Subject: RE: Error Response for signature Validation failure
Unfortunately, MSG discourages use of other errorCodes than those defined in the spec (Sec 8.8.3.1 second para "Use of non-ebXML values for errorCodes is NOT RECOMMENDED. In addition, an implementation of this specification MUST NOT use its own errorCodes if an existing errorCode as defined in this section has the same or very similar meaning.") This limits us to use the errorCode "SecurityFailure" that maps to "Validation of signatures ... failed."

Farrukh, you might be seeing something that I am not, in which case, please let me know.

As for SOAP Fault, not sure what other bindings you are thinking about (not using SOAP at all?) I don't like using SOAP Fault from a design point of view, rather would like to have it in the MSG layer. I would like to understand where you are coming from.

Cheers,
-Suresh

-----Original Message-----
From: Farrukh Najmi [mailto:Farrukh.Najmi@sun.com]
Sent: Monday, September 24, 2001 11:03 AM
To: Damodaran, Suresh
Cc: 'Sekhar.Vajjhala@Sun.COM'; regrep-security@lists.oasis-open.org
Subject: Re: Error Response for signature Validation failure

We should avoid use of SOAP Fault as we may have bindings other than SOAP. I suggest we use a RegistryError response with an errorCode = "SignatureValidationError".

---------------Snippet from Registry.xsd schema file relevant to above suggestion-----------------

<element name = "RegistryError">
  <complexType>
    <simpleContent>
      <extension base = "string">
        <attribute name = "codeContext" use = "required" type = "string"/>
        <attribute name = "errorCode" use = "required" type = "string"/>
        <attribute name = "severity" use = "optional" type = "tns:ErrorType"/>
        <attribute name = "location" type = "string"/>
      </extension>
    </simpleContent>
  </complexType>
</element>

<element name = "RegistryResponse">
  <complexType>
    <sequence>
      <choice minOccurs = "0">
        <element ref = "tns:AdhocQueryResponse"/>
        <element ref = "tns:GetContentResponse"/>
        <element ref = "tns:GetClassificationTreeResponse"/>
        <element ref = "tns:GetClassifiedObjectsResponse"/>
        <element ref = "tns:GetRootClassificationNodesResponse"/>
      </choice>
      <element ref = "tns:RegistryErrorList" minOccurs = "0"/>
    </sequence>
    <attribute name = "status" use = "required">
      <simpleType>
        <restriction base = "NMTOKEN">
          <enumeration value = "success"/>
          <enumeration value = "failure"/>
        </restriction>
      </simpleType>
    </attribute>
  </complexType>
</element>

"Damodaran, Suresh" wrote:

> Sekhar,
>
> Good point. ebXML MSG already has an error code
> for Signature failure - see TRP 1.0 section 8.8.5.2
> "SecurityFailure." Were you asking whether we need
> more application level semantic added to the error
> message? I am not sure how best to do this with MSG.
> For V2.0, perhaps we can limit to simply specifying
> that the specified error would be flagged, and assume
> error handling is done by MSG?
>
> Yet another option is to use SOAP Fault. This will work
> even if we do not use MSG. Something to look at later.
>
> Regards,
> -Suresh
>
> -----Original Message-----
> From: sekhar vajjhala [mailto:sekhar.vajjhala@Sun.COM]
> Sent: Thursday, September 20, 2001 3:52 PM
> To: regrep-security@lists.oasis-open.org
> Subject: Error Response for signature Validation failure
>
> One thing I did not specify in the usage of XML DSIG for Registry,
> is what happens if there is a signature validation failure.
>
> Specifically, the behaviour needs to be specified for the case
> where the Registry's validation of the Registry Client's signature
> fails. In this case the Registry would have to return an ebXML error
> message.
>
> But should there be a more detailed error code? In Version 1.0 of the
> Registry Spec, the DTD at the end seems to indicate that
> an error code from ebMS (ebXML Message Service) specification would
> be returned.
>
> --
> Sekhar
>
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>

--
Regards,
Farrukh
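
Added example, not part of the original messages or of the Registry specification: a Python sketch that builds the failure RegistryResponse discussed above with each of the two proposed errorCode values and checks it against the attribute rules in the quoted Registry.xsd snippet. The shape of RegistryErrorList, the omission of namespaces, and the codeContext and detail strings are assumptions.

```python
import xml.etree.ElementTree as ET

# Rules taken from the quoted RegistryError / RegistryResponse declarations.
REQUIRED_ERROR_ATTRS = ("codeContext", "errorCode")
STATUS_VALUES = ("success", "failure")


def signature_failure_response(error_code, code_context, detail):
    """Build a status="failure" RegistryResponse carrying one RegistryError."""
    response = ET.Element("RegistryResponse", {"status": "failure"})
    # Assumption: RegistryErrorList directly wraps RegistryError elements;
    # its declaration is not in the quoted snippet. Namespaces are omitted.
    error_list = ET.SubElement(response, "RegistryErrorList")
    error = ET.SubElement(
        error_list, "RegistryError",
        {"codeContext": code_context, "errorCode": error_code},
    )
    error.text = detail  # RegistryError is a string with attributes
    return response


def check_response(response):
    """Return violations of the quoted attribute rules (empty list if none)."""
    if response.tag != "RegistryResponse":
        return ["root element is not RegistryResponse"]
    problems = []
    status = response.get("status")
    if status not in STATUS_VALUES:
        problems.append(f"status {status!r} is not success or failure")
    for i, err in enumerate(response.iter("RegistryError")):
        for attr in REQUIRED_ERROR_ATTRS:
            if err.get(attr) is None:
                problems.append(f"RegistryError[{i}] lacks required {attr}")
    return problems


# Constructed sample values; only the two errorCode strings come from the thread.
CONTEXT = "XML DSIG validation of client request"
DETAIL = "Signature on the request could not be validated"

if __name__ == "__main__":
    for code in ("SecurityFailure", "SignatureValidationError"):
        resp = signature_failure_response(code, CONTEXT, DETAIL)
        print(check_response(resp), ET.tostring(resp, encoding="unicode"))
```

Both codes pass the check because the snippet declares errorCode as a plain string, so the choice between them is a matter of specification policy rather than something the schema enforces.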