ws-sx message


Subject: REVISED Proposal: i016 sp:SignedParts mechanism


Revised Proposal:

Note: Line numbers are from the version @ 
http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/17050/ws-securitypolicy-1.2-spec-ed-01-r04.doc

Append the following text to the end of the section describing the 
/sp:SignedParts/sp:Header (lines 592-598):

"This assertion only applies to SOAP header elements targeted to the same 
actor/role as the Security header impacted by the policy. If it is 
necessary to specify a requirement to sign specific SOAP Header elements 
targeted to a different actor/role, that may be accomplished using the 
sp:SignedElements assertion."

Thanks,
Mike

Michael McIntosh/Watson/IBM@IBMUS wrote on 02/07/2006 09:40:10 AM:

> Description
> 
> Section 4.1.1 SignedParts provides a mechanism to specify which "parts" of 
> a message are required to be integrity protected. The current text 
> indicates that, for the sp:SignedParts element, "If no child elements are 
> specified, all message headers targeted at the UltimateReceiver role 
> [SOAP12] or actor [SOAP11] and the body of the message MUST be integrity 
> protected." However, it isn't clear whether sp:Header elements, when 
> specified, impact all matching header elements or only those targeted at 
> the UltimateReceiver. Also, there is currently no way to specify that a 
> header not targeted to UltimateReceiver must be signed.
> 
> Proposal
> 
> @ Line 575
> 
> Syntax
> <sp:SignedParts ... >
>    <sp:Body />?
>    <sp:Header Name="xs:NCName"? Namespace="xs:anyURI" Target="xs:anyURI" ... />*
>    ...
> </sp:SignedParts>
> 
> @ Line 599
> 
> /sp:SignedParts/sp:Header/@Name
> This optional attribute indicates the local name of the SOAP header to be 
> integrity protected. If this attribute is not specified, all SOAP headers 
> whose namespace and target match the Namespace and Target attributes are 
> to be protected.
> 
> /sp:SignedParts/sp:Header/@Namespace
> This required attribute indicates the namespace of the SOAP header(s) to 
> be integrity protected.
> 
> /sp:SignedParts/sp:Header/@Target
> This optional attribute indicates the role [SOAP12] or actor [SOAP11] of 
> the SOAP header(s) to be integrity protected. If this attribute is not 
> specified, all SOAP headers targeted at the UltimateReceiver role [SOAP12] 
> or actor [SOAP11] whose namespace matches the Namespace attribute are to 
> be protected.
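
The matching rule in the revised text, worked through as an added Python example (not part of the original message or of the WS-SecurityPolicy specification): given the actor/role of the Security header a policy applies to, it lists the header blocks that one sp:Header assertion covers. The function names, the `urn:example` names and the sample envelope are assumptions made for illustration; an absent role/actor is treated as the ultimate receiver.

```python
import xml.etree.ElementTree as ET

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
ULTIMATE = SOAP12 + "/role/ultimateReceiver"

def normalize(target):
    """Absent, empty, or the SOAP 1.2 ultimateReceiver URI all mean ultimate receiver (None)."""
    return None if target in (None, "", ULTIMATE) else target

def headers_to_sign(envelope_xml, security_target, namespace, name=None):
    """Local names of the header blocks one sp:Header assertion covers, for the
    Security header targeted at security_target (None = ultimate receiver)."""
    root = ET.fromstring(envelope_xml)
    soap_ns = root.tag[1:].partition("}")[0] if root.tag.startswith("{") else ""
    if soap_ns not in (SOAP11, SOAP12):
        raise ValueError("not a SOAP 1.1 or 1.2 envelope")
    target_attr = "{%s}%s" % (soap_ns, "actor" if soap_ns == SOAP11 else "role")
    header_block = root.find("{%s}Header" % soap_ns)
    if header_block is None:
        return []
    covered = []
    for block in header_block:
        if not block.tag.startswith("{"):
            continue  # unqualified header block: cannot match a Namespace
        ns, _, local = block.tag[1:].partition("}")
        if ns != namespace or (name is not None and local != name):
            continue
        # Revised rule: only blocks with the same actor/role as the Security header.
        if normalize(block.get(target_attr)) == normalize(security_target):
            covered.append(local)
    return covered

# Constructed sample message (all urn:example names are made up).
ENVELOPE = """<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"
                            xmlns:h="urn:example:hdr">
  <env:Header>
    <h:Routing env:role="urn:example:intermediary"/>
    <h:Audit/>
    <h:Priority env:role="http://www.w3.org/2003/05/soap-envelope/role/ultimateReceiver"/>
  </env:Header>
  <env:Body/>
</env:Envelope>"""

if __name__ == "__main__":
    print(headers_to_sign(ENVELOPE, None, "urn:example:hdr"))
    print(headers_to_sign(ENVELOPE, "urn:example:intermediary", "urn:example:hdr"))
    print(headers_to_sign(ENVELOPE, None, "urn:example:hdr", name="Routing"))
```

The last call returns an empty list: a Routing header aimed at the intermediary is outside what sp:SignedParts covers for the ultimate receiver's Security header, which is the case the revised text hands to sp:SignedElements.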
