Subject: SOAP MustUnderstand issue
It appears that the decision of whether mustUnderstand is true or false on a wsse:Security header block is up to the application - the SOAP Message Security specification indicates that mustUnderstand usage is optional. Is this an interoperability concern?

Does this mean that, to obtain the result that only what is used is implemented (e.g. DSAwithSHA1 vs RSAwithSHA1), the application should set this mustUnderstand wsse:Security header block attribute to false?

It seems that the relationship of interoperability and adequate/appropriate security processing is of concern here. If mustUnderstand is false, does that mean security is lost? I'd say no, since it is the relying party's obligation regardless to make sure policy is met - i.e. it shouldn't be driven by mustUnderstand.

Is our discussion to determine what it means if an application sets mustUnderstand to true?

Since an application can set it to false, is it harmful to take the stricter meaning that all is understood (deferring the discussion of whether that means implemented)? Is that the consensus?

regards, Frederick
Frederick Hirsch
Nokia Mobile Phones
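
Added example, not part of the original message or of any WSS implementation: a receiver-side check in which the signature-algorithm policy is enforced whatever the sender put in mustUnderstand, with the flag only changing how the failure is reported. The policy set, the `decide` and `make_envelope` helpers, the decision strings and the sample envelopes are assumptions made for illustration, and a flagged block with an unsupported algorithm is treated under the stricter "all is understood" reading.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"s": SOAP, "wsse": WSSE, "ds": DS}

# Assumption: this receiver implements and accepts only RSAwithSHA1,
# and its policy requires every message to carry a signature.
ACCEPTED_SIG_ALGS = {DS + "rsa-sha1"}


def make_envelope(must_understand, sig_alg):
    """Build a constructed sample message (signature value left out)."""
    mu = "" if must_understand is None else f' s:mustUnderstand="{must_understand}"'
    sec = ""
    if sig_alg is not None:
        sec = (f'<wsse:Security{mu}><ds:Signature><ds:SignedInfo>'
               f'<ds:SignatureMethod Algorithm="{sig_alg}"/>'
               f'</ds:SignedInfo></ds:Signature></wsse:Security>')
    return (f'<s:Envelope xmlns:s="{SOAP}" xmlns:wsse="{WSSE}" xmlns:ds="{DS}">'
            f'<s:Header>{sec}</s:Header><s:Body/></s:Envelope>')


def decide(envelope_xml):
    """Return 'proceed', 'fault:MustUnderstand' or 'reject:policy'."""
    root = ET.fromstring(envelope_xml)
    sec = root.find("s:Header/wsse:Security", NS)
    if sec is None:
        return "reject:policy"  # no block to flag, policy is still unmet
    flagged = sec.get(f"{{{SOAP}}}mustUnderstand", "0") in ("1", "true")
    algs = {m.get("Algorithm") for m in sec.iterfind(".//ds:SignatureMethod", NS)}
    unsupported = algs - ACCEPTED_SIG_ALGS
    if unsupported and flagged:
        # Stricter reading: a flagged block must be understood in full.
        return "fault:MustUnderstand"
    if unsupported or not algs:
        # SOAP alone would allow ignoring the block; receiver policy does not.
        return "reject:policy"
    return "proceed"  # go on to verify the signature itself (not shown)
```
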