Subject: [ebxml-msg] FW: [wss] FW: ebXML's requirements for xmldsig used for multipart SOAP .

Here is a first response (from Rich Salz) concerning the ebXML signature requirements and how to do it in WSS. I will also attach the message I sent to WSS for reference.

About what I expected so far.

Dale

-----Original Message-----
From: Rich Salz [mailto:rsalz@datapower.com]
Sent: Friday, February 14, 2003 10:05 AM
To: Dale Moberg
Cc: wss@lists.oasis-open.org
Subject: Re: [wss] FW: ebXML's requirements for xmldsig used for multipart SOAP .

Hi Dale,

Note that SOAP (at least 1.2) makes some of those things difficult. For example, the soap mustUnderstand attribute can be 0/1/true/false and changed along the way, whitespace can appear between header elements, etc.

Look at the thread [1] for a plan to address this. For now, unfortunately, I think you have to write your own XSLT transform that takes those things into account, as well as header variation.

/r$

[1] http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2003JanMar/0023.html

--- Begin Message ---
- From: "Dale Moberg" <dmoberg@cyclonecommerce.com>
- To: <wss@lists.oasis-open.org>
- Date: Thu, 13 Feb 2003 10:14:53 -0700

Hi,

I posed the issue below to Chris K. and Ajamu at a recent WS-I Security meeting. Some of us are interested in wss feedback on how to do an xmldsig signature meeting the requirements described below. These requirements were compiled during the ebXML initiative. Ajamu suggested the wss list members could provide us with some feedback also. So I am forwarding to the list.

Thanks
Dale Moberg

-----Original Message-----
From: Ajamu Wesley [mailto:awesley@us.ibm.com]
Sent: Tuesday, February 11, 2003 11:35 AM
To: Dale Moberg
Cc: Chris Kaler
Subject: Re: ebXML's requirements for xmldsig used for multipart SOAP .

Dale,

These are good requirements. I will keep them in mind, but would recommend that you submit these to the mailing list as well. This will allow the working group members to provide feedback.

Thanks.

-- Ajamu

++++++++
Ajamu Wesley
awesley@us.ibm.com
(919) 254-2195 (T/L 444)
Web Services Technologist
Emerging Internet Technologies
++++++++

"Dale Moberg" <dmoberg@cyclonecommerce.com> on 02/10/2003 01:09:47 PM

To: Ajamu Wesley/Raleigh/IBM@IBMUS
cc: "Chris Kaler" <ckaler@microsoft.com>
Subject: ebXML's requirements for xmldsig used for multipart SOAP .

So far no one on ebXML Messaging has added anything to this description of requirements, so I am forwarding it off to you. I am interested in how a WSS xmldsig wss-profiled signature accomplishes this signing, as I mentioned to you at the face to face. [Possibly we can relax some requirement, so if you can get close please outline the wss/xmldsig approach we can take.]

Thanks,
Dale Moberg

Given that SOAP allows intermediaries to add elements at least to the SOAP:Header EII (element information item) and given SOAP requires intermediaries to remove targeted modules/header blocks in accordance with SOAP processing semantics, ebXML wanted to make certain that the ultimate SOAP node only received what the initial soap node had sent and had targeted for the ultimate node, and not anything intermediaries targeted to the ultimate node.

In addition, ebXML messaging wanted an XMLDsig signature such that:

1. Signing is over a multipart/related, where there is a SOAP:envelope in the first bodypart, and some XML (or even nonXML) in some other bodypart. While more than one bodypart is permitted, signatures may be over the first part and any selection of the other bodyparts. [CID URI resolvers are added for this.]

2. SOAP header blocks targeted to intermediaries are not to be included in the original signature.

3. The original SOAP signatures are signed over. Other SOAP signatures may be added, and the original signature must not break.

4. Any addition to an originally signed over bodypart [other than a signature or a routing record] must be detectable in the sense that the signature will not verify.

5. Any deletion from the original bodyparts, other than targeted header blocks for intermediaries, must break the signature.

6. Any addition of ultimate soap node header blocks by intermediaries must break the signature.

----------------------------------------------------------------
To subscribe or unsubscribe from this elist use the subscription manager: <http://lists.oasis-open.org/ob/adm.pl>

--- End Message ---
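
The header handling that requirements 2 and 6 and Rich Salz's reply describe, as an added Python example that is not part of the archived messages and is not ebXML or WSS code: it digests a normalized view of the envelope so that intermediary-targeted blocks, mustUnderstand spelling and inter-element whitespace do not affect the result, while a new block for the ultimate node does. Assumptions: the SOAP 1.2 namespace and role URIs; any block whose role is not ultimateReceiver is treated as intermediary-targeted; SHA-256 over Python's C14N 2.0 output stands in for a real xmldsig transform chain; the names signed_view and signed_digest and the sample messages are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

SOAP = "http://www.w3.org/2003/05/soap-envelope"  # SOAP 1.2 namespace (assumed)
ULTIMATE = SOAP + "/role/ultimateReceiver"
ROLE, MU = f"{{{SOAP}}}role", f"{{{SOAP}}}mustUnderstand"

def signed_view(envelope_xml: str) -> str:
    """Canonical form of the envelope parts the originator's signature covers."""
    env = ET.fromstring(envelope_xml)
    header = env.find(f"{{{SOAP}}}Header")
    for parent in filter(lambda e: e is not None, (env, header)):
        parent.text = None                  # whitespace between blocks is not signed
        for child in parent:
            child.tail = None
    for block in list(header) if header is not None else []:
        if block.get(ROLE, ULTIMATE) != ULTIMATE:
            header.remove(block)            # requirement 2: intermediary blocks excluded
        elif MU in block.attrib:            # 0/1/true/false collapse to true/false
            block.set(MU, "true" if block.get(MU).strip() in ("1", "true") else "false")
    # Any block still present is addressed to the ultimate node and is digested,
    # so one added in transit changes the result (requirement 6).
    return ET.canonicalize(ET.tostring(env, encoding="unicode"))

def signed_digest(envelope_xml: str) -> str:
    return hashlib.sha256(signed_view(envelope_xml).encode("utf-8")).hexdigest()

# Constructed sample messages; the m:, r: and x: header blocks are hypothetical.
ORIGINAL = f"""<env:Envelope xmlns:env="{SOAP}">
  <env:Header>
    <m:MessageHeader xmlns:m="urn:example:msg" env:mustUnderstand="1">order-17</m:MessageHeader>
    <r:Via xmlns:r="urn:example:route" env:role="{SOAP}/role/next">hop-a</r:Via>
  </env:Header>
  <env:Body><po xmlns="urn:example:po">42 widgets</po></env:Body>
</env:Envelope>"""
# An intermediary replaced the routing block, respelled mustUnderstand, changed whitespace.
IN_TRANSIT = f"""<env:Envelope xmlns:env="{SOAP}"><env:Header>
<r:Via xmlns:r="urn:example:route" env:role="{SOAP}/role/next">hop-b</r:Via>
<m:MessageHeader xmlns:m="urn:example:msg" env:mustUnderstand="true">order-17</m:MessageHeader>
</env:Header><env:Body><po xmlns="urn:example:po">42 widgets</po></env:Body></env:Envelope>"""
# The same message with a block for the ultimate node injected on the way.
TAMPERED = IN_TRANSIT.replace(
    "</env:Header>", '<x:Priority xmlns:x="urn:example:x">high</x:Priority></env:Header>')

if __name__ == "__main__":
    for name, msg in (("original", ORIGINAL), ("in transit", IN_TRANSIT), ("tampered", TAMPERED)):
        print(f"{name:10s} {signed_digest(msg)}")
```

The multipart/related attachments of requirement 1 and the signature-over-signature case of requirement 3 are outside what this example covers.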