

Subject: RE: [wss] SOAP with Attachments Proposal


dims

The "out of band" simply meant that key information could be conveyed out of band for the receiver to know how to decrypt, e.g. the <xenc:EncryptedData> element contains no <ds:KeyInfo> element or no security token related to the key is conveyed.

The general processing rules for decrypting are in the SOAP Message Security standard, with the statement that if a key is conveyed with a security token, then the <ds:KeyInfo> element should use a <wsse:SecurityTokenReference> to the token.

I'm not sure we need to spell this out in this SwA profile, but could.

Am I missing more aspects of your comment? (Are you also asking can a certificate be conveyed in an attachment?)

regards, Frederick

Frederick Hirsch
Nokia



> -----Original Message-----
> From: ext Srinivas, Davanum M [mailto:Davanum.Srinivas@ca.com]
> Sent: Friday, June 04, 2004 2:56 PM
> To: Jerry Schwarz; Hirsch Frederick (Nokia-TP/Boston);
> wss@lists.oasis-open.org
> Cc: mikemci@us.ibm.com
> Subject: RE: [wss] SOAP with Attachments Proposal
> 
> 
> Jerry,
> 
> What originally prompted my question was in lines 220/221 of SwA profile
> there is a mention of "possibly other out of band information, according
> to the XML Encryption Standard" and I started searching the profile for
> how to specify which key was used to sign/encrypt the attachment. So my
> guess is that even the "Processing Rules" section needs to be updated to
> reflect this possible interplay with elements in X509 profile.
> 
> Thanks,
> dims
> 
> -----Original Message-----
> From: Jerry Schwarz [mailto:jerry.schwarz@oracle.com] 
> Sent: Friday, June 04, 2004 2:52 PM
> To: Srinivas, Davanum M; Frederick.Hirsch@nokia.com;
> wss@lists.oasis-open.org
> Cc: mikemci@us.ibm.com
> Subject: RE: [wss] SOAP with Attachments Proposal
> 
> 
> The simple answer is yes.
> 
> But your question does bring up a structural issue.
> 
> The intention is that this profile says how you use various elements to
> refer to attachments. It is not intended to constrain how other elements
> are used to specify keys, algorithms etc. There probably needs to be
> some introductory material to make that clear. As far as I can tell the
> X509 Token Profile does not say anything about the elements that are
> being specified in the SwA profile, but I may have overlooked something.
> 
> 
> At 10:55 AM 6/4/2004, Srinivas, Davanum M wrote:
> >Frederick,
> >
> >(Dumb?) Question: Can we still use wsse:BinarySecurityToken and
> >wsse:KeyIdentifier (sections 3.3.1 and 3.3.2 in X509 Token Profile)
> >with ds:KeyInfo/wsse:SecurityTokenReference to point to the certs? For
> >example to be able to have one wsse:BinarySecurityToken that's used to
> >sign/encrypt parts of the soap message and some of the attachments.
> >
> >Thanks,
> >dims
> >
> >-----Original Message-----
> >From: Frederick.Hirsch@nokia.com [mailto:Frederick.Hirsch@nokia.com]
> >Sent: Friday, May 28, 2004 2:01 PM
> >To: wss@lists.oasis-open.org
> >Cc: mikemci@us.ibm.com; jerry.schwarz@oracle.com; 
> >Frederick.Hirsch@nokia.com
> >Subject: [wss] SOAP with Attachments Proposal
> >
> >Enclosed is a draft profile for securing SOAP with Attachments (SwA) 
> >using WSS SOAP Message Security.
> >
> >I am sending this to close the action item recorded on the 5/18/04 call
> >to submit a proposal, related to issues 285, 268, and 129, taken by
> >Mike McIntosh, Jerry Schwarz and myself.
> >
> >We intend this as a starting point for members of the WSS TC to discuss
> >and improve.
> >
> >Thanks
> >
> >regards, Frederick
> >
> >Frederick Hirsch
> >Nokia
> >
> >  <<wss-swa-profile-1.0-draft-03.pdf>>
> >
> >
> >To unsubscribe from this mailing list (and be removed from the roster
> >of the OASIS TC), go to
> >http://www.oasis-open.org/apps/org/workgroup/wss/members/leave_workgroup.php.
> 
> 
> 
> 
> 
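
The distinction discussed in this thread, as an added example that is not part of the original messages or of the SwA profile: the function below reports, for each xenc:EncryptedData, whether its key is named through ds:KeyInfo/wsse:SecurityTokenReference (resolving to a wsse:BinarySecurityToken in the same header, or via wsse:KeyIdentifier) or left to out-of-band agreement because no ds:KeyInfo is present. The sample header, its ids and the status labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
STR = "ds:KeyInfo/wsse:SecurityTokenReference/"

# Constructed sample header: the ids and token bytes are made up.
SAMPLE = """<wsse:Security %s>
 <wsse:BinarySecurityToken wsu:Id="X509Token">Q09OU1RSVUNURUQ=</wsse:BinarySecurityToken>
 <xenc:EncryptedData Id="body"><ds:KeyInfo><wsse:SecurityTokenReference>
   <wsse:Reference URI="#X509Token"/>
 </wsse:SecurityTokenReference></ds:KeyInfo></xenc:EncryptedData>
 <xenc:EncryptedData Id="att1"><ds:KeyInfo><wsse:SecurityTokenReference>
   <wsse:Reference URI="#X509Token"/>
 </wsse:SecurityTokenReference></ds:KeyInfo></xenc:EncryptedData>
 <xenc:EncryptedData Id="att2"/>
 <xenc:EncryptedData Id="att3"><ds:KeyInfo><wsse:SecurityTokenReference>
   <wsse:Reference URI="#Missing"/>
 </wsse:SecurityTokenReference></ds:KeyInfo></xenc:EncryptedData>
</wsse:Security>""" % " ".join('xmlns:%s="%s"' % kv for kv in NS.items())


def key_sources(security_xml):
    """Map each xenc:EncryptedData Id to the way its key is identified."""
    root = ET.fromstring(security_xml)
    wsu_id = "{%s}Id" % NS["wsu"]
    tokens = {t.get(wsu_id) for t in root.iterfind(".//wsse:BinarySecurityToken", NS)}
    out = {}
    for enc in root.iterfind(".//xenc:EncryptedData", NS):
        ref = enc.find(STR + "wsse:Reference", NS)
        if enc.find("ds:KeyInfo", NS) is None:
            how = "out-of-band"            # receiver must already know the key
        elif ref is not None and ref.get("URI", "")[1:] in tokens:
            how = "token:" + ref.get("URI")[1:]   # one token may serve many parts
        elif ref is not None:
            how = "unresolved:" + ref.get("URI", "")   # dangling reference
        elif enc.find(STR + "wsse:KeyIdentifier", NS) is not None:
            how = "key-identifier"         # resolved against the receiver's certs
        else:
            how = "other-keyinfo"
        out[enc.get("Id")] = how
    return out
```

Here "body" and "att1" both resolve to the single X509Token, "att2" is the out-of-band case, and "att3" carries a reference that a receiver cannot resolve within the header.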

