Subject: SwA profile
Before producing a revised draft of the SwA profile, I would appreciate insight on the following two issues from those concerned with SwA security support.

A. Attachment-Complete transform.

We can simplify the profile by removing this. The threat of attachment modification or deletion can be addressed by referencing each attachment in a single <ds:Signature> if desired. The only reason to keep this is to make explicit a processing rule that all attachments are covered by the signature, addressing attachment insertion threat. I believe such an explicit statement is appropriate, so propose keeping this transform, but maybe there is a better approach.

B. Support for Content-Location

The current draft only supports URL CID-scheme references to attachments containing Content-Id headers. It is also possible to support Content-Location references that require a URL resolution mechanism to relate a URL to a Content-Location header in an attachment. I think that only CID need be supported since any sender can add a Content-Id header to attachments as needed. This can make the spec simpler, and receiver processing simpler, eliminating the URL resolution requirement. Is there an argument to support Content-Location?

Note that the attachment decrypt transform material is to be removed (see previous email).

If there is material missing to address your specific SOAP message level SwA security requirements, please indicate so.

Thank you

regards, Frederick

Frederick Hirsch
Nokia
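The receiver-side rule discussed in issue A (every attachment is referenced from a single `<ds:Signature>` by a `cid:` URL), shown as an added example that is not part of the original message or of the SwA profile draft. The function name, the sample message and its Content-Id values are constructed for illustration; the check covers reference coverage only and does not validate digests or the signature value.

```python
import email
import xml.etree.ElementTree as ET
from urllib.parse import unquote

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# Constructed, simplified SwA message: att2 is never referenced by the signature.
SAMPLE = b"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"; type="text/xml"; start="<root@example.test>"

--b1
Content-Type: text/xml
Content-ID: <root@example.test>

<Envelope xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Signature><ds:SignedInfo>
<ds:Reference URI="cid:att1@example.test"/>
</ds:SignedInfo></ds:Signature></Envelope>
--b1
Content-Type: image/png
Content-ID: <att1@example.test>

constructed-bytes-1
--b1
Content-Type: application/octet-stream
Content-ID: <att2@example.test>

constructed-bytes-2
--b1--
"""

def attachment_coverage(raw: bytes):
    """Per <ds:Signature>: (attachments it does not reference, cid refs with no part)."""
    msg = email.message_from_bytes(raw)
    parts = msg.get_payload()
    start = msg.get_param("start")  # root part is named by 'start', else it is the first part
    root = next((p for p in parts if start and p["Content-ID"] == start), parts[0])
    attachments = set()
    for i, part in enumerate(parts):
        cid = part["Content-ID"]
        if part is not root:  # without a Content-Id no cid: reference can cover the part
            attachments.add(cid.strip().strip("<>") if cid else f"part[{i}] (no Content-Id)")
    envelope = ET.fromstring(root.get_payload(decode=True))
    report = []
    for sig in envelope.iter(DS + "Signature"):
        refs = {unquote(r.get("URI")[4:]) for r in sig.iter(DS + "Reference")
                if r.get("URI", "").lower().startswith("cid:")}
        report.append((sorted(attachments - refs), sorted(refs - attachments)))
    return report

if __name__ == "__main__": print(attachment_coverage(SAMPLE))
```

A non-empty first list corresponds to the insertion case (an attachment no signature reference covers); a non-empty second list corresponds to a referenced attachment that is absent from the package.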