
Subject: RE: [ws-sx] RE: Issue 90: Description of Strict Formatting seems wrong for EncryptedKey



Martin Gudgin wrote:

> I believe that you are correct that 6.7.1 clause 4 is incorrect when
> applied generally to asymmetric bindings. The easiest fix is probably to
> remove the words 'top level' from line 1503 of [1].

I think it would be clearer to change clause 4 to say:

4. If there are any encrypted elements in the message then a top level
xenc:ReferenceList element or a top level xenc:EncryptedKey element
which contains a xenc:ReferenceList element MUST be present in the
security header. The xenc:ReferenceList or xenc:EncryptedKey MUST occur
before any xenc:EncryptedData elements in the security header that are
referenced from the reference list. However, the xenc:ReferenceList or
xenc:EncryptedKey is not required to appear before independently
encrypted tokens such as the xenc:EncryptedKey token as defined in WSS.


> 
> Did you also look at Appendix C.3 (which I think is more detailed than
> 6.7.1 and applies directly to the Asymmetric Binding)?

In general I think it is poor practice to expect the reader to deduce
processing rules from examples, which necessarily must show only a
single instance. 

As I mentioned on a previous call, I think it would be useful to have
some shorter, simpler examples. The current "kitchen sink" examples have
so many moving parts it is hard to see what bit of policy drives what
part of the message.

An alternative (but I admit it would be a lot of work) would be to
annotate every few lines of the message to indicate exactly which lines
in the policies were responsible for causing them to be included.

Hal

> 
> Regards
> 
> Gudge
> 
> [1]
> http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/18836/ws-securitypolicy-1.2-spec-ed-01-r07-diff.doc
> 
> > -----Original Message-----
> > From: Hal Lockhart [mailto:hlockhar@bea.com]
> > Sent: 18 July 2006 15:18
> > To: Marc Goodner; ws-sx@lists.oasis-open.org
> > Subject: [ws-sx] RE: Issue 90: Description of Strict
> > Formatting seems wrong for EncryptedKey
> >
> > As I mentioned on the last call, the WS-I Basic Security Profile was
> > written assuming that either a ReferenceList or an EncryptedKey would
> > appear at the top level for each encryption step, but not both. See
> > especially section 6.1 and section 10 of that document.
> >
> > http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html
> >
> > Hal
> >
> > > -----Original Message-----
> > > From: Marc Goodner [mailto:mgoodner@microsoft.com]
> > > Sent: Tuesday, July 11, 2006 1:59 PM
> > > To: Hal Lockhart; ws-sx@lists.oasis-open.org
> > > Subject: Issue 90: Description of Strict Formatting seems wrong for
> > > EncryptedKey
> > >
> > > Issue 90.
> > >
> > > -----Original Message-----
> > > From: Hal Lockhart [mailto:hlockhar@bea.com]
> > > Sent: Tuesday, July 11, 2006 7:59 AM
> > > To: ws-sx@lists.oasis-open.org
> > > Cc: Marc Goodner
> > > Subject: NEW Issue: Description of Strict Formatting seems wrong for
> > > EncryptedKey
> > >
> > > PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL
> > > THE ISSUE IS ASSIGNED A NUMBER.
> > > The issues coordinators will notify the list when that has occurred.
> > >
> > > Protocol: ws-sp
> > >
> > > http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/18837/ws-securitypolicy-1.2-spec-ed-01-r07.pdf
> > >
> > > Artifact: spec
> > >
> > > Type:
> > >
> > > design
> > >
> > > Title:
> > >
> > > Rules for strict format of security element seem incorrect in the case
> > > of encrypted key used with Asymmetric Key. It is my understanding that
> > > for every encryption, there will either be a ReferenceList (for
> > > Symmetric) or an EncryptedKey (for Asymmetric). However, the rules seem
> > > to require a top level ReferenceList even when an EncryptedKey is
> > > present. This causes implementation problems, especially for WSS 1.0.
> > >
> > > Description:
> > >
> > > Section 6.7.1 (lines 1528-1536) says:
> > >
> > > ----
> > > 4. If there are any encrypted elements in the message then a top
> > > level xenc:ReferenceList element MUST be present in the security header.
> > > The xenc:ReferenceList MUST occur before any xenc:EncryptedData elements
> > > in the security header that are referenced from the reference list.
> > > However, the xenc:ReferenceList is not required to appear before
> > > independently encrypted tokens such as the xenc:EncryptedKey token as
> > > defined in WSS.
> > > 5. An xenc:EncryptedKey element without an internal reference list
> > > [WSS: SOAP Message Security 1.1] MUST obey rule (1). An
> > > xenc:EncryptedKey element with an internal reference list MUST
> > > additionally obey rule (4).
> > > ----
> > >
> > > But my understanding is that you use either an EncryptedKey or a
> > > ReferenceList, but not both. If this is not a simple error, but
> > > intentional, I will provide information about implementation
> > > difficulties.
> > >
> > > Related issues:
> > >
> > > Proposed Resolution:
> > >
> > > Change #4 to say ReferenceList or Encrypted Key.
> > >
> > > Hal
> >
> >
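A layout check implementing the clause 4 wording proposed above, written as an added example (not code from the thread, the spec, or any WS-SecurityPolicy implementation). It assumes the wsse:Security header is given as an XML string, uses the standard xenc and wsse namespace URIs, and treats "encrypted elements" as xenc:EncryptedData children of the header itself; an EncryptedKey without an internal ReferenceList is left unconstrained, as the proposed text allows.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

def _referenced_ids(ref_list):
    # URIs of the DataReference children, leading '#' stripped
    return {r.get("URI", "").lstrip("#")
            for r in ref_list.iter(f"{{{XENC}}}DataReference")}

def strict_layout_violations(security_xml):
    """Check one wsse:Security header (XML string) against the proposed
    clause 4. Returns a list of violation messages; empty means it conforms."""
    children = list(ET.fromstring(security_xml))
    list_index, referenced = None, set()
    for i, child in enumerate(children):
        if child.tag == f"{{{XENC}}}ReferenceList":
            list_index, referenced = i, _referenced_ids(child)
            break
        if child.tag == f"{{{XENC}}}EncryptedKey":
            inner = child.find(f"{{{XENC}}}ReferenceList")
            if inner is not None:  # EncryptedKey carrying its own list
                list_index, referenced = i, _referenced_ids(inner)
                break
            # no internal list: an independently encrypted token, which
            # rule 4 does not constrain, so keep scanning
    enc_data = [(i, c) for i, c in enumerate(children)
                if c.tag == f"{{{XENC}}}EncryptedData"]
    if enc_data and list_index is None:
        return ["EncryptedData present but no top-level ReferenceList or "
                "EncryptedKey with an internal ReferenceList"]
    return [f"EncryptedData {c.get('Id')} precedes the list referencing it"
            for i, c in enc_data if c.get("Id") in referenced and i < list_index]

# Constructed sample headers (not taken from the thread); skeletons only,
# real messages would also carry CipherData, KeyInfo and so on.
GOOD = f'''<wsse:Security xmlns:wsse="{WSSE}" xmlns:xenc="{XENC}">
  <xenc:EncryptedKey Id="ek1"/>
  <xenc:ReferenceList><xenc:DataReference URI="#ed1"/></xenc:ReferenceList>
  <xenc:EncryptedData Id="ed1"/>
</wsse:Security>'''
BAD = f'''<wsse:Security xmlns:wsse="{WSSE}" xmlns:xenc="{XENC}">
  <xenc:EncryptedData Id="ed1"/>
  <xenc:EncryptedKey>
    <xenc:ReferenceList><xenc:DataReference URI="#ed1"/></xenc:ReferenceList>
  </xenc:EncryptedKey>
</wsse:Security>'''
```

GOOD passes because the leading EncryptedKey has no internal list and so is exempt from the ordering rule; BAD fails because the EncryptedData appears before the EncryptedKey whose ReferenceList refers to it.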

