OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

wss message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [wss] additional issue for issues list

This is already recorded as issue 427 ( for which I have an action to
produce a proposal ). I have a problem with your proposed resolution
because use of STRs outside the wsse:Security header is clearly
in-scope. For example; inside xenc:EncryptedData that appears outside
the wsse:SecurityHeader.

Gudge

> -----Original Message-----
> From: frederick.hirsch@nokia.com [mailto:frederick.hirsch@nokia.com] 
> Sent: 08 September 2005 12:20
> To: wss@lists.oasis-open.org
> Cc: concahill@aol.com
> Subject: [wss] additional issue for issues list
> 
> We should add an issue based on the following comment on the 
> public comments list. The comment email includes a proposed 
> resolution.
> 
> I would suggest changing the proposed resolution by replacing 
> "MUST" with "outside a wsse:Security header MUST".
> "
> 
> Issue relates to wording on lines 814-816 in the latest
> draft
> 
> http://www.oasis-open.org/apps/org/workgroup/wss/download.php/
14284/wss-v1.1-spec-draft-SOAPMessageSecurity-01.pdf
> 
> regards, Frederick
> Frederick Hirsch
> Nokia
> 
> Public comment:
> http://lists.oasis-open.org/archives/wss-comment/200508/msg00017.html
> 
> 
> Subject: STRs outside of <wsse:Security> header
> 
> From: "Conor P. Cahill" <concahill@aol.com>
> To: wss-comment@lists.oasis-open.org
> Date: Thu, 18 Aug 2005 17:23:15 -0400
> 
> Lines 812-814 of the core specificatoin require that uses of the STR
> outside of a Security header require that "the meaning of the
> response and/or the processing of the reulting references MUST
> be specified by the containing element ... "
> 
> This is a bit confusing as a "containing element" doesn't typically
> specify processing rules (yes, the specification for that containing
> element may do so).  This also restricts one from profiling a 
> use of an
> STR within an extension area defined in another specification 
> (such as a
> profile of using an STR as a child of the WS-Addressing <Metadata> EPR
> element).
> 
> I would like to propose that we change this to someting along 
> the lines of:
> 
> Any use of an STR outside of the Security header is outside 
> the scope of
> this specification.  Entities desiring to use the STR element MUST
> profile the  meaning of the response and/or the processing of the
> resulting references.
> 
> Conor
>

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]