Subject: RE: [ebxml-msg] Schema problem with encryption in the AS4 draft
Hello Theo,

Two comments:

1) I think we should simplify this and say that the eb:Messaging header should never be encrypted. A capability to selectively encrypt parts of a message header seems neither simple to implement nor something that would rank highly (if at all) on a list of required features for the market we want to address with AS4. If confidentiality is important peer-to-peer (no intermediaries), transport security could be and usually is used. If confidentiality is important end-to-end (across intermediaries), then simple guidelines (e.g. don't use the credit card number of your customer as the ConversationId of a message) and proper access controls, audits etc. of the intermediaries in practice cover virtually all remaining cases.

2) The eb:Messaging element already has an optional "id" attribute of type xsd:ID. At least one XML schema engine does not allow a wsu:Id to be added to eb:Messaging even if that "id" attribute is not present:

    cvc-complex-type.5.2: In element 'eb3:Messaging', attribute 'Id' is a Wild ID. But there is already an attribute 'id' derived from ID among the {attribute uses}.

Now the WS-I BSP says to use "wsu:Id" preferentially (SHOULD); this still allows the use of the "id" attribute. So my assumption was that the header should be identified using the "id" attribute to make sure the header is schema valid. Does your WS-Security processor support this? The SOAP Body element would be identified using a wsu:Id.

I agree we want to allow schema validation for the full SOAP header.

Pim

-----Original Message-----
From: Theo Kramer [mailto:theo@flame.co.za]
Sent: 17 May 2011 11:08
To: ebxml-msg@lists.oasis-open.org
Subject: [ebxml-msg] Schema problem with encryption in the AS4 draft

I have received the following from Mike O'Connell (senior developer) involved in implementing our AS4 light client and adapting our MSH for AS4 support.

The server has strict XML Schema validation ON and this has raised a question (and a number of exceptions): The WSS 1.1 spec allows for arbitrary XML elements to be encrypted and signed; however, the ebMS schema ('ebms-header-3_0-200704.xsd') does not. The only element that allows for insertion of the 'wsu:id' attribute is 'eb:Messaging', since it has the 'headerExtension' attribute (which allows for 'xsd:anyAttribute'). 'wsu:id' is the ID reference used when applying WSS 1.1 security to arbitrary elements.

Now - I cannot encrypt the entire 'eb:Messaging' element because of the following from the AS4-profile draft, in reference to ebMS v3.0, Section 7.4:

    AS4 MSH implementations are(sic) SHALL NOT encrypt the eb:PartyInfo section of the eb:Messaging header. Other child elements of the eb:Messaging header MAY be encrypted or left unencrypted as defined by trading partner agreements or collaboration profiles.

The only way to bypass this issue is to turn XML Schema validation OFF, which defeats the whole purpose of XML Schema in the first place.

Your comments/input on this appreciated...

--
Regards
Theo
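The referencing scheme Pim proposes (eb:Messaging identified by its schema-declared "id" attribute, the SOAP Body by wsu:Id) and the PartyInfo rule Theo quotes, as an added illustration that is not part of this thread or of any OASIS or vendor implementation: a receiver-side check that resolves each ds:Reference under either attribute, rejects ambiguous ids, and confirms eb:PartyInfo arrived unencrypted. The namespace URIs are the real ones; the envelope is a constructed sample and the function names are assumptions of this example.

```python
"""Added checks for an AS4 SOAP envelope. Namespace URIs are the real ones;
the envelope text below is constructed for this example."""
import xml.etree.ElementTree as ET

NS = {
    "S": "http://www.w3.org/2003/05/soap-envelope",
    "eb": "http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
EB_MESSAGING = "{%s}Messaging" % NS["eb"]

def resolve_reference(root, uri):
    """Map a same-document ds:Reference URI ('#x') to the single element that
    carries it: either wsu:Id (used on the SOAP Body, as WS-I BSP prefers) or
    the plain xsd:ID attribute 'id' the ebMS schema declares on eb:Messaging."""
    if not uri.startswith("#"):
        raise ValueError("only same-document references supported: %r" % uri)
    wanted = uri[1:]
    hits = [e for e in root.iter() if e.get(WSU_ID) == wanted
            or (e.tag == EB_MESSAGING and e.get("id") == wanted)]
    if len(hits) != 1:  # an ID value must be unique, or the signature is ambiguous
        raise ValueError("reference %r matched %d elements" % (uri, len(hits)))
    return hits[0]

def signed_elements(xml_text):
    """Local names of the elements the wsse:Security signature actually covers."""
    root = ET.fromstring(xml_text)
    refs = root.findall("S:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference", NS)
    return [resolve_reference(root, r.get("URI")).tag.rsplit("}", 1)[1] for r in refs]

def partyinfo_in_clear(xml_text):
    """AS4: eb:PartyInfo SHALL NOT be encrypted. Had it, or the whole eb:Messaging
    header, been encrypted it would be xenc:EncryptedData and this lookup fails."""
    root = ET.fromstring(xml_text)
    return root.find("S:Header/eb:Messaging/eb:UserMessage/eb:PartyInfo", NS) is not None

SAMPLE = """<S:Envelope xmlns:S="%(S)s" xmlns:eb="%(eb)s" xmlns:wsu="%(wsu)s"
  xmlns:wsse="%(wsse)s" xmlns:ds="%(ds)s"><S:Header>
  <eb:Messaging id="hdr-1" S:mustUnderstand="true"><eb:UserMessage>
    <eb:PartyInfo><eb:From><eb:PartyId>partyA</eb:PartyId></eb:From></eb:PartyInfo>
  </eb:UserMessage></eb:Messaging>
  <wsse:Security><ds:Signature><ds:SignedInfo>
    <ds:Reference URI="#hdr-1"/><ds:Reference URI="#body-1"/>
  </ds:SignedInfo></ds:Signature></wsse:Security>
</S:Header><S:Body wsu:Id="body-1"/></S:Envelope>""" % NS

if __name__ == "__main__":
    print(signed_elements(SAMPLE), partyinfo_in_clear(SAMPLE))
```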