

Subject: Re: [regrep] Alignment with Web Services Security


Farrukh,

Surely if people are looking to sign content - the ebMS interface
already provides all that functionality - no need to re-invent the
wheel here.

DW.

----- Original Message ----- 
From: "Farrukh Najmi" <Farrukh.Najmi@Sun.COM>
To: "Chiusano Joseph" <chiusano_joseph@bah.com>
Cc: <regrep@lists.oasis-open.org>
Sent: Wednesday, March 10, 2004 9:20 AM
Subject: Re: [regrep] Alignment with Web Services Security


> Chiusano Joseph wrote:
>
> >Thanks Farrukh. Could you please elaborate more concretely as to how
> >this would affect any use of WSS with our Registry specs? On the surface
> >I'm not seeing the connection...
> >
> >IOW, how would wsu:Id be used within a WSS Security SOAP header to refer
> >to an entity that is registered within an ebXML Registry? I see it
> >referring to security tokens - are you leaving open the possibility that
> >the Registry could serve as a certificate store, perhaps?
> >
> >
> Thanks Joe. You are correct that in many cases the use of wsu:Id would
> be limited to referencing security tokens and there is no concern in
> such cases since registry objects and their ids are not involved.
>
> But as I understand things, that is not all that is possible....
>
> The "Web Services Security: SOAP Message Security 1.0" spec at line 375
> states:
>
> "There are many situations where elements within SOAP messages need to
> be referenced. For example, when signing a SOAP message, selected
> elements are included in the scope of the signature."
>
> I am assuming that if we specify which elements in our soap body are
> signed using their id then we would run into this problem. There may be
> other situations that we cannot see right now as well.
>
>
> >Joe
> >
> >Farrukh Najmi wrote:
> >
> >
> >>Chiusano Joseph wrote:
> >>
> >>
> >>
> >>>Here is some additional information on wsu:Id which may or may not
> >>>change our perspective:
> >>>
> >>>- The wsu:Id attribute is defined so that recipients don't have to
> >>>understand the full schema of the message for processing of the security
> >>>elements;
> >>>
> >>>- The wsu:Id attribute provides a well-known attribute for specifying
> >>>the *local ID* of an element - that is, the ID of an element within an
> >>>XML document;
> >>>
> >>>- The WSS SOAP Message Security specification does not specify how this
> >>>attribute will be used, and "it is expected that other specifications
> >>>MAY add additional semantics (or restrictions) for their usage of this
> >>>attribute."
> >>>
> >>>- There are multiple places in the WSS SOAP Message Security spec in
> >>>which the wsu:Id attribute is defined as a "string label" (ex: line 528)
> >>>rather than as type xsd:ID - not sure if a URI would be considered a
> >>>"string label";
> >>>
> >>>
> >>>
> >>>
> >>The bottom line is the definition:
> >>
> >> <xsd:attribute name="Id" type="xsd:ID">
> >>
> >>within http://www.docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
> >>
> >>which makes it quite unusable for us.
> >>
> >>A simple fix would be to change above to:
> >>
> >><xsd:attribute name="Id" type="xsd:string">
> >>
> >>That would address my main concern with this spec.
> >>
> >>
> >>
> >>>Joe
> >>>
> >>>
> >>>Farrukh Najmi wrote:
> >>>
> >>>
> >>>
> >>>
> >>>>Team,
> >>>>
> >>>>The Web Services Security 1.0 specs are in OASIS member review for
> >>>>becoming an OASIS standard
> >>>>(see announcement below from earlier this month).
> >>>>
> >>>>I would like to propose that we consider the issue of whether we should
> >>>>align V3 with the WSS specs.
> >>>>
> >>>>I have read the specs and have found one small but significant issue for
> >>>>its use by us.
> >>>>
> >>>>Section 4 of the "Web Services Security: SOAP Message Security 1.0" spec
> >>>>specifies wsu:Id as an xsd:ID type. This prevents the possibility of
> >>>>using URI or UUID as an id.
> >>>>This is an unfortunate restriction because many systems (including ebXML
> >>>>Registry) use urn:uuid based ids and also other URNs as ids.
> >>>>
> >>>>Recall that we ran into this exact situation in ebXML Registry specs and
> >>>>decided to change the type of our id attribute to string from xsd:ID.
> >>>>
> >>>>This issue needs to be addressed IMO by the WSS TC in order for us to use
> >>>>the WSS specs.
> >>>>If it were addressed then I would be in favour of aligning with this spec
> >>>>for ebXML Registry version 3.
> >>>>
> >>>>Thoughts.
> >>>>
> >>>>--
> >>>>Regards,
> >>>>Farrukh
> >>>>
> >>>>-------- Original Message --------
> >>>>
> >>>>Subject:        [OASIS members] WSS specification submitted for OASIS Standard
> >>>>Date:   Mon, 01 Mar 2004 08:31:59 -0500
> >>>>From:   Karl F. Best <karl.best@oasis-open.org>
> >>>>Reply-To:       karl.best@oasis-open.org
> >>>>Organization:   OASIS
> >>>>To:     members@lists.oasis-open.org, tc-announce@lists.oasis-open.org
> >>>>
> >>>>OASIS members:
> >>>>
> >>>>The OASIS Web Services Security TC (WSS TC) has submitted the Web
> >>>>Services Security v1.0 specification, which is an approved Committee
> >>>>Draft, for review and consideration for approval by OASIS members to
> >>>>become an OASIS Standard. The TC's submission is attached below.
> >>>>
> >>>>In accordance with the OASIS Technical Process, the specification has
> >>>>already gone through a 30 day public review period. OASIS members now
> >>>>have 15 days to familiarize themselves with the submission. By the 16th
> >>>>of the month I will send out a Call For Vote to the voting
> >>>>representative of each OASIS member organization, who will have until
> >>>>the end of the month to cast their ballots on whether this Committee
> >>>>Draft should be approved as an OASIS Standard. OASIS members should give
> >>>>their input on this question to the voting reps of their respective
> >>>>organizations.
> >>>>
> >>>>The normative TC Process for approval of Committee Drafts as OASIS
> >>>>Standards is found at
> >>>>http://www.oasis-open.org/committees/process.php#standard
> >>>>
> >>>>Please note that statements related to the IPR of this specification are
> >>>>posted at http://www.oasis-open.org/committees/wss/ipr.php
> >>>>
> >>>>-Karl
> >>>>
> >>>>=================================================================
> >>>>Karl F. Best
> >>>>Vice President, OASIS
> >>>>office +1 978.667.5115 x206 mobile +1 978.761.1648
> >>>>karl.best@oasis-open.org http://www.oasis-open.org
> >>>>
> >>>>To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to
> >>>>http://www.oasis-open.org/apps/org/workgroup/regrep/members/leave_workgroup.php.
> >>>>
> >>>>
> >>>>
> >>>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>--
> >>Regards,
> >>Farrukh
> >>
> >>
> >
> >
> >
> >
>
>
> -- 
> Regards,
> Farrukh
>
>
>
>
>
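
Added example, not part of the original thread or of either specification: a Python check of the constraint discussed above, that a value typed xsd:ID must be an NCName and unique within the document, so urn:uuid-style registry ids are rejected as wsu:Id. The sample document, its id values and the function names are constructed for illustration; the NCName character ranges follow the XML 1.0 (Fifth Edition) Name production with ':' removed.

```python
import re
import xml.etree.ElementTree as ET

WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")

# NCName = XML Name without ':' (ranges from XML 1.0 Fifth Edition).
_START = ("A-Z_a-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D"
          "\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF"
          "\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\U00010000-\U000EFFFF")
_REST = _START + "0-9.\u00B7\u0300-\u036F\u203F-\u2040-"
NCNAME = re.compile(f"[{_START}][{_REST}]*")

COLON = "contains ':' so it is not an NCName"
NOT_NCNAME = "not an NCName (bad first or later character)"
DUPLICATE = "duplicate xsd:ID within the document"

def is_ncname(value):
    return NCNAME.fullmatch(value) is not None

def check_wsu_ids(xml_text):
    """Return [(id_value, reason_or_None)] for each wsu:Id, in document order."""
    seen, report = set(), []
    for element in ET.fromstring(xml_text).iter():
        value = element.get(f"{{{WSU}}}Id")
        if value is None:
            continue
        if value in seen:
            reason = DUPLICATE
        elif ":" in value:
            reason = COLON
        elif not is_ncname(value):
            reason = NOT_NCNAME
        else:
            reason = None
        seen.add(value)
        report.append((value, reason))
    return report

# Constructed sample: a body holding registry objects identified three ways.
SAMPLE = f"""<Envelope xmlns:wsu="{WSU}">
  <Body wsu:Id="body-1">
    <RegistryObject wsu:Id="urn:uuid:a1b2c3d4-0000-4000-8000-000000000001"/>
    <RegistryObject wsu:Id="4f9e2c1a-0000-4000-8000-000000000002"/>
    <RegistryObject wsu:Id="body-1"/>
  </Body>
</Envelope>"""

if __name__ == "__main__":
    for value, reason in check_wsu_ids(SAMPLE):
        print(f"{value!r}: {reason or 'valid xsd:ID'}")
```

ElementTree does not apply schema types, which is why the sample parses at all; a schema-validating processor would reject the last three ids.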


