wss-comment message



Subject: xenc:ReferenceList SwA comment


Hi,

(1)
The WSS:SOAP Message Security Spec [1], section 9.1 (line 1141-1143)
says that-

"All the <xenc:EncryptedData> elements created by this encryption step
SHOULD be listed in <xenc:DataReference> elements inside one or more
<xenc:ReferenceList> element."

So this means that DataReference elements should be added to
ReferenceList in case of element or element content encryption.  In
cases where a user wants to encrypt a username token then EncryptedData
would be placed in the SecurityHeader Block and a DataReference added to
the ReferenceList.

The latest SwA draft 17 [2], line 504-508 says-

"When an attachment is encrypted, an <xenc:ReferenceList> element SHOULD
NOT be placed as a direct child of the <wsse:Security> header, since the
<xenc:EncryptedData> element is present in the header, eliminating the
need for this reference."

(2)
In the case of shared symmetric keys,
The SOAP Message Security spec [1] (line 1150-1152) says that -

"A typical situation where the <xenc:ReferenceList> sub-element is
useful is that the producer and the recipient use a shared secret key."

The standalone ReferenceList is useful when using a Shared Symmetric Key
and the recommendation is that DataReferences be added to such a
ReferenceList even though the corresponding EncryptedData elements are
in the SecurityHeader.

Proposal -
The semantics for generating ReferenceList does not seem uniform. The
proposal is to allow addition of DataReferences to ReferenceList in
case of attachments.

[1]
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf
[2]
http://www.oasis-open.org/apps/org/workgroup/wss/download.php/11918/wss-swa-profile-1.0-draft-17.pdf

Thanks,
Manveen
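The consistency rule the comment above argues for (every <xenc:EncryptedData> in the <wsse:Security> header listed by a <xenc:DataReference> inside a <xenc:ReferenceList>) can be checked mechanically on the receiving side. The example below is added here and is not part of the original message or the WSS specs; the sample header, its Id values and the cid: URI are constructed placeholders, and it reports both EncryptedData elements that no DataReference covers (the attachment case that draft 17 leaves out) and DataReferences that point at nothing.

```python
import xml.etree.ElementTree as ET

# Real namespace URIs from WSS 1.0 and XML Encryption.
XENC = "http://www.w3.org/2001/04/xmlenc#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed sample header: an encrypted UsernameToken that IS listed in the
# ReferenceList, and an encrypted attachment (cipher text carried outside the
# envelope, referenced by a placeholder cid: URI) that is NOT listed.
SAMPLE_HEADER = f"""
<wsse:Security xmlns:wsse="{WSSE}" xmlns:xenc="{XENC}" xmlns:wsu="{WSU}">
  <xenc:EncryptedData Id="ED-token">
    <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
  <xenc:EncryptedData Id="ED-attachment">
    <xenc:CipherData>
      <xenc:CipherReference URI="cid:attachment-1@example.invalid"/>
    </xenc:CipherData>
  </xenc:EncryptedData>
  <xenc:ReferenceList>
    <xenc:DataReference URI="#ED-token"/>
  </xenc:ReferenceList>
</wsse:Security>
"""


def encrypted_data_ids(root):
    """Id attributes of every xenc:EncryptedData under the Security header."""
    return [e.get("Id") for e in root.iter(f"{{{XENC}}}EncryptedData") if e.get("Id")]


def data_reference_targets(root):
    """Fragment targets of every xenc:DataReference inside any xenc:ReferenceList."""
    targets = []
    for ref_list in root.iter(f"{{{XENC}}}ReferenceList"):
        for ref in ref_list.findall(f"{{{XENC}}}DataReference"):
            uri = ref.get("URI", "")
            if uri.startswith("#"):  # same-document reference, as in the spec text
                targets.append(uri[1:])
    return targets


def check_reference_list(xml_text):
    """Return EncryptedData Ids not covered by a DataReference, and dangling targets."""
    root = ET.fromstring(xml_text.strip())
    ids = encrypted_data_ids(root)
    targets = data_reference_targets(root)
    return {
        "unreferenced": sorted(i for i in ids if i not in targets),
        "dangling": sorted(t for t in targets if t not in ids),
    }
```

Running `check_reference_list(SAMPLE_HEADER)` flags `ED-attachment` as unreferenced, which is exactly the gap the proposal would close.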
