligations and advice consist of actions that the Plasma server either requires or requests that the client PEP perform in order to gain access or before granting access to the data. These normally represent actions or restrictions that the PDP itself cannot enforce and thus are not input attributes to the policy evaluation. The same set of values can be used either as obligations or advice, the difference being that if the PEP cannot do an obligation it is required to change the policy decision.

10.2.1. Signature Required

Many policies require that a message be signed before it is encrypted and sent. Since the unencrypted version of message is not sent to the Plasma server, the policy cannot verify that a signature has been placed onto the signed message. The attribute is not for use as a returned obligation from an XACML decisions, rather it is for a pre-request obligations used in role responses (Section 7.2).

When used as an Obligation:

10.2.2. Encryption Required

Occasionally a policy requires a specific set of encryption algorithms be used for a message, when this is the case then the encryption required obligation is included in the returned set of obligations. If the default set of encryption algorithms is sufficient then the obligation is omitted.

When used as an Obligation:

11. Security Considerations

To be supplied after we have a better idea of what the document looks like.

12. IANA Considerations

We define the following name spaces

New name space for the plasma documents urn:ietf:params:xml:ns:plasma

12.1. Plasma Action Values

A new registry is established for Plasma server action identifiers using the tag "action-id". The full urn for the registry is "urn:ietf:params:xml:ns:plasma:actions". This registry operates under a specification required policy. All entries in this registry require the following elements:

The registry will be initially populated with the following:

Action Id Input Structure Output Structure
GetRoleTokens none eps:RoleToken
GetSendCMSToken eps:MessageTokenRequest eps:CMSToken
ParseCMSToken eps:CMSToken eps:CMSKeyToken
GetReplyToken none eps:RoleToken

When these actions are placed in an xacml:Request,

12.2. non

Define a new data name space urn:ietf:params:xml:ns:plasma:data-id

Define a new name space for status codes at urn:ietf:params:xml:ns:plasma:status. The initial set of values is

authentication-error
This identifier indicates that the authentication methods failed to successfully complete.

Define a new name space for obligations. The same namespace will be used both for obligations and for advice and the values may appear in either section.

signature-required
This identifier indicates that that the encrypted body must contain a signature element. The data value of this type shall be "http://www.w3.org/2001/XMLSchema#hexBinary" and the data structure shall consist of a DER encoded CMSCapabilities structure [SMIME-MSG] with the list of permitted signature algorithms. If there are no restrictions on the algorithms or the restriction is implicit, then the data value MAY be omitted.
encryption-algorithms
see above
ambigous-identity
The identity of the client is either not stated in a form the Plasma server understands, or there are multiple identities in the authentication data. To remedy this situation, the client includes an explicit identity in the xacml:Reqeust element.

We define a schema in appendix A at urn:ietf:params:xml:schema:plasma-RFCTBD

Define a new Status Code for use in the Status URI field.

13. Open Issues

List of Open Issues:

14. References

14.1. Normative References

[ABFAB] Hartman, S. and J. Howlett, "A GSS-API Mechanism for the Extensible Authentication Protocol", Work In Progress draft-ietf-abfab-gss-eap-04, Oct 2011.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[EPS-CMS] Schaad, J., "Email Policy Service ASN.1 Processing", Work In Progress draft-schaad-plamsa-cms, Jan 2011.
[XML-Signature] Roessler, T., Reagle, J., Hirsch, F., Eastlake, D. and D. Solo, "XML Signature Syntax and Processing (Second Edition)", World Wide Web Consortium Recommendation REC-xmldsig-core-20080610, June 2008.
[XML-C14N11] Boyer, J. and G. Marcy, "Canonical XML Version 1.1", World Wide Web Consortium Recommendation REC-xml-c14n11-20080502, May 2008.
[WS-TRUST] Lawrence, K, Kaler, C, Nadalin, A, Goodner, M, Gudgin, M, Barbir, A and H Granqvist, "WS-Trust 1.4", OASIS Standard ws-trust-200902, March 2007.
[XACML] Rissanen, E, "eXtensible Access Control Markup Language (XACML) Version 3.0", OASIS Standard xacml-201008, August 2010.
[Plasma] Freeman, T., Schaad, J. and P. Patterson, "Requirements for Message Access Control", Work in progress draft-freeman-message-access-control, October 2011.
[OASIS-CORE] Cantor, S., Kemp, J., Philpott, R. and E. Maler, "Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0", OASIS Standard saml-core-2.0-os, March 2005.
[RFC5705] Rescorla, E., "Keying Material Exporters for Transport Layer Security (TLS)", RFC 5705, March 2010.
[SMIME-MSG] Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2 Message Specification", RFC 5751, January 2010.

