Subject: Issue 90: Summary of rationale for closing issue
The rationale I stated on today's call for closing issue 90 [1] related to strict security policy [2] is as follows:

With WSS 1.1 it makes sense to require the ReferenceList outside the EncryptedKey for the case where that EncryptedKey token is not in the message. This would not preclude having the ReferenceList within the EncryptedKey when the EncryptedKey is in the message, but it is more consistent to have a single requirement. Even if WSS 1.1 does not require this, the strict policy can.

I then looked at the possibility of changing the strict policy rule for WSS 1.0 to be consistent with the 1.1 rule. The thought was to change the Strict WSS 1.0 policy rule to require a top level ReferenceList associated with the EncryptedKey. This could be possible even though there is a SHOULD in WSS 1.0 for having the ReferenceList within the EncryptedKey [3], however this would be confusing due to the WSS 1.0 SHOULD and the fact that WSS interop was based on honoring that SHOULD.

Thus, I suggest no change and thank Gudge for his comments.

regards, Frederick

Frederick Hirsch
Nokia

[1] <http://docs.oasis-open.org/ws-sx/issues/Issues.xml#i090>
[2] <http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/20579/ws-securitypolicy-1.2-spec-ed-01-r10.doc> section 6.7
[3] <http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf> line 1178
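
The two ReferenceList placements discussed in the message above, as an added example that is not part of the original message or of any OASIS specification text: it reports whether each xenc:ReferenceList in a wsse:Security header is a direct child of the header or is nested in an xenc:EncryptedKey. The sample headers are constructed and trimmed (no CipherData or KeyInfo), and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Namespace URIs of WSS SOAP Message Security (wsse) and XML Encryption (xenc).
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
XENC = "http://www.w3.org/2001/04/xmlenc#"

def q(ns, name):
    """Build an ElementTree qualified tag name."""
    return f"{{{ns}}}{name}"

def _uris(ref_list):
    return [d.get("URI") for d in ref_list.findall(q(XENC, "DataReference"))]

def reference_list_placement(security_xml):
    """Return (top_level, nested) lists of DataReference URIs.

    top_level: ReferenceList is a direct child of wsse:Security.
    nested:    ReferenceList is a child of an xenc:EncryptedKey in the header.
    """
    sec = ET.fromstring(security_xml)
    if sec.tag != q(WSSE, "Security"):
        raise ValueError("root element is not wsse:Security")
    # findall() with a bare tag matches direct children only.
    top = [u for rl in sec.findall(q(XENC, "ReferenceList")) for u in _uris(rl)]
    nested = [u for ek in sec.findall(q(XENC, "EncryptedKey"))
              for rl in ek.findall(q(XENC, "ReferenceList")) for u in _uris(rl)]
    return top, nested

def classify(security_xml):
    """Name the layout: 'top-level', 'nested', 'mixed' or 'none'."""
    top, nested = reference_list_placement(security_xml)
    if top and nested:
        return "mixed"
    return "top-level" if top else "nested" if nested else "none"

NS = f'xmlns:wsse="{WSSE}" xmlns:xenc="{XENC}"'
REF = '<xenc:ReferenceList><xenc:DataReference URI="#body"/></xenc:ReferenceList>'
# Constructed: EncryptedKey is in the message and carries the ReferenceList.
NESTED_HEADER = (f'<wsse:Security {NS}><xenc:EncryptedKey Id="EK1">{REF}'
                 '</xenc:EncryptedKey></wsse:Security>')
# Constructed: EncryptedKey is not in the message; ReferenceList is top level.
TOP_LEVEL_HEADER = f"<wsse:Security {NS}>{REF}</wsse:Security>"

if __name__ == "__main__":
    for name, hdr in (("nested", NESTED_HEADER), ("top-level", TOP_LEVEL_HEADER)):
        print(name, "->", classify(hdr), reference_list_placement(hdr))
```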