DDS-SECURITY 1.3b1 RTF
  1. OMG Issue

DDSSEC13 — Support dynamic certificates and permissions

  • Key: DDSSEC13-90
  • Status: open
  • Source: Real-Time Innovations (Dr. Gerardo Pardo-Castellote, Ph.D.)
  • Summary:

    Update the class id minor version in all tokens

    From 1.2 to 1.3.

    Fix the class ids for several of the security tokens

    The class_id attribute in various Tokens includes the Plugin Name and a version number. The intention was that the version number would track the specification version so that it could be used to understand the format of the Token. However, this is not done consistently. Furthermore, when there are multiple tokens with the same class id, they are differentiated by appending the '+' character and a suffix. This is not done in all cases.

    We will fix the following irregularities:

    Token                             Old value                          New value
    AuthenticatedPeerCredentialToken  DDS:Auth:PKI-DH:1.0                DDS:Auth:PKI-DH:1.3+AuthPeerCred
    IdentityStatusToken               DDS:Auth:PKI-DH:1.0                DDS:Auth:PKI-DH:1.3+IdStatus
    PermissionsCredentialToken        DDS:Access:PermissionsCredential   DDS:Access:Permissions:1.3+Cred
    CryptoToken                       DDS:Crypto:AES_GCM_GMAC            DDS:Crypto:AES_GCM_GMAC:1.2

    Add the IdentityCredentialToken type

    The class_id for the token will be DDS:Auth:PKI-DH:1.3+IdCred.

    Fix the PermissionsCredentialToken property name

    From dds.pem.cert to c.perm.

    Changes to the Governance Document

    Add the optional <identity_credential_authority_validation> XML complex type with two optional elements, <ocsp> and <crl>. Their possible values are AUTO, REQUIRED, and IGNORED.

    New authentication property for configuring the OCSP responder

    Added the dds.sec.auth.ocsp_responder_uri property

    Changes to the Security Plugins Interface

    Authentication plugin

    • get_identity_credential_token
    • return_identity_credential_token
    • set_remote_identity_credential_token
    • set_remote_identity_status_token
    • set_property_qos
    • validate_status

    Access Control plugin

    • set_remote_permissions_credential_token
    • set_property_qos
    • validate_status

    Cryptography plugin

    • set_property_qos

    Changes to the listener classes

    • on_status_changed operation for the AccessControlListener interface
    • Add the AccessControlStatusKind enum with PERMISSIONS_CREDENTIAL as the only value currently possible.
    • Modify the AuthStatusKind enum so that, besides the current IDENTITY_STATUS value, it also supports IDENTITY_CREDENTIAL, IDENTITY_VALIDATION_CONTEXT, and ALL.
  • Reported: DDS-SECURITY 1.2 — Mon, 2 Jun 2025 16:53 GMT
  • Updated: Wed, 11 Jun 2025 22:40 GMT
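The class_id layout the issue describes ("<plugin name>:<major>.<minor>", optionally followed by "+<suffix>" to tell apart tokens that share a plugin and version) is easy to get wrong in exactly the ways listed above. The following Python is an added example, not part of the issue, the DDS Security specification, or any vendor plugin: it parses a class_id into its three parts and audits a set of tokens for a missing version, a version that does not match the specification version passed in, and several tokens sharing one plugin:version without a distinguishing suffix. The OLD_CLASS_IDS and NEW_CLASS_IDS tables are constructed from the rows in the issue; the function names and the choice of 1.3 as the expected version are this example's own assumptions. Run against the old values the audit reports all four irregularities plus the collision; against the new values the only finding is CryptoToken, whose new value in the table above stays at 1.2.

```python
"""Added example: parser and consistency check for DDS Security token
class_id strings of the form "<plugin>:<major>.<minor>[+<suffix>]".
Illustrative code only; the token tables are constructed from the issue text."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)$")


@dataclass(frozen=True)
class ClassId:
    plugin: str                          # e.g. "DDS:Auth:PKI-DH"
    version: Optional[Tuple[int, int]]   # (major, minor), or None if absent
    suffix: Optional[str]                # text after '+', or None

    @property
    def base(self) -> str:
        """Everything before '+'. Tokens with the same base and no suffix collide."""
        if self.version is None:
            return self.plugin
        return f"{self.plugin}:{self.version[0]}.{self.version[1]}"


def parse_class_id(class_id: str) -> ClassId:
    """Split a class_id into plugin name, optional version and optional suffix."""
    base, plus, suffix = class_id.partition("+")
    if plus and not suffix:
        raise ValueError(f"empty suffix after '+' in {class_id!r}")
    if "+" in suffix:
        raise ValueError(f"more than one '+' in {class_id!r}")
    parts = base.split(":")
    if any(not p for p in parts):
        raise ValueError(f"empty component in {class_id!r}")
    m = _VERSION_RE.match(parts[-1])
    if m and len(parts) > 1:
        # Last colon-separated component looks like "N.M": treat it as the version.
        version: Optional[Tuple[int, int]] = (int(m.group(1)), int(m.group(2)))
        plugin = ":".join(parts[:-1])
    else:
        version, plugin = None, base
    return ClassId(plugin, version, suffix or None)


def audit_class_ids(tokens: Dict[str, str], expected: Tuple[int, int]) -> List[str]:
    """Return one finding per irregularity: missing version, version other than
    `expected`, or several tokens sharing plugin:version with no '+' suffix."""
    findings: List[str] = []
    by_base: Dict[str, List[str]] = {}
    for token, raw in tokens.items():
        cid = parse_class_id(raw)
        if cid.version is None:
            findings.append(f"{token}: no version in {raw!r}")
        elif cid.version != expected:
            findings.append(
                f"{token}: version {cid.version[0]}.{cid.version[1]} "
                f"!= expected {expected[0]}.{expected[1]}"
            )
        if cid.suffix is None:
            by_base.setdefault(cid.base, []).append(token)
    for base, names in by_base.items():
        if len(names) > 1:
            findings.append(
                f"{base!r} shared by {', '.join(sorted(names))} without a '+' suffix"
            )
    return findings


# Constructed from the issue's table (old column) and its table plus the
# new IdentityCredentialToken (new column).
OLD_CLASS_IDS: Dict[str, str] = {
    "AuthenticatedPeerCredentialToken": "DDS:Auth:PKI-DH:1.0",
    "IdentityStatusToken": "DDS:Auth:PKI-DH:1.0",
    "PermissionsCredentialToken": "DDS:Access:PermissionsCredential",
    "CryptoToken": "DDS:Crypto:AES_GCM_GMAC",
}
NEW_CLASS_IDS: Dict[str, str] = {
    "AuthenticatedPeerCredentialToken": "DDS:Auth:PKI-DH:1.3+AuthPeerCred",
    "IdentityStatusToken": "DDS:Auth:PKI-DH:1.3+IdStatus",
    "IdentityCredentialToken": "DDS:Auth:PKI-DH:1.3+IdCred",
    "PermissionsCredentialToken": "DDS:Access:Permissions:1.3+Cred",
    "CryptoToken": "DDS:Crypto:AES_GCM_GMAC:1.2",
}

if __name__ == "__main__":
    for label, table in (("old", OLD_CLASS_IDS), ("new", NEW_CLASS_IDS)):
        print(f"{label} values:")
        for finding in audit_class_ids(table, (1, 3)) or ["no findings"]:
            print("  " + finding)
```

The version is taken to be the last colon-separated component only when it has the "N.M" shape, so a value such as DDS:Access:PermissionsCredential is reported as having no version rather than being mis-split; a plugin name that itself contains "+" is rejected, since the suffix rule leaves no way to tell the two apart.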