14.2. Informative References

[RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.1", RFC 4346, April 2006.
[RFC4998] Gondrom, T., Brandner, R. and U. Pordesch, "Evidence Record Syntax (ERS)", RFC 4998, August 2007.
[SAML-XACML] Anderson, A. and H. Lockhart, "SAML 2.0 profile of XACML v2.0", OASIS Standard access_control-xacml-2.0-saml-profile-spec-os.pdf, February 2005.
[SOAP11] Box, D, Ehnebuske, D, Kakivaya, G, Layman, A, Mendelsohn, N, Nielsen, H, Thatte, S and D Winer, "Simple Object Access Protocol (SOAP) 1.1", W3C NOTE NOTE-SOAP-20000508, May 2000.
[SOAP12] Lafon, Y., Gudgin, M., Hadley, M., Moreau, J., Mendelsohn, N., Karmarkar, A. and H. Nielsen, "SOAP Version 1.2 Part 1: Messaging Framework (Second Edition)", World Wide Web Consortium Recommendation REC-soap12-part1-20070427, April 2007.

Appendix A. XML Schema

This appendix represents the entirety of the XML Schema for Plasma documents.

<?xml version="1.0" encoding="UTF-8"?>
<!-- edited with XMLSpy v2007 sp2 (http://www.altova.com) by James Schaad (exmsft) -->
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xacml="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:eps="urn:ietf:schema:plasma:1.0" xmlns:ds2="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" targetNamespace="urn:ietf:schema:plasma:1.0" elementFormDefault="qualified" attributeFormDefault="unqualified">
  <xs:annotation>
    <xs:documentation>
    The PlasmaRequest element is one of two top level elements defined by this XSD schema.
    The PlasmaRequest element is sent from the client to the server in order to 
  </xs:documentation>
  </xs:annotation>
  <xs:element name="PlasmaRequest" type="eps:RequestType"/>
  <xs:complexType name="RequestType">
    <xs:sequence>
      <xs:element ref="eps:Authentication" minOccurs="0"/>
      <xs:element ref="xacml:Request"/>
    </xs:sequence>
    <xs:attribute name="Version" type="xs:string" default="1.0"/>
  </xs:complexType>
  <xs:element name="PlasmaResponse" type="eps:ResponseType"/>
  <xs:complexType name="ResponseType">
    <xs:sequence>
      <xs:element ref="xacml:Response"/>
      <xs:element ref="eps:PlasmaReturnToken" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="Version" type="xs:string" default="1.0"/>
  </xs:complexType>
  <xs:element name="PlasmaReturnToken" type="eps:PlasmaReturnTokenType" abstract="true"/>
  <xs:complexType name="PlasmaReturnTokenType" abstract="true">
    <xs:attribute name="DecisionId"/>
  </xs:complexType>
  <!--  <xs:element name="RequestRoles">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="eps:Authentication" minOccurs="0"/>
        <xs:element name="Identity" type="xs:string"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:element name="RequestMessageData">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="Label" type="eps:LabelType"/>
        <xs:element name="RoleToken"/>
        <xs:element name="Recipients"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:element name="ReadMessage"/> -->
  <xs:element name="Authentication" type="eps:AuthenticationType"/>
  <xs:complexType name="AuthenticationType">
    <xs:choice maxOccurs="unbounded">
      <xs:element ref="saml:Assertion"/>
      <xs:element name="GSSAPI" type="xs:hexBinary"/>
      <xs:element name="WS-Token">
        <xs:complexType>
          <xs:simpleContent>
            <xs:extension base="xs:hexBinary">
              <xs:attribute name="tokenType" type="xs:anyURI"/>
            </xs:extension>
          </xs:simpleContent>
        </xs:complexType>
      </xs:element>
      <xs:element ref="ds2:Signature"/>
      <xs:element name="Other">
        <xs:complexType>
          <xs:sequence>
            <xs:any namespace="##other"/>
          </xs:sequence>
        </xs:complexType>
      </xs:element>
    </xs:choice>
  </xs:complexType>
  <xs:element name="RoleToken" type="eps:RoleTokenType"/>
  <xs:complexType name="RoleTokenType">
    <xs:complexContent>
      <xs:extension base="eps:PlasmaReturnTokenType">
        <xs:sequence>
          <xs:element name="Name" type="xs:string"/>
          <xs:element name="PDP" type="xs:anyURI" maxOccurs="unbounded"/>
          <xs:choice>
            <xs:element name="PolicyList">
              <xs:complexType>
                <xs:sequence>
                  <xs:element name="Policy" type="eps:PolicyType" maxOccurs="unbounded"/>
                </xs:sequence>
              </xs:complexType>
