Subject: RE: [ws-sx] security policy help for example C.3.2
Frederick,

I've looked into this and believe that the presence of a reference to the RecipientToken in the message signature in the example in C.3.2 is erroneous and should be removed (line 3346 in [1]). Similarly, the presence of a reference to the InitiatorToken in the message signature in the example in C.3.3 is erroneous and should be removed (line 3502 in [1]). The reason for these changes is that [Token Protection] protects the token that created the signature, not all tokens in a message.

In addition, I noticed that the sentence at lines 3418-3420 in Section C.3.3 of [1] that currently reads:

  If [Token Protection] is 'true' and the [Initiator Token] is specified, then the signature MUST also cover the [Initiator Token].

should read:

  If [Token Protection] is 'true' then the signature MUST also cover the [Recipient Token].

Cheers

Gudge

[1] http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/18837/ws-securitypolicy-1.2-spec-ed-01-r07.pd

> -----Original Message-----
> From: Frederick Hirsch [mailto:frederick.hirsch@nokia.com]
> Sent: 07 July 2006 22:48
> To: ws-sx@lists.oasis-open.org
> Cc: Hirsch Frederick
> Subject: [ws-sx] security policy help for example C.3.2
>
> ws-securitypolicy-1.2-spec-ed-01-r07-diff
>
> <http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/18836/ws-securitypolicy-1.2-spec-ed-01-r07-diff.doc>
>
> I need help understanding the message example in C3.2 which I believe
> is supposed to correspond to the policy in C3.1.
>
> Specifically I do not understand what policy element directed that
> RecipientToken be included with a ds:Reference in the message
> signature.
>
> To reiterate:
> Timestamp is always included, due to binding rules.
> SomeUsernameToken and SomeSupportingToken are included since any
> Signed?SupportingToken includes the token in the message
> reference list.
> InitiatorToken is included due to the ProtectTokens policy, which
> says that the token associated with the key used to generate the
> signature should be included as a reference.
> Header1, Header2 and Body are included since they are listed in
> SignedParts.
>
> Which policy directive causes RecipientToken to be included?
>
> If it is ProtectTokens then I need to raise an issue since the text
> isn't clear. If it isn't then why is RecipientToken in the
> ds:References list?
>
> regards, Frederick
>
> Frederick Hirsch
> Nokia
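The coverage rule the thread settles on (Timestamp always, SignedParts and Signed*SupportingTokens by their assertions, and [Token Protection] adding only the token that made the signature) can be checked mechanically. The following is an added example, not code from the ws-sx list or the WS-SecurityPolicy spec; the message skeleton, element names and wsu:Id values are constructed to mirror the shape of the C.3.2 example and are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsu": ("http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-utility-1.0.xsd"),
}
WSU_ID = "{%s}Id" % NS["wsu"]
DS_REF = "{%s}Reference" % NS["ds"]

# Constructed message skeleton (not the spec's text) shaped like the
# C.3.2 example under discussion: the signature references the
# Timestamp, both tokens, the supporting UsernameToken and the Body.
SAMPLE = """<Envelope xmlns:ds="{ds}" xmlns:wsu="{wsu}">
  <Header><Security>
    <Timestamp wsu:Id="TS"/>
    <InitiatorToken wsu:Id="IT"/>
    <RecipientToken wsu:Id="RT"/>
    <UsernameToken wsu:Id="UT"/>
    <ds:Signature><ds:SignedInfo>
      <ds:Reference URI="#TS"/><ds:Reference URI="#IT"/>
      <ds:Reference URI="#RT"/><ds:Reference URI="#UT"/>
      <ds:Reference URI="#Body"/>
    </ds:SignedInfo></ds:Signature>
  </Security></Header>
  <Body wsu:Id="Body"/>
</Envelope>""".format(**NS)


def check_coverage(xml_text, signing_token, protect_tokens,
                   signed_parts, supporting_tokens):
    """Compare what the signature references against what the policy
    requires. Returns (missing, unrequired) as sorted local names."""
    root = ET.fromstring(xml_text)
    # wsu:Id -> local element name, for every element carrying an Id
    tag_of_id = {el.get(WSU_ID): el.tag.split("}")[-1]
                 for el in root.iter() if el.get(WSU_ID)}
    referenced = {tag_of_id[ref.get("URI").lstrip("#")]
                  for ref in root.iter(DS_REF)
                  if ref.get("URI").lstrip("#") in tag_of_id}
    # Binding rules: Timestamp always, then SignedParts and any
    # Signed*SupportingTokens named by the policy.
    required = {"Timestamp", *signed_parts, *supporting_tokens}
    # [Token Protection] adds only the token whose key made the signature.
    if protect_tokens:
        required.add(signing_token)
    return sorted(required - referenced), sorted(referenced - required)


if __name__ == "__main__":
    print(check_coverage(SAMPLE, "InitiatorToken", True,
                         ["Body"], ["UsernameToken"]))
```

With the sample message, RecipientToken comes back as referenced but not required by any assertion, which is exactly the reference the reply says should be dropped from C.3.2.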