3.4 Interaction with WS-Trust X.509v3 Token Enrollment
This section describes the fifth phase in MDE2 device enrollment: interacting with the WS-Trust X.509v3 Token Enrollment Extensions [MS-WSTEP] to complete enrollment. The following diagram highlights this final phase.
Figure 12: MDE device enrollment: completing enrollment
The WS-Trust X509v3 Enrollment Extensions [MS-WSTEP] are extensions of WS-Trust Security 2004 [WSS] that are used by a system to request that a certificate be issued. MDE2 implements an extension profile of the extensions defined in [MS-WSTEP], to enable a device to be enrolled and receive an identity. The following sections specify the details of the MDE2 profile of and extensions defined in [MS-WSTEP].
The WS-Trust X509v3 Enrollment Extensions [MS-WSTEP] use the authentication provisions in WS-Security 2004 [WSS] to enable the X509v3 security token issuer to authenticate the X509v3 security token requestor. This section defines the schema used to express the credential descriptor for each supported credential type. The security token credential is provided in a request message using the <wsse:BinarySecurityToken> element [WSS]. The security token is retrieved as specified in section 3.2. The authentication information is as follows:
wsse:BinarySecurityToken: MDE implements the <wsse:BinarySecurityToken> element defined in [WSS] section 6.3. The <wsse:BinarySecurityToken> element MUST be included as a child of the <wsse:Security> element in the SOAP header.
As was specified in section 3.2, inclusion of the <wsse:BinarySecurityToken> element is opaque to the enrollment client and is agreed upon by the STS, as identified in the DS <AuthenticationServiceUrl> element of <DiscoveryResponse> (section 220.127.116.11.3.2) and the ES.
The <wsse:BinarySecurityToken> element contains a base64-encoded security token. The enrollment client uses the security token received from the STS to populate the <wsse:BinarySecurityToken> element.
<wsse:BinarySecurityToken> ValueType attribute MUST be
<wsse:BinarySecurityToken> EncodingType attribute MUST be