Subject: RE: [wss] Comments on WSS-X509 draft 06-05 merged.pdf
Toshihiro - I agree with many of your observations. Please consider the attached proposal. It includes an example to illustrate the following policy: "Recipient 1 is permitted access to Element 1, Element 2 and Element 3. Recipient 2 is permitted access to Element 1 and Element 2 only." I feel certain some optimizations will be possible. But, we have to make sure that we provide proper support for policies in which different recipients are permitted access to different portions of the message.

All the best.
Tim.

-----Original Message-----
From: NISHIMURA Toshihiro [mailto:nishimura.toshi@jp.fujitsu.com]
Sent: Tuesday, July 01, 2003 3:03 AM
To: wss@lists.oasis-open.org
Subject: [wss] Comments on WSS-X509 draft 06-05 merged.pdf

Hello,

Here are comments on WSS-X509 draft 06.

0. (editorial) Do we use "WS-Security" as the abbreviation of "Web Services Security: SOAP Message Security"?

1. (editorial) Lines 215-216 in 3.2.4:

   | whose value SHALL be identical to the value of the wsu:Id
   | attribute in the wsse:BinarySecurityToken element.

   This should read: "... the value of the Id attribute in the ds:KeyInfo element", because the ds:KeyInfo element has its own Id attribute and doesn't allow anyAttribute.

2. The example in 3.1.1 uses two <wsse:Security> headers without an S:role attribute. This is not allowed in the current core spec (draft 14). And the description (in lines 285-288) also mentions two (first/second) <wsse:Security> elements with the word "SHALL".

   There are other problems in this example.
   - The wsu:Id attribute is added to the <wsse:Security> element and not to the security token.
   - The <ds:KeyInfo> element in the second <wsse:Security> element will be in the <xenc:EncryptedKey> element.

   The structure of the current example is as follows:

   --------------------------------------------------------------------------
   <S:Header>
     <wsse:Security wsu:Id="u">
       <ds:KeyInfo>                        <!-- Reference to key-agreement key -->
         <ds:X509Data>...</ds:X509Data>
       </ds:KeyInfo>
     </wsse:Security>
     <wsse:Security wsu:Id="v">
       <ds:KeyInfo>                        <!-- Reference to reference token (wsu:Id="u") -->
         <ds:KeyName>u</ds:KeyName>
       </ds:KeyInfo>
       <xenc:EncryptedKey>
         ...Symmetric-Key...
       </xenc:EncryptedKey>
     </wsse:Security>
   </S:Header>
   <S:Body>
     ...
     <xenc:EncryptedData>
       <ds:KeyInfo>                        <!-- Reference to symmetric-key token (wsu:Id="v") -->
         <ds:KeyName>v</ds:KeyName>
       </ds:KeyInfo>
       <xenc:CipherData>
         <xenc:CipherValue>...</xenc:CipherValue>
       </xenc:CipherData>
     </xenc:EncryptedData>
   </S:Body>
   --------------------------------------------------------------------------

   I think that the intention here will be as follows. Is this correct?

   --------------------------------------------------------------------------
   <S:Header>
     <wsse:Security>
       <ds:KeyInfo Id="u">                 <!-- Reference to key-agreement key -->
         <ds:X509Data>...</ds:X509Data>
       </ds:KeyInfo>
       <xenc:EncryptedKey>
         <ds:KeyInfo>                      <!-- Reference to reference token (Id="u") -->
           <ds:KeyName>u</ds:KeyName>
         </ds:KeyInfo>
         <xenc:CipherData>
           ...Symmetric-Key...
         </xenc:CipherData>
         <xenc:ReferenceList>
           <xenc:DataReference URI="#XXX" />  <!-- Reference to encrypted data (Id="XXX") -->
         </xenc:ReferenceList>
       </xenc:EncryptedKey>
     </wsse:Security>
   </S:Header>
   <S:Body>
     ...
     <xenc:EncryptedData Id="XXX">
       <xenc:CipherData>
         <xenc:CipherValue>...</xenc:CipherValue>
       </xenc:CipherData>
     </xenc:EncryptedData>
   </S:Body>
   --------------------------------------------------------------------------

---
NISHIMURA Toshihiro (FAMILY Given)
nishimura.toshi@jp.fujitsu.com
XML Application Technology Dept., PROJECT-A XML, FUJITSU LIMITED

You may leave a Technical Committee at any time by visiting http://www.oasis-open.org/apps/org/workgroup/wss/members/leave_workgroup.php
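The two header shapes in the message above differ in where the key references point: the draft 06 example resolves ds:KeyName values against wsu:Id attributes placed on <wsse:Security> headers, while the proposed shape resolves them against ds:KeyInfo/@Id and ties the EncryptedKey to its EncryptedData through an xenc:ReferenceList. The following Python is an added example, not code from the WSS TC or from either author: it builds both shapes as constructed messages and runs a reference-consistency check over them (one Security header per S:role, no wsu:Id on the header itself, every KeyName naming a ds:KeyInfo Id, every EncryptedKey carrying a ds:KeyInfo and a DataReference that resolves to an EncryptedData Id). The wsse and wsu namespace URIs are assumed draft-era placeholders; ds and xenc are the W3C XML Signature and XML Encryption namespaces.

```python
"""Consistency check for the key-reference structure discussed in the thread.

Constructed example for this page; not code from the WSS TC or the draft.
The wsse/wsu namespace URIs below are assumptions (draft-era placeholders);
ds and xenc are the W3C XML Signature / XML Encryption namespaces.
"""
import xml.etree.ElementTree as ET

NS = {
    "S": "http://www.w3.org/2003/05/soap-envelope",          # SOAP 1.2 (S:role)
    "wsse": "http://schemas.xmlsoap.org/ws/2002/12/secext",  # assumed URI
    "wsu": "http://schemas.xmlsoap.org/ws/2002/07/utility",  # assumed URI
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}


def _q(prefix, local):
    """Clark-notation name ({uri}local) for a prefixed element or attribute."""
    return "{%s}%s" % (NS[prefix], local)


def _envelope(header, body):
    """Wrap header and body fragments in a SOAP envelope declaring every prefix."""
    decls = " ".join('xmlns:%s="%s"' % (p, u) for p, u in NS.items())
    return ("<S:Envelope %s><S:Header>%s</S:Header>"
            "<S:Body>%s</S:Body></S:Envelope>" % (decls, header, body))


# Shape of the draft 06 example in 3.1.1, as read in the thread (constructed).
DRAFT06_SHAPE = _envelope(
    '<wsse:Security wsu:Id="u"><ds:KeyInfo><ds:X509Data>...</ds:X509Data>'
    '</ds:KeyInfo></wsse:Security>'
    '<wsse:Security wsu:Id="v"><ds:KeyInfo><ds:KeyName>u</ds:KeyName></ds:KeyInfo>'
    '<xenc:EncryptedKey><xenc:CipherData><xenc:CipherValue>...</xenc:CipherValue>'
    '</xenc:CipherData></xenc:EncryptedKey></wsse:Security>',
    '<xenc:EncryptedData><ds:KeyInfo><ds:KeyName>v</ds:KeyName></ds:KeyInfo>'
    '<xenc:CipherData><xenc:CipherValue>...</xenc:CipherValue></xenc:CipherData>'
    '</xenc:EncryptedData>')

# Shape proposed in the thread instead (constructed).
PROPOSED_SHAPE = _envelope(
    '<wsse:Security><ds:KeyInfo Id="u"><ds:X509Data>...</ds:X509Data></ds:KeyInfo>'
    '<xenc:EncryptedKey><ds:KeyInfo><ds:KeyName>u</ds:KeyName></ds:KeyInfo>'
    '<xenc:CipherData><xenc:CipherValue>...</xenc:CipherValue></xenc:CipherData>'
    '<xenc:ReferenceList><xenc:DataReference URI="#XXX"/></xenc:ReferenceList>'
    '</xenc:EncryptedKey></wsse:Security>',
    '<xenc:EncryptedData Id="XXX"><xenc:CipherData><xenc:CipherValue>...'
    '</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>')


def check_references(xml_text):
    """Return a list of problems; an empty list means every reference resolves."""
    root = ET.fromstring(xml_text)
    problems = []

    # 1. Several <wsse:Security> headers are only allowed with distinct S:role values.
    headers = root.findall("./S:Header/wsse:Security", NS)
    roles = [h.get(_q("S", "role")) for h in headers]
    if len(headers) > 1 and (None in roles or len(set(roles)) != len(roles)):
        problems.append("%d wsse:Security headers without distinct S:role" % len(headers))

    # 2. wsu:Id belongs on the token (or ds:KeyInfo/@Id), not on the header itself.
    for h in headers:
        hid = h.get(_q("wsu", "Id"))
        if hid is not None:
            problems.append("wsu:Id=%r on wsse:Security header, not on a token" % hid)

    # 3. Every ds:KeyName must name a ds:KeyInfo/@Id somewhere in the message.
    keyinfo_ids = {k.get("Id") for k in root.iter(_q("ds", "KeyInfo")) if k.get("Id")}
    for kn in root.iter(_q("ds", "KeyName")):
        if kn.text not in keyinfo_ids:
            problems.append("KeyName %r resolves to no ds:KeyInfo Id" % kn.text)

    # 4. Each EncryptedKey must say which key wrapped it and which data it unlocks.
    encdata_ids = {e.get("Id") for e in root.iter(_q("xenc", "EncryptedData"))}
    for ek in root.iter(_q("xenc", "EncryptedKey")):
        if ek.find("ds:KeyInfo", NS) is None:
            problems.append("EncryptedKey without a ds:KeyInfo child")
        refs = list(ek.iter(_q("xenc", "DataReference")))
        if not refs:
            problems.append("EncryptedKey lists no DataReference")
        for dr in refs:
            uri = dr.get("URI", "")
            if not uri.startswith("#") or uri[1:] not in encdata_ids:
                problems.append("DataReference %r matches no EncryptedData Id" % uri)
    return problems


if __name__ == "__main__":
    for name, msg in (("draft 06", DRAFT06_SHAPE), ("proposed", PROPOSED_SHAPE)):
        print(name, check_references(msg) or "ok")
```

Run stand-alone, the draft 06 shape produces findings for the duplicate role-less headers, the wsu:Id attributes on the headers, the two unresolvable KeyName values, and the EncryptedKey that names neither its wrapping key nor the data it protects; the proposed shape produces none. The same check is the kind of thing a receiver's reference-resolution step should do before decrypting, since a dangling KeyName or DataReference means the message cannot be processed as a whole.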