ws-sx message


Subject: RE: [ws-sx] security policy help for example C.3.2


Frederick,

I've looked into this and believe that the presence of a reference to
the RecipientToken in the message signature in the example in C.3.2 is
erroneous and should be removed. (line 3346 in [1])

Similarly the presence of a reference to the InitiatorToken in the
message signature in the example in C.3.3 is erroneous and should be
removed. (line 3502 in [1])

The reason for these changes is that [Token Protection] protects the
token that created the signature, not all tokens in a message.

In addition, I noticed that the sentence at lines 3418-3420 in Section
C.3.3 of [1] that currently reads:

If [Token Protection] is 'true' and the [Initiator Token] is specified,
then the signature MUST also cover the [Initiator Token].

should read:

If [Token Protection] is 'true' then the signature MUST also cover the
[Recipient Token].

Cheers

Gudge

[1] http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/18837/ws-securitypolicy-1.2-spec-ed-01-r07.pd



> -----Original Message-----
> From: Frederick Hirsch [mailto:frederick.hirsch@nokia.com] 
> Sent: 07 July 2006 22:48
> To: ws-sx@lists.oasis-open.org
> Cc: Hirsch Frederick
> Subject: [ws-sx] security policy help for example C.3.2
> 
> ws-securitypolicy-1.2-spec-ed-01-r07-diff
> 
> <http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/18836/ws-securitypolicy-1.2-spec-ed-01-r07-diff.doc>
> 
> I need help understanding the message example in C3.2, which I believe
> is supposed to correspond to the policy in C3.1.
> 
> Specifically I do not understand what policy element directed that  
> RecipientToken be included with a ds:Reference in the message 
> signature.
> 
> To reiterate:
> Timestamp is always included, due to binding rules.
> SomeUsernameToken and SomeSupportingToken are included since any  
> Signed?SupportingToken includes the token in the message 
> reference list.
> InitiatorToken is included due to the ProtectTokens policy, which  
> says that the token associated with the key used to generate the  
> signature should be included as a reference.
> Header1, Header2 and Body are included since they are listed in  
> SignedParts.
> 
> Which policy directive causes RecipientToken to be included?
> 
> If it is ProtectTokens then I need to raise an issue since the text  
> isn't clear. If it isn't then why is RecipientToken in the  
> ds:References list?
> 
> regards, Frederick
> 
> Frederick Hirsch
> Nokia
> 
> 
> 
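The reasoning in the thread above amounts to a coverage rule: the set of ds:Reference targets a signature must contain is fixed by the binding (Timestamp), SignedParts, the Signed*SupportingTokens and, under ProtectTokens, only the token whose key produced the signature. The following is an added example, not code from the ws-sx list or the WS-SecurityPolicy spec; the policy dict, the id values and the SignedInfo fragment are constructed for illustration and simplify the real XML policy form.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

def expected_references(policy):
    """Return the set of wsu:Id values the message signature must cover.

    `policy` is a constructed dict, not the spec's XML form:
      signed_parts:      ids listed under sp:SignedParts (headers, body)
      signed_supporting: ids of Signed*SupportingTokens
      signing_token:     id of the token whose key produced the signature
      protect_tokens:    whether sp:ProtectTokens is asserted
    """
    refs = {"Timestamp"}                    # binding rules: always signed
    refs |= set(policy["signed_parts"])
    refs |= set(policy["signed_supporting"])
    if policy["protect_tokens"]:
        # [Token Protection] covers the token that created the signature,
        # not every token in the message, so RecipientToken stays out here.
        refs.add(policy["signing_token"])
    return refs

def actual_references(signed_info_xml):
    """Collect the fragment ids named by ds:Reference/@URI."""
    root = ET.fromstring(signed_info_xml)
    return {r.get("URI").lstrip("#") for r in root.iter(DS + "Reference")}

def check_signature_coverage(policy, signed_info_xml):
    """Return (missing, unexpected); both empty means the signature
    references exactly what the policy calls for."""
    want = expected_references(policy)
    have = actual_references(signed_info_xml)
    return want - have, have - want

# Constructed policy mirroring the C.3.1/C.3.2 discussion in the thread.
EXAMPLE_POLICY = {
    "signed_parts": ["Header1", "Header2", "Body"],
    "signed_supporting": ["SomeUsernameToken", "SomeSupportingToken"],
    "signing_token": "InitiatorToken",
    "protect_tokens": True,
}

# Constructed SignedInfo carrying the questioned RecipientToken reference.
EXAMPLE_SIGNED_INFO = (
    "<ds:SignedInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>"
    + "".join(f"<ds:Reference URI='#{i}'/>" for i in [
        "Timestamp", "SomeUsernameToken", "SomeSupportingToken",
        "InitiatorToken", "RecipientToken", "Header1", "Header2", "Body"])
    + "</ds:SignedInfo>")

if __name__ == "__main__":
    print(check_signature_coverage(EXAMPLE_POLICY, EXAMPLE_SIGNED_INFO))
    # → (set(), {'RecipientToken'})
```

A missing id means the message does not satisfy the policy; an unexpected one, as with RecipientToken here, means the example or the policy is out of step and should be revisited rather than silently accepted.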

