Subject: RE: [wss] Backcompat
I don't understand this. How can the WSS 1.1 spec define the behavior of a WSS 1.0 Receiver? If the WSS 1.0 Receiver is already out in the field, how can you change it with the behavior defined in the WSS 1.1 spec? If you can change the behavior, then why not just upgrade the receiver to handle 1.1 instead?

Symon Chang
Sr. Security Architect
TIBCO Software Inc.

-----Original Message-----
From: Martin Gudgin [mailto:mgudgin@microsoft.com]
Sent: Monday, May 30, 2005 6:19 AM
To: WSS
Cc: Paul Cotton
Subject: [wss] Backcompat

Dear TC,

Paul and I took an action at the last meeting to draft something on backward compatibility. Here it is...

Gudge

OASIS WSS 1.1 defines several new XML elements; SignatureConfirmation, EncryptedHeader, Salt, Iteration. It also defines several new URIs;

http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-soap-message-security-1.1#ThumbprintSHA1,
http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-soap-message-security-1.1#EncryptedKey,
http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-soap-message-security-1.1#EncryptedKeySHA1,
http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-soap-message-security-1.1#X509ThumbprintSHA1

All elements and URIs that already existed in OASIS WSS 1.0 are unchanged.

Proposed behaviour;

WSS 1.0 receivers:

1. Generate a soap:mustUnderstand fault if any xenc:EncryptedHeader has soap:mustUnderstand='1'. This will happen per normal SOAP processing rules.

2. Generate a fault (wsse:InvalidSecurity) if wsse11:SignatureConfirmation is found inside wsse:Security.

3. Generate a fault (wsse:UnsupportedSecurityToken) if http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-soap-message-security-1.1#EncryptedKey is specified for wsse:SecurityTokenReference/wsse:Reference/@ValueType.

4. Generate a fault (wsse:UnsupportedSecurityToken) if wsse:SecurityTokenReference/wsse:KeyIdentifier/@ValueType is http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-soap-message-security-1.1#ThumbprintSHA1, http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-soap-message-security-1.1#EncryptedKeySHA1 or http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-soap-message-security-1.1#X509ThumbprintSHA1

5. Generate a fault (wsse:UnsupportedSecurityToken) if wsse11:Salt or wsse11:Iteration are found in wsse:UsernameToken.

I don't believe we need to say anything about 1.1 receivers.
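
Added example, not part of either message or of any OASIS text: the five receiver rules proposed in the quoted message, written as a check over a SOAP 1.1 envelope. Assumptions: the function and helper names are hypothetical, the wsse11 namespace is the draft "2005/xx" URI as the proposal writes it, rule 1 returns the SOAP 1.1 MustUnderstand fault code, and the rules are applied in the order listed (the proposal does not state a precedence).

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 assumed
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
# Draft 1.1 URI exactly as the proposal writes it, "2005/xx" placeholder included.
WSSE11 = "http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-soap-message-security-1.1"
XENC = "http://www.w3.org/2001/04/xmlenc#"
KEYID_11 = {WSSE11 + "#" + n
            for n in ("ThumbprintSHA1", "EncryptedKeySHA1", "X509ThumbprintSHA1")}

def q(ns, local):
    """Build the {namespace}local form ElementTree uses for qualified names."""
    return "{%s}%s" % (ns, local)

def wss10_fault(envelope_xml):
    """Fault a WSS 1.0 receiver raises for 1.1 content (rules 1-5), else None."""
    header = ET.fromstring(envelope_xml).find(q(SOAP, "Header"))
    if header is None:
        return None
    for block in header:  # rule 1: ordinary SOAP mustUnderstand processing
        if (block.tag == q(XENC, "EncryptedHeader")
                and block.get(q(SOAP, "mustUnderstand")) == "1"):
            return "soap:MustUnderstand"
    for sec in header.iter(q(WSSE, "Security")):
        if sec.find(".//" + q(WSSE11, "SignatureConfirmation")) is not None:
            return "wsse:InvalidSecurity"  # rule 2
        for ref in sec.iter(q(WSSE, "SecurityTokenReference")):
            direct = ref.find(q(WSSE, "Reference"))
            keyid = ref.find(q(WSSE, "KeyIdentifier"))
            if direct is not None and direct.get("ValueType") == WSSE11 + "#EncryptedKey":
                return "wsse:UnsupportedSecurityToken"  # rule 3
            if keyid is not None and keyid.get("ValueType") in KEYID_11:
                return "wsse:UnsupportedSecurityToken"  # rule 4
        for token in sec.iter(q(WSSE, "UsernameToken")):
            if any(c.tag in (q(WSSE11, "Salt"), q(WSSE11, "Iteration")) for c in token):
                return "wsse:UnsupportedSecurityToken"  # rule 5
    return None

def sample(security_body, extra_header=""):
    """Constructed test envelope; not taken from the thread."""
    return ('<s:Envelope xmlns:s="%s" xmlns:wsse="%s" xmlns:wsse11="%s" xmlns:xenc="%s">'
            '<s:Header>%s<wsse:Security>%s</wsse:Security></s:Header><s:Body/></s:Envelope>'
            % (SOAP, WSSE, WSSE11, XENC, extra_header, security_body))

if __name__ == "__main__":
    print(wss10_fault(sample('<wsse:UsernameToken><wsse:Username>a</wsse:Username>'
                             '<wsse11:Salt>c2FsdA==</wsse11:Salt></wsse:UsernameToken>')))
```
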