            </xs:element>
            <xs:element ref="eps:Label"/>
          </xs:choice>
          <xs:element ref="wst:RequestSecurityTokenResponse"/>
          <xs:element ref="xacml:Obligations" minOccurs="0"/>
          <xs:element ref="xacml:AssociatedAdvice" minOccurs="0"/>
        </xs:sequence>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>
  <xs:complexType name="PolicyType">
    <xs:sequence>
      <xs:element name="Name" type="xs:string"/>
      <xs:element name="Options" minOccurs="0">
        <xs:complexType>
          <xs:complexContent>
            <xs:extension base="xs:anyType">
              <xs:attribute name="optionsType" type="xs:anyURI" use="required"/>
            </xs:extension>
          </xs:complexContent>
        </xs:complexType>
      </xs:element>
    </xs:sequence>
    <xs:attribute name="PolicyId" type="xs:anyURI" use="required"/>
  </xs:complexType>
  <xs:element name="Label" type="eps:LabelType"/>
  <xs:complexType name="LabelType">
    <xs:sequence>
      <xs:choice maxOccurs="unbounded">
        <xs:element ref="eps:Label"/>
        <xs:element ref="eps:Leaf"/>
      </xs:choice>
    </xs:sequence>
    <xs:attribute name="CombiningRule" type="eps:CombiningRuleType" use="required"/>
  </xs:complexType>
  <xs:simpleType name="CombiningRuleType">
    <xs:restriction base="xs:string">
      <xs:enumeration value="and"/>
      <xs:enumeration value="or"/>
      <xs:enumeration value="except"/>
    </xs:restriction>
  </xs:simpleType>
  <xs:element name="Leaf" type="eps:LeafType"/>
  <xs:complexType name="LeafType">
    <xs:sequence>
      <xs:any namespace="##any" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="Label" type="xs:string" use="required"/>
  </xs:complexType>
  <xs:element name="MessageTokenRequest" type="eps:MessageTokenRequestType"/>
  <xs:complexType name="MessageTokenRequestType">
    <xs:sequence>
      <xs:choice>
        <xs:element ref="eps:Label"/>
        <xs:element ref="eps:Leaf"/>
      </xs:choice>
      <xs:element name="Hash">
        <xs:complexType>
          <xs:sequence>
            <xs:element ref="ds2:DigestMethod"/>
            <xs:element ref="ds2:DigestValue"/>
          </xs:sequence>
        </xs:complexType>
      </xs:element>
      <xs:element name="Recipient" type="eps:RecipientInfoType" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element name="KEK" minOccurs="0">
        <xs:complexType>
          <xs:sequence>
            <xs:element name="Identifer" type="xs:hexBinary"/>
            <xs:element name="Value" type="xs:hexBinary"/>
          </xs:sequence>
        </xs:complexType>
      </xs:element>
    </xs:sequence>
  </xs:complexType>
  <xs:element name="RecipientInfo" type="eps:RecipientInfoType"/>
  <xs:complexType name="RecipientInfoType">
    <xs:sequence>
      <xs:element name="Subject" maxOccurs="unbounded">
        <xs:complexType>
          <xs:simpleContent>
            <xs:extension base="xs:anySimpleType">
              <xs:attribute name="type" type="xs:string" use="required"/>
            </xs:extension>
          </xs:simpleContent>
        </xs:complexType>
      </xs:element>
      <xs:element name="LockBox" type="xs:hexBinary"/>
    </xs:sequence>
  </xs:complexType>
  <xs:element name="CMSKey" type="eps:CMSKeyResponseType"/>
  <xs:complexType name="CMSKeyResponseType">
    <xs:complexContent>
      <xs:extension base="eps:PlasmaReturnTokenType">
        <xs:sequence>
          <xs:element name="DisplayString" type="xs:string"/>
      <xs:choice>
        <xs:element name="KEK" type="xs:hexBinary"/>
        <xs:element name="KEKIdentifier" type="xs:hexBinary"/>
        <xs:element ref="eps:RecipientInfo"/>
      </xs:choice>
      <xs:element ref="eps:RoleToken" minOccurs="0"/>
      <xs:element name="EncryptionRequestor" type="xs:string"/>
        </xs:sequence>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>
  <xs:element name="CMSToken" type="eps:CMSTokenResponseType"/>
  <xs:complexType name="CMSTokenResponseType">
    <xs:complexContent>
      <xs:extension base="eps:PlasmaReturnTokenType"/>
    </xs:complexContent>
  </xs:complexType>
</xs:schema>

Appendix B. Example: Get Roles Request

This section provides an example of a request message to obtain the set of roles for an individual named 'bart@simpsons.com'. The authentication provided in this is a SAML statement included in the SAML_Collection element.

