OASIS Mailing List Archives

regrep-security message

Subject: RE: Error Response for signature Validation failure


Unfortunately, MSG discourages use of other errorCodes
than those defined in the spec (Sec 8.8.3.1 second para
"Use of non-ebXML values for errorCodes is NOT RECOMMENDED.
In addition, an implementation of this specification MUST NOT
use its own errorCodes if an existing errorCode as defined
in this section has the same or very similar meaning.")
This limits us to use the errorCode "SecurityFailure" that 
maps to "Validation of signatures ... failed."
Farrukh, you might be seeing something that I am not,
in which case, please let me know.
As for SOAP Fault, not sure what other bindings you are
thinking about (not using SOAP at all?) I don't like
using SOAP Fault from a design point of view, rather
would like to have it in the MSG layer. I would like
to understand where you are coming from.

Cheers,
-Suresh

-----Original Message-----
From: Farrukh Najmi [mailto:Farrukh.Najmi@sun.com]
Sent: Monday, September 24, 2001 11:03 AM
To: Damodaran, Suresh
Cc: 'Sekhar.Vajjhala@Sun.COM'; regrep-security@lists.oasis-open.org
Subject: Re: Error Response for signature Validation failure


We should avoid use of SOAP Fault as we may have bindings other than SOAP.

I suggest we use a RegistryError response with an errorCode =
"SignatureValidationError".

---------------Snippet from Registry.xsd schema file relevant to above suggestion-----------------

 <element name = "RegistryError">
  <complexType>
   <simpleContent>
    <extension base = "string">
     <attribute name = "codeContext" use = "required" type = "string"/>
     <attribute name = "errorCode" use = "required" type = "string"/>
     <attribute name = "severity" use = "optional" type = "tns:ErrorType"/>
     <attribute name = "location" type = "string"/>
    </extension>
   </simpleContent>
  </complexType>
 </element>
 <element name = "RegistryResponse">
  <complexType>
   <sequence>
    <choice minOccurs = "0">
     <element ref = "tns:AdhocQueryResponse"/>
     <element ref = "tns:GetContentResponse"/>
     <element ref = "tns:GetClassificationTreeResponse"/>
     <element ref = "tns:GetClassifiedObjectsResponse"/>
     <element ref = "tns:GetRootClassificationNodesResponse"/>
    </choice>
    <element ref = "tns:RegistryErrorList" minOccurs = "0"/>
   </sequence>
   <attribute name = "status" use = "required">
    <simpleType>
     <restriction base = "NMTOKEN">
      <enumeration value = "success"/>
      <enumeration value = "failure"/>
     </restriction>
    </simpleType>
   </attribute>
  </complexType>
 </element>


"Damodaran, Suresh" wrote:

> Sekhar,
>
> Good point. ebXML MSG already has an error code
> for Signature failure - see TRP 1.0 section 8.8.5.2
> "SecurityFailure." Were you asking whether we need
> more application level semantic added to the error
> message? I am not sure how best to do this with MSG.
> For V2.0, perhaps we can limit to simply specifying
> that the specified error would be flagged, and assume
> error handling is done by MSG?
>
> Yet another option is to use SOAP Fault. This will work
> even if we do not use MSG. Something to look at later.
>
> Regards,
> -Suresh
>
> -----Original Message-----
> From: sekhar vajjhala [mailto:sekhar.vajjhala@Sun.COM]
> Sent: Thursday, September 20, 2001 3:52 PM
> To: regrep-security@lists.oasis-open.org
> Subject: Error Response for signature Validation failure
>
> One thing I did not specify in the usage of XML DSIG for Registry
> is what happens if there is a signature validation failure.
>
> Specifically, the behaviour needs to be specified for the case
> where the Registry's validation of the Registry Client's signature
> fails. In this case the Registry would have to return an ebXML error
> message.
>
> But should there be a more detailed error code? In Version 1.0 of the
> Registry Spec, the DTD at the end seems to indicate that
> an error code from ebMS (ebXML Message Service) specification would
> be returned.
>
> --
> Sekhar
>
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>
>

--
Regards,
Farrukh
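The thread weighs two ways of reporting a failed client-signature check: Farrukh's registry-specific errorCode "SignatureValidationError" carried in a RegistryError, and Suresh's reading of the MSG spec that restricts implementations to the existing "SecurityFailure" code. The example below is added here and is not code from the thread, from the OASIS registry project, or from any ebXML implementation. It builds a RegistryResponse with status="failure" using the element and attribute names from the Registry.xsd snippet above, parses one back while enforcing the constraints that snippet expresses (the status enumeration, the required codeContext and errorCode attributes), and flags whether the errorCode is one MSG already defines. The namespace URI, the assumption that RegistryErrorList directly contains RegistryError elements, and the severity value "Error" are assumptions, since the snippet does not define them.

```python
import xml.etree.ElementTree as ET

# The snippet uses the "tns" prefix but never shows its URI; this is a placeholder.
TNS = "urn:example:registry-placeholder"
ET.register_namespace("tns", TNS)

# "SecurityFailure" is the ebXML MSG errorCode cited in the thread (TRP 1.0, 8.8.5.2);
# "SignatureValidationError" is the registry-specific code proposed in the thread.
MSG_ERROR_CODES = {"SecurityFailure"}
PROPOSED_ERROR_CODES = {"SignatureValidationError"}


def q(local):
    """Qualified (Clark-notation) tag name in the assumed registry namespace."""
    return "{%s}%s" % (TNS, local)


def build_failure_response(error_code, code_context, severity=None, location=None):
    """Return a RegistryResponse document (as text) with status="failure" and one
    RegistryError. Assumption: RegistryErrorList (only referenced in the snippet)
    holds RegistryError children. codeContext and errorCode are required by the
    schema; severity and location are optional, so they are emitted only if given."""
    resp = ET.Element(q("RegistryResponse"), {"status": "failure"})
    err_list = ET.SubElement(resp, q("RegistryErrorList"))
    attrs = {"codeContext": code_context, "errorCode": error_code}
    if severity is not None:
        attrs["severity"] = severity      # value of tns:ErrorType; "Error" is assumed
    if location is not None:
        attrs["location"] = location
    err = ET.SubElement(err_list, q("RegistryError"), attrs)
    err.text = code_context               # simpleContent extends string
    return ET.tostring(resp, encoding="unicode")


def parse_registry_response(xml_text):
    """Parse a RegistryResponse and enforce what the snippet states:
    status must be 'success' or 'failure', every RegistryError must carry
    codeContext and errorCode, and a failure must report at least one error.
    Returns (status, list_of_error_dicts); raises ValueError on violation."""
    root = ET.fromstring(xml_text)
    if root.tag != q("RegistryResponse"):
        raise ValueError("root element is not RegistryResponse")
    status = root.get("status")
    if status not in ("success", "failure"):
        raise ValueError("status must be 'success' or 'failure', got %r" % (status,))
    errors = []
    for err in root.iter(q("RegistryError")):
        code = err.get("errorCode")
        ctx = err.get("codeContext")
        if code is None or ctx is None:
            raise ValueError("RegistryError is missing a required attribute")
        errors.append({
            "errorCode": code,
            "codeContext": ctx,
            "severity": err.get("severity"),
            "location": err.get("location"),
        })
    if status == "failure" and not errors:
        raise ValueError("failure response carries no RegistryError")
    return status, errors


def uses_msg_error_code(errors):
    """True when every errorCode is one that MSG already defines, i.e. the
    response satisfies the restriction Suresh quotes from MSG 8.8.3.1."""
    return all(e["errorCode"] in MSG_ERROR_CODES for e in errors)


if __name__ == "__main__":
    # Constructed sample: the two candidate responses for a failed client signature.
    msg_style = build_failure_response("SecurityFailure",
                                       "Validation of the client's XML DSIG signature failed",
                                       severity="Error", location="/RegistryRequest")
    proposed = build_failure_response("SignatureValidationError",
                                      "Client signature did not verify")
    for doc in (msg_style, proposed):
        status, errs = parse_registry_response(doc)
        print(status, errs[0]["errorCode"], "MSG-defined" if uses_msg_error_code(errs) else "registry-specific")
```

The parser is the registry-client side of the exchange: a client that only knows MSG error codes can still recover the detailed reason from codeContext, which is why keeping "SecurityFailure" as the errorCode and placing the signature-specific detail in codeContext satisfies both positions in the thread without stepping outside the schema.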
