OASIS Mailing List Archives

 



ekmi message



Subject: Re: [ekmi] SKSML Spec changes uploaded for your review



Anil,
You are right. It is consistent with the XML in the spec to say that XML 
encryption is used (the symmKey is encrypted in the XML). XML digital 
signatures are not used in the spec though, but are only used in the SOAP 
or W3C bindings.

Is that not right?

Is it also not appropriate to remove the "SOAP Body", "SOAP Envelope", 
"SOAP Error" and "SOAP Header" from the glossary? They should now belong 
in the SOAP WSS binding document, which is supposed to be a separate 
document, right?

Regards,
Tomas


On 08/16/2010 07:49 PM, Anil Saldhana wrote:
> Tomas,
> the message payload still needs to be secured (non-repudiation,
> integrity, confidentiality). Either XML Signature or encryption or both
> can be used. If there is a need for transport level security, that can
> be used. But I feel seeing the key in an unsecured manner makes me feel
> uncomfortable. :)
>
> At a bare minimum, xml encryption needs to be used for the key. Outside
> of that, either xmldsig or mutual tls can be used.
>
> Open to further discussion.
>
> Regards,
> Anil
>
> On 08/16/2010 12:41 PM, Tomas Gustavsson wrote:
>>
>> Hi,
>>
>> Anil, I have one question about the changes.
>>
>> The change to:
>> -----
>> SKSML relies on XML Signature and XML Encryption. Relying only the on the WSS profile
>> that uses RSA cryptographic key-pairs and digital certificates, SKSML uses the digital
>> signatures for authenticity and message-integrity, while using RSA-encryption for
>> confidentiality;
>> -----
>>
>> I interpret the change as that we want to decouple the SKSML messages,
>> which in itself are not signed and encrypted, but instead rely on
>> signature and encryption features of the transport (SOAP in the old
>> case).
>> If an email or rest type protocol is used instead of SOAP, could we
>> not depend on the transport security (TLS client cert authentication
>> for example) instead of XML signatures and encryption? Would it not
>> then be better to simply say "digital signatures and encryption"?
>>
>> Regards,
>> Tomas
>>
>>
>> On 08/16/2010 06:30 PM, Anil Saldhana wrote:
>>> Tomas,
>>> we have a meeting tomorrow. I must have read the calendar wrong. 17th it
>>> is.
>>>
>>> Regards,
>>> Anil
>>>
>>> On 08/16/2010 10:08 AM, Tomas Gustavsson wrote:
>>>>
>>>> Did we move the meeting to 17th? It says so in the calendar, but it
>>>> says 16th below.
>>>>
>>>> Cheers,
>>>> Tomas
>>>>
>>>>
>>>> On 08/06/2010 12:25 AM, Anil Saldhana wrote:
>>>>> Hi all,
>>>>> for our August 16th meeting, it is important that you review and provide
>>>>> feedback for the spec changes. We can then vote for the spec to be sent
>>>>> for the 15 day public review.
>>>>>
>>>>> Spec:
>>>>> http://www.oasis-open.org/committees/document.php?document_id=38898
>>>>>
>>>>> Description of changes made:
>>>>> http://www.oasis-open.org/committees/document.php?document_id=38899
>>>>>
>>>>> Schema Files:
>>>>> http://www.oasis-open.org/apps/org/workgroup/ekmi/download.php/38900/sksml-schema.zip
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Regards,
>>>>> Anil