<?xml version="1.0" encoding="UTF-8"?>
<PlasmaRequest xmlns="urn:ietf:schema:plasma:1.0" 
  xmlns:xacml="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <Authentication>
    <SAML_Collection>...</SAML_Collection>
  </Authentication>
  <xacml:Request CombinedDecision="false" ReturnPolicyIdList="false">
    <xacml:Attributes Category="urn:oasis:names:tc:xacml:1.0:subect-category:access-subject">
      <xacml:Attribute IncludeInResult="false" 
        AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id">
        <xacml:AttributeValue 
          DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">bart@simpsons.com</xacml:AttributeValue>
      </xacml:Attribute>
    </xacml:Attributes>
    <xacml:Attributes Category="urn:oasis:names:tc:xaml:3.0:attribute-catagory:action">
      <xacml:Attribute IncludeInResult="false" AttributeId="urn:plasma:action-id">
        <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GetRoleTokens</xacml:AttributeValue>
      </xacml:Attribute>
    </xacml:Attributes>
  </xacml:Request>
</PlasmaRequest>

Appendix C. Example: Get Roles Response

This section provides an example response to a successful request for a role sets.

<?xml version="1.0" encoding="UTF-8"?>
<PlasmaResponse xmlns="urn:ietf:schema:plasma:1.0"
  xmlns:xacml="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" 
  xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" 
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <xacml:Response>
    <xacml:Result>
      <xacml:Decision>Permit</xacml:Decision>
    </xacml:Result>
  </xacml:Response>
  <PlasmaTokens>
    <PlasmaToken>
      <PDP>https://pdp.example.com/companyPolicies</PDP>
      <PolicyList>
        <Policy>
          <Name>Company Confidential</Name>
          <Identifier>urn:example:policies:confidential</Identifier>
        </Policy>
        <Policy>
          <Name>Plasma Project</Name>
          <Identifier>urn:example:policies:plasma</Identifier>
        </Policy>
      </PolicyList>
      <wst:RequestSecurityTokenResponse>
        <wst:TokenType>urn:plasma:roleToken</wst:TokenType>
        <wst:RequestedSecruityToken>....</wst:RequestedSecruityToken>
        <wst:Entropy><wst:BinarySecret>12345678</wst:BinarySecret></wst:Entropy>
        <wst:Lifetime><wsu:Expires>2012-02-01T00:00:00</wsu:Expires></wst:Lifetime>
      </wst:RequestSecurityTokenResponse>
    </PlasmaToken>
  </PlasmaTokens>
</PlasmaResponse>

Appendix D. Example: Get CMS Token Request

This section contains an example of a request from a client to a server for a CMS message token to be issued. The authentication for the request is provided by using a WS-Trust token previously issued as part of a role request/response dialog. The request contains the following elements:

<?xml version="1.0" encoding="UTF-8"?>
<PlasmaRequest xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xsi:schemaLocation="urn:ietf:schema:plasma:1.0 C:\ietf\drafts\Schema\Plasma.xsd" 
    xmlns="urn:ietf:schema:plasma:1.0"
    xmlns:xacml="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <Authentication>
    <WS_Token>123456</WS_Token>
  </Authentication>
  <xacml:Request CombinedDecision="false" ReturnPolicyIdList="false">
    <xacml:Attributes Category="urn:oasis:names:tc:xaml:3.0:attribute-catagory:action">
      <xacml:Attribute IncludeInResult="false" AttributeId="urn:plasma:action-id">
        <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GetCMSToken</xacml:AttributeValue>
      </xacml:Attribute>
    </xacml:Attributes>
    <xacml:Attributes Category="urn:ietf:plasma:attribute-category:data">
      <xacml:Attribute AttributeId="urn:plasma:data-id" IncludeInResult="false">
        <xacml:AttributeValue DataType="xml">
          <MessageTokenRequest>
            <Label CombiningRule="or">
              <Leaf Label="urn:example:policies:confidential"/>
              <Leaf Label="urn:example:policies:plasma"/>
            </Label>
            <RecipientInfo>
              <Subject type="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">
                lisa@simpsons.com
              </Subject>
              <LockBox>FF33eeddccaa002234</LockBox>
            </RecipientInfo>
            <KEK>AB123456</KEK>
          </MessageTokenRequest>
        </xacml:AttributeValue>
      </xacml:Attribute>
    </xacml:Attributes>
  </xacml:Request>
</PlasmaRequest>

Appendix E. Example: Get CMS Token Response

This section contains an example of a response from a server to a client for a CMS message token to be issued. The token is returned in the CMSToken element. This element would then be placed into the CMS message being created by the client.

