Subject: RE: [wss] Comments on WSS-X509 draft 06-05 merged.pdf


Toshihiro - I agree with many of your observations.

Please consider the attached proposal.  It includes an example to illustrate
the following policy:

"Recipient 1 is permitted access to Element 1, Element 2 and Element 3.
Recipient 2 is permitted access to Element 1 and Element 2 only."

I feel certain some optimizations will be possible.  But, we have to make
sure that we provide proper support for policies in which different
recipients are permitted access to different portions of the message.

All the best.  Tim.

-----Original Message-----
From: NISHIMURA Toshihiro [mailto:nishimura.toshi@jp.fujitsu.com]
Sent: Tuesday, July 01, 2003 3:03 AM
To: wss@lists.oasis-open.org
Subject: [wss] Comments on WSS-X509 draft 06-05 merged.pdf


Hello,

Here are comments on WSS-X509 draft 06.


0. (editorial)
Do we use "WS-Security" as the abbreviation of "Web Services Security:
SOAP Message Security"?

1. (editorial)
Lines 215-216 in 3.2.4:
| whose value SHALL be identical to the value of the wsu:Id
| attribute in the wsse:BinarySecurityToken element.

This should read:
  ... the value of the Id attribute in the ds:KeyInfo element

because the ds:KeyInfo element has its own Id attribute and doesn't allow
anyAttribute.


2.
The example in 3.1.1 uses two <wsse:Security> headers without an S:role
attribute. This is not allowed in the current core spec (draft 14).
And the description (in lines 285-288) also mentions two
(first/second) <wsse:Security> elements with the word "SHALL".

There are other problems in this example.
- The wsu:Id attribute is added to the <wsse:Security> element and not to
  the security token.
- The <ds:KeyInfo> element in the second <wsse:Security> element will be
  in the <xenc:EncryptedKey> element.

The structure of the current example is as follows:
--------------------------------------------------------------------------
<S:Header>                           +--> Reference to key-agreement key
  <wsse:Security wsu:Id="u">         |
    <ds:KeyInfo>         ------------+
      <ds:X509Data>...</ds:X509Data>   <--+
    </ds:KeyInfo>                         |
  </wsse:Security>                        |
                                          | Reference to reference token (wsu:Id="u")
  <wsse:Security wsu:Id="v">              |
    <ds:KeyInfo>--------------------------+
      <ds:KeyName>u</ds:KeyName>
    </ds:KeyInfo>

    <xenc:EncryptedKey>
      ...Symmetric-Key...      <-----+
    </xenc:EncryptedKey>             |
  </wsse:Security>                   |
</S:Header>                          | Reference to symmetric-key token (wsu:Id="v")
                                     |
<S:Body>                             |
  ...                                |
  <xenc:EncryptedData>               |
    <ds:KeyInfo>---------------------+
      <ds:KeyName>v</ds:KeyName>
    </ds:KeyInfo>
    <xenc:CipherData>
      <xenc:CipherValue>...</xenc:CipherValue>
    </xenc:CipherData>
  </xenc:EncryptedData>
</S:Body>
--------------------------------------------------------------------------

I think that the intention here will be as follows. Is this correct?
--------------------------------------------------------------------------
<S:Header>                           +--> Reference to key-agreement key
  <wsse:Security>                    |
    <ds:KeyInfo Id="u">  ------------+
      <ds:X509Data>...</ds:X509Data>   <--+
    </ds:KeyInfo>                         |
                                          |
    <xenc:EncryptedKey>                   | Reference to reference token (Id="u")
      <ds:KeyInfo>                        |
        <ds:KeyName>u</ds:KeyName>  ------+
      </ds:KeyInfo>
      <xenc:CipherData>
        ...Symmetric-Key...
      </xenc:CipherData>
      <xenc:ReferenceList>
        <xenc:DataReference URI="#XXX" /> --+
      </xenc:ReferenceList>                 |
    </xenc:EncryptedKey>                    |
  </wsse:Security>                          |
</S:Header>                                 | Reference to encrypted data (Id="XXX")
                                            |
<S:Body>                                    |
  ...                                       |
  <xenc:EncryptedData Id="XXX">     <-------+
    <xenc:CipherData>
      <xenc:CipherValue>...</xenc:CipherValue>
    </xenc:CipherData>
  </xenc:EncryptedData>
</S:Body>
--------------------------------------------------------------------------
---
NISHIMURA Toshihiro (FAMILY Given)
nishimura.toshi@jp.fujitsu.com
XML Application Technology Dept., PROJECT-A XML, FUJITSU LIMITED
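As an added, constructed example (it is not part of this thread and is not Tim's attached proposal), the following Python script checks the reference structure discussed above: that each ds:KeyName inside an xenc:EncryptedKey resolves to the Id of a ds:KeyInfo rather than to a wsu:Id on wsse:Security, that every xenc:DataReference URI resolves to an xenc:EncryptedData Id, and that multiple wsse:Security headers carry distinct S:role values. It then applies the corrected structure to Tim's two-recipient policy by wrapping one xenc:EncryptedKey per recipient, each with its own xenc:ReferenceList, so that the check reports which recipient key unlocks which encrypted element. The namespace URIs (WSS 1.0 final rather than the 2003 draft URIs), the Ids r1, r2, e1..e3 and both message bodies are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Namespace URIs are an assumption: WSS 1.0 final URIs are used here; the
# 2003 draft discussed in the thread used different (draft) URIs.
NS = {
    "S": "http://www.w3.org/2003/05/soap-envelope",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}


def q(prefix, local):
    """Clark-notation tag name ({uri}local) as ElementTree expects it."""
    return "{%s}%s" % (NS[prefix], local)


def check_message(xml_text):
    """Validate the key-reference structure of a SOAP message.

    Returns (errors, access): errors is a list of problems found; access maps
    the KeyName of each xenc:EncryptedKey (the recipient key it is wrapped for)
    to the set of xenc:EncryptedData Ids that wrapped key unlocks.
    """
    root = ET.fromstring(xml_text)
    errors = []
    header = root.find("S:Header", NS)
    sec_headers = header.findall("wsse:Security", NS) if header is not None else []

    # Core-spec rule cited in the thread: several wsse:Security headers are
    # only allowed when each carries a distinct S:role.
    roles = [h.get(q("S", "role")) for h in sec_headers]
    if len(sec_headers) > 1 and (None in roles or len(set(roles)) != len(roles)):
        errors.append("multiple wsse:Security headers without distinct S:role")

    # A wsu:Id on wsse:Security itself is not something a KeyName may point at;
    # the Id belongs on the token / ds:KeyInfo.
    for h in sec_headers:
        if h.get(q("wsu", "Id")) is not None:
            errors.append("wsu:Id on wsse:Security is not a key reference target")

    # ds:KeyInfo has its own unprefixed Id attribute (no wsu:Id allowed there).
    keyinfo_ids = {k.get("Id") for k in root.iter(q("ds", "KeyInfo")) if k.get("Id")}
    encdata_ids = {e.get("Id") for e in root.iter(q("xenc", "EncryptedData")) if e.get("Id")}

    access = {}
    for ek in root.iter(q("xenc", "EncryptedKey")):
        kn = ek.find("ds:KeyInfo/ds:KeyName", NS)
        if kn is None or kn.text not in keyinfo_ids:
            errors.append("EncryptedKey KeyName %r does not resolve to a ds:KeyInfo Id"
                          % (None if kn is None else kn.text))
            continue
        targets = set()
        for dr in ek.findall("xenc:ReferenceList/xenc:DataReference", NS):
            uri = dr.get("URI", "")
            if uri.startswith("#") and uri[1:] in encdata_ids:
                targets.add(uri[1:])
            else:
                errors.append("DataReference %r does not resolve to an EncryptedData Id" % uri)
        access[kn.text] = targets
    return errors, access


_ENV = ('xmlns:S="%(S)s" xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s" '
        'xmlns:ds="%(ds)s" xmlns:xenc="%(xenc)s"') % NS


def _enc_key(keyname, targets):
    """One xenc:EncryptedKey wrapped for `keyname`, listing the data it unlocks."""
    refs = "".join('<xenc:DataReference URI="#%s"/>' % t for t in targets)
    return ("<xenc:EncryptedKey><ds:KeyInfo><ds:KeyName>%s</ds:KeyName></ds:KeyInfo>"
            "<xenc:CipherData><xenc:CipherValue>...</xenc:CipherValue></xenc:CipherData>"
            "<xenc:ReferenceList>%s</xenc:ReferenceList></xenc:EncryptedKey>" % (keyname, refs))


def _enc_data(eid):
    return ('<xenc:EncryptedData Id="%s"><xenc:CipherData><xenc:CipherValue>...'
            '</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>' % eid)


# Constructed message in the corrected structure, applied to the policy
# "Recipient 1 may read e1, e2, e3; Recipient 2 may read e1 and e2 only".
GOOD_MSG = ("<S:Envelope %s><S:Header><wsse:Security>%s%s%s%s</wsse:Security></S:Header>"
            "<S:Body>%s%s%s</S:Body></S:Envelope>") % (
    _ENV,
    '<ds:KeyInfo Id="r1"><ds:X509Data>...</ds:X509Data></ds:KeyInfo>',
    '<ds:KeyInfo Id="r2"><ds:X509Data>...</ds:X509Data></ds:KeyInfo>',
    _enc_key("r1", ["e1", "e2", "e3"]),
    _enc_key("r2", ["e1", "e2"]),
    _enc_data("e1"), _enc_data("e2"), _enc_data("e3"))

# Constructed message mirroring the draft's original (problematic) example.
BROKEN_MSG = ('<S:Envelope %s><S:Header>'
              '<wsse:Security wsu:Id="u"><ds:KeyInfo><ds:X509Data>...</ds:X509Data></ds:KeyInfo></wsse:Security>'
              '<wsse:Security wsu:Id="v"><ds:KeyInfo><ds:KeyName>u</ds:KeyName></ds:KeyInfo>'
              '<xenc:EncryptedKey><xenc:CipherData><xenc:CipherValue>...</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey>'
              '</wsse:Security></S:Header><S:Body>'
              '<xenc:EncryptedData><ds:KeyInfo><ds:KeyName>v</ds:KeyName></ds:KeyInfo>'
              '<xenc:CipherData><xenc:CipherValue>...</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>'
              '</S:Body></S:Envelope>') % _ENV

if __name__ == "__main__":
    for name, msg in (("corrected", GOOD_MSG), ("original", BROKEN_MSG)):
        errs, access = check_message(msg)
        print(name, "errors:", errs)
        print(name, "access:", {k: sorted(v) for k, v in access.items()})
```

The access map is the point of Tim's policy: a receiver that is only Recipient 2 can unwrap the second EncryptedKey and follow its ReferenceList to e1 and e2, while e3 is reachable only through the key wrapped for Recipient 1; each ReferenceList is where that per-recipient scope is expressed.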




Encryption proposal.pdf
