

Subject: Re: [wss] Issue 196 QNames: Proposal to use URIs for Type identifiers


Generally speaking, QName is context-dependent, thus it is rather fragile and in some situations may allow complex namespace-rewriting attacks, although I think these attacks are relatively remote (and overplayed), because virtually all the use cases that we have today use "wsse" as the fixed prefix all around.
The downside of URI is that it is a little too bulky -- "http://www.oasis-open.org/wsseuri#X509v3" vs "wsse:X509v3".

Because of the potential namespace-rewriting attack and the complication of canonicalization, the use of QName requires some precautions as exemplified in lines 560-577 of the current spec (dated 8/27) which seems to be more than adequate.

Anthony Nadalin | work 512.436.9568 | cell 512.289.4122




From: "David Orchard" <dorchard@bea.com>
Date: 12/15/2003 10:07 AM
To: <wss@lists.oasis-open.org>
cc:
Subject: [wss] Issue 196 QNames: Proposal to use URIs for Type identifiers


This proposes to use URIs instead of QNames for valuetype and encoding type
identifiers.  Rather than provide a mapping to URIs, potentially at a later
date, the use of URIs should result in cleaner and more secure environments.

The first part of this proposal is that valueTypeEnum should be of type URI.
The WSSE specification defines 5 values for this URI, replacing the current
QNames.  The URI for identifying these types could be constructed in a
variety of ways.

The following shows identifiers using the fragment identifier syntax.  For
the valueTypeEnums, this looks like (pending the actual URI assigned for the
wsse namespace):
http://www.oasis-open.org/wsseuri#X509v3
http://www.oasis-open.org/wsseuri#Kerberosv5TGT
http://www.oasis-open.org/wsseuri#5ST
http://www.oasis-open.org/wsseuri#PKCS7
http://www.oasis-open.org/wsseuri#PKIPath

And for encoding types this is:
http://www.oasis-open.org/wsseuri#Base64Binary
http://www.oasis-open.org/wsseuri#HexBinary

This might also require a simple change to the schema to add these IDs to
the schema.

This could easily be a "/" separator instead of "#" as well.  The # would
definitely be a good way to go if there was a wsse media type.  But there
isn't, so "/" could also be acceptable.

Cheers,
Dave


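As an added illustration (not code from either message or from the WSS TC), the following Python resolves a QName-valued ValueType against the namespace declarations actually in scope at the token element, contrasts that with the URI form proposed above, and shows the receiver-side check each form needs. The wsse and SOAP namespace URIs are constructed stand-ins, since the real wsse URI was still pending; the X509v3 URI is the one from the proposal.

```python
import io
import xml.etree.ElementTree as ET

# Constructed stand-in for the wsse namespace: the real URI was still
# "pending" when the proposal was written.
WSSE_NS = "urn:example:wsse"
# The URI-form identifier exactly as written in the proposal.
X509_URI = "http://www.oasis-open.org/wsseuri#X509v3"

def value_types(xml_text):
    """Return (lexical, expanded) for the ValueType of each BinarySecurityToken.
    A QName value is resolved against the namespace declarations in scope at
    that element, giving expanded = (namespace_uri, local_part); a URI value
    is self-describing, so expanded is None."""
    scope, results = [], []              # scope: stack of (prefix, uri)
    events = ("start-ns", "end-ns", "start")
    for event, payload in ET.iterparse(io.StringIO(xml_text), events=events):
        if event == "start-ns":
            scope.append(payload)
        elif event == "end-ns":
            scope.pop()
        elif payload.tag.rsplit("}", 1)[-1] == "BinarySecurityToken":
            lexical = payload.get("ValueType", "")
            if "://" in lexical:             # URI form needs no context
                results.append((lexical, None))
                continue
            prefix, _, local = lexical.rpartition(":")
            # Innermost binding wins: this is the context dependence.
            uri = next((u for p, u in reversed(scope) if p == prefix), None)
            results.append((lexical, (uri, local)))
    return results

def accepts_x509(xml_text):
    """Receiver-side check: the token type must actually mean X509v3."""
    lexical, expanded = value_types(xml_text)[0]
    if expanded is None:
        return lexical == X509_URI              # URI: plain string equality
    return expanded == (WSSE_NS, "X509v3")      # QName: compare expanded name

# Constructed samples. REBOUND keeps the lexical value "wsse:X509v3" but
# redeclares the prefix on the token element (the rewrite the reply warns
# about); the URI form is unaffected by the same redeclaration.
HONEST = (f'<S:Envelope xmlns:S="urn:example:soap" xmlns:wsse="{WSSE_NS}">'
          '<S:Header><wsse:Security><wsse:BinarySecurityToken ValueType="wsse:X509v3" '
          'EncodingType="wsse:Base64Binary">dGVzdA==</wsse:BinarySecurityToken>'
          '</wsse:Security></S:Header></S:Envelope>')
REBIND = '<wsse:BinarySecurityToken xmlns:wsse="urn:example:other" '
REBOUND = HONEST.replace('<wsse:BinarySecurityToken ', REBIND)
URI_FORM = HONEST.replace('ValueType="wsse:X509v3"', f'ValueType="{X509_URI}"')
URI_REBOUND = URI_FORM.replace('<wsse:BinarySecurityToken ', REBIND)
```

A receiver that compares only the lexical string "wsse:X509v3" accepts REBOUND; one that compares the expanded name rejects it, and the URI form removes the dependence on prefix declarations entirely.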