<?xml version="1.0" encoding="UTF-8"?>
<PlasmaResponse xmlns="urn:ietf:schema:plasma:1.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
  xsi:schemaLocation="urn:ietf:schema:plasma:1.0 C:\ietf\drafts\Schema\Plasma.xsd" 
  xmlns:xacml="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml:Response>
    <xacml:Result>
      <xacml:Decision>Permit</xacml:Decision>
    </xacml:Result>
  </xacml:Response>
  <CMSToken>3425342352343243</CMSToken>
</PlasmaResponse>

Appendix F. Example: Get CMS Key Request

<?xml version="1.0" encoding="UTF-8"?>
<PlasmaRequest xmlns="urn:ietf:schema:plasma:1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
  xsi:schemaLocation="urn:ietf:schema:plasma:1.0 C:\ietf\drafts\Schema\Plasma.xsd"
  xmlns:xacml="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <Authentication>
    <SAML_Collection>....</SAML_Collection>
  </Authentication>
  <xacml:Request CombinedDecision="false" ReturnPolicyIdList="false">
    <xacml:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-catagory:action">
      <xacml:Attribute AttributeId="urn:plasma:action-id" IncludeInResult="false">
        <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ParseCMSToken</xacml:AttributeValue>
      </xacml:Attribute>
      <xacml:Attribute AttributeId="urn:plasma:action-id" IncludeInResult="false">
        <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GetReplyToken</xacml:AttributeValue>
      </xacml:Attribute>
    </xacml:Attributes>
    <xacml:Attributes Category="urn:ietf:plasma:attribute-category:data">
      <xacml:Attribute AttributeId="urn:plasma:data-id" IncludeInResult="false">
        <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#hexBinary">AABBDDEEFF1122344</xacml:AttributeValue>
      </xacml:Attribute>
    </xacml:Attributes>
  </xacml:Request>
</PlasmaRequest>

Appendix G. Example: Get CMS KeyResponse

<?xml version="1.0" encoding="UTF-8"?>
<PlasmaResponse xmlns="urn:ietf:schema:plasma:1.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
  xsi:schemaLocation="urn:ietf:schema:plasma:1.0 C:\ietf\drafts\Schema\Plasma.xsd" 
  xmlns:xacml="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
   xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" 
   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <xacml:Response>
    <xacml:Result>
      <xacml:Decision>Permit</xacml:Decision>
    </xacml:Result>
  </xacml:Response>
  <CMSKey>
    <DisplayString>Company Confidential</DisplayString>
    <KEK>3425342352343243</KEK>
    <PlasmaToken>
      <PDP>https://pdp.example.com/companyPolicies</PDP>
      <Label CombiningRule="or">
        <Leaf Label="urn:example:policies:confidential"/>
        <Leaf Label="urn:example:policies:plasma"/>
      </Label>
      <wst:RequestSecurityTokenResponse>
        <wst:TokenType>urn:plasma:roleToken</wst:TokenType>
        <wst:RequestedSecurityToken>....</wst:RequestedSecurityToken>
        <wst:Lifetime><wsu:Expires>2012-02-01T00:00:00</wsu:Expires></wst:Lifetime>
      </wst:RequestSecurityTokenResponse>
    </PlasmaToken>
  </CMSKey>
</PlasmaResponse>

Appendix H. Enabling the MultiRequests option

NOTE: RFC Editor please remove this section prior to publication. This section exists as a note to the author to make sure that it can be done. It will be published as a separate document if desired.

One of the issues in doing multiple requests in a single message is the issue of correlation between the request and the results. We have make this issue even worse by the fact that we are return results that are not input attributes for the decision and that we are not returning as attributes of the decision.

The best way to deal with this is by putting tags into the request and reflect them in the return values for the response. The only place that this does not work is for the GSS-API response token as this element would normally be part of the response of multiple requests. You want to finish that authentication step before issuing final decisions if the input is needed as part of that decision.

With this in mind what we do is the following:

We could probably relax the restrictions if we know that the token can only be returned by one request, however using the token to correlate the request and the decision is still probably desired so that those values can be correlated.

Author's Address

Jim Schaad Soaring Hawk Consulting EMail: ietf@augustcellars.com