Re: [wss] Proposed text changes relating to EncryptedHeader

[NISHIMURA Toshihiro <nishimura.toshi@jp.fujitsu.com>]

Thank you, Hal,

# Line numbers are based on the draft dated 16 May 2005.

I noticed that Lines 1640-1645 says "If the referencing
<wsse:Security> header block defines a value for the S12:Role or
S11:Actor attribute". There are cases when the referencing
<wsse:Security> header block does not define those attribute.


One example came up to me.
Sender sends a message with <Foo> header block to Receiver.
There are 2 intermediaries (A and B) between Sender and Receiver and A
encrypts the <Foo> header block and B decrypts it.

1) Sender sends a message:
<S11:Header>
  <Foo S11:actor="Receiver" S11:mustUnderstand="1">..</Foo>
</S11:Header>

2) Intermediary-A encypts the <Foo> (results in an <EncryptedHeader>
and a <Security> targetted to Intermediary-B):
<S11:Header>
  <wsse11:EncryptedHeader S11:actor="....." S11:mustUnderstand="..">..</wsse11:EncryptedHeader>
  <wsse:Security S11:actor="Intermediary-B" S11:mustUnderstand="1">..</wsse:Security>
</S11:Header>

3) Intermediary-B dencypts the <EncryptedHeader> (results in the original
message):
<S11:Header>
  <Foo S11:actor="Receiver" S11:mustUnderstand="1">..</Foo>
</S11:Header>

4) Receiver process the <Foo> header block.

(Note that the <Foo> header block can be a <wsse:Security> header block)

The target of <Security> produced by step 2 will be Intermediary-B
because only Intermediary-B can process it (decrypt the
<EncryptedHeader>).

What is the target of <EncryptedHeader> ?
A) Based on Lines 1640-1645, it is copied from the referencing
<Security> header: "Intermediary-B"
B) Based on Lines 1700-1703, it must be same with the value of the
resulting decrypted header: "Receiver"
They are conflicting!!



At Fri, 27 May 2005 14:28:26 -0400,
Hal Lockhart wrote:
> Well this was outside of the changes I proposed, (except for the
> phrase "unless it is a security header") but I believe lines
> 1653-1655 are referring to the encrypted header before it is
> wrapped. But perhaps it is simply obsoleted by the other changes.
> 
> Hal
> 
> > -----Original Message-----
> > From: NISHIMURA Toshihiro [mailto:nishimura.toshi@jp.fujitsu.com]
> > Sent: Wednesday, May 25, 2005 6:33 AM
> > To: Hal Lockhart
> > Cc: wss@lists.oasis-open.org
> > Subject: Re: [wss] Proposed text changes relating to EncryptedHeader
> > 
> > 
> > Hal,
> > 
> > # I'm sorry for replying to the old message.
> > # http://lists.oasis-open.org/archives/wss/200412/msg00037.html
> > 
> > Current draft (dated 16 May 2005) has adopted your proposal 
> > as follows:
> > 
> > Lines 1640-1645
> > | If the
> > | referencing <wsse:Security> header block defines a value 
> > for the <S12:MustUnderstand>
> > | or <S11:MustUnderstand> attribute, that attribute and 
> > associated value MUST be copied to
> > | the <wsse11:EncryptedHeader> element. If the referencing 
> > <wsse:Security> header block
> > | defines a value for the S12:Role or S11:Actor attribute, 
> > that attribute and associated value MUST
> > | be copied to the <wsse11:EncryptedHeader> element.
> > 
> > Lines 1653-1655
> > | Any
> > | <wsse:Security> header that encrypts a header block 
> > targeted to a particular actor SHOULD
> > | be targeted to that same actor, unless it is a security header.
> > 
> > Lines 1700-1703
> > | If the value of the S12:mustUnderstand, S11:mustUnderstand, 
> > S12:Role or
> > | S11:Actor attributes on the resulting decrypted header 
> > element, differ from the value of
> > | the corresponding attribute on the <wsse11:EncryptedHeader> 
> > element, the
> > | processor MUST raise a fault.
> > 
> > I wonder why Lines 1653-1655 uses "SHOULD".
> > 
> > I see Lines 1640-1645 says that
> >   S11:actor MUST be copied from the <wsse:Security> element to the
> >   <wsse11:EncryptedHeader> element.
> > And Lines 1700-1703 says that
> >   the decrypted header element and <wsse11:EncryptedHeader> element
> >   MUST have the same S11:actor value.
> > Based on these two, I can conclude that the <wsse:Security> element
> > and the header element to be encrypted (which is same with decrypted
> > header element) MUST have the same S11:actor value. 
> > (And because WSS prohibits two security headers being targeted to the
> > same Role/Actor, encrypting <wsse:Security> with
> > <wsse11:EncryptedHeader> is not possible.)
> > 
> > Am I misunderstanding something?
> > 
> > Toshi
> > ---
> > NISHIMURA Toshihiro (FAMILY Given)
> > nishimura.toshi@jp.fujitsu.com
> > STRATEGY AND TECHNOLOGY DIV., SOFTWARE GROUP, FUJITSU LIMITED
<snipped>