dss-x message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Message-level security profile


Hi,


The proof-of-concept message-level security profile for Core 2 looks as follows:

<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           targetNamespace="urn:dss:security"
           xmlns:sec="urn:dss:security"
           xmlns:wsa="http://www.w3.org/2005/08/addressing"
           xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
           xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
           elementFormDefault="qualified" attributeFormDefault="unqualified">

    <xs:import namespace="http://www.w3.org/2005/08/addressing"
               schemaLocation="ws-addr.xsd" />

    <xs:import namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
               schemaLocation="oasis-200401-wss-wssecurity-utility-1.0.xsd"/>

    <xs:import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="xmldsig-core-schema.xsd"/>

    <xs:group name="InputSecurityGroup">
        <xs:choice>
            <xs:element name="InputSecurity" type="sec:InputSecurityType">
                <xs:annotation>
                    <xs:documentation>
                        Defines message-level security for OptionalInput.
                    </xs:documentation>
                </xs:annotation>
            </xs:element>
        </xs:choice>
    </xs:group>

    <xs:complexType name="InputSecurityType">
        <xs:sequence>
            <xs:element ref="wsa:MessageID">
                <xs:annotation>
                    <xs:documentation>
                        A unique identifier for this message.
                    </xs:documentation>
                </xs:annotation>
            </xs:element>
            <xs:element ref="wsu:Timestamp">
                <xs:annotation>
                    <xs:documentation>
                        Message should only be used within this time frame.
                    </xs:documentation>
                </xs:annotation>
            </xs:element>
            <xs:element ref="wsa:ReplyTo">
                <xs:annotation>
                    <xs:documentation>
                        The URL to which the DSS should send a response message.
                    </xs:documentation>
                </xs:annotation>
            </xs:element>
            <xs:element ref="ds:Signature">
                <xs:annotation>
                    <xs:documentation>
                        The message signature.
                    </xs:documentation>
                </xs:annotation>
            </xs:element>
        </xs:sequence>
    </xs:complexType>

    <xs:attributeGroup name="SecurityAttributeGroup">
        <xs:attribute ref="wsu:Id" use="required"/>
    </xs:attributeGroup>

    <xs:group name="OutputSecurityGroup">
        <xs:choice>
            <xs:element name="OutputSecurity" type="sec:OutputSecurityType">
                <xs:annotation>
                    <xs:documentation>
                        Defines message-level security for OptionalOutput.
                    </xs:documentation>
                </xs:annotation>
            </xs:element>
        </xs:choice>
    </xs:group>

    <xs:complexType name="OutputSecurityType">
        <xs:sequence>
            <xs:element ref="wsa:RelatesTo">
                <xs:annotation>
                    <xs:documentation>
                        Refers to the previous wsa:MessageID.
                    </xs:documentation>
                </xs:annotation>
            </xs:element>
            <xs:element ref="wsu:Timestamp">
                <xs:annotation>
                    <xs:documentation>
                        Message should only be used within this time frame.
                    </xs:documentation>
                </xs:annotation>
            </xs:element>
            <xs:element ref="wsa:To">
                <xs:annotation>
                    <xs:documentation>
                        The URL to which the DSS wanted to send a response message.
                    </xs:documentation>
                </xs:annotation>
            </xs:element>
            <xs:element ref="ds:Signature">
                <xs:annotation>
                    <xs:documentation>
                        The message signature.
                    </xs:documentation>
                </xs:annotation>
            </xs:element>
        </xs:sequence>
    </xs:complexType>

</xs:schema>


With the corresponding redefine XML schema:

<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:dss="urn:oasis:names:tc:dss:1.0:core:schema"
           targetNamespace="urn:oasis:names:tc:dss:1.0:core:schema"
           xmlns:sec="urn:dss:security"
           elementFormDefault="qualified" attributeFormDefault="unqualified">

    <xs:include schemaLocation="oasis-dss-core-schema-v1.0-os.xsd"/>

    <xs:import namespace="urn:dss:security" schemaLocation="dss-security.xsd"/>

    <xs:redefine schemaLocation="oasis-dss-core-schema-v1.0-os.xsd">
        <xs:complexType name="SignRequestType">
            <xs:complexContent>
                <xs:extension base="dss:SignRequestType">
                    <xs:attributeGroup ref="sec:SecurityAttributeGroup"/>
                </xs:extension>
            </xs:complexContent>
        </xs:complexType>
        <xs:complexType name="OptionalInputsSignType">
            <xs:complexContent>
                <xs:extension base="dss:OptionalInputsSignType">
                    <xs:group ref="sec:InputSecurityGroup"/>
                </xs:extension>
            </xs:complexContent>
        </xs:complexType>
        <xs:complexType name="OptionalOutputsSignType">
            <xs:complexContent>
                <xs:extension base="dss:OptionalOutputsSignType">
                    <xs:group ref="sec:OutputSecurityGroup"/>
                </xs:extension>
            </xs:complexContent>
        </xs:complexType>
        <xs:complexType name="SignResponseType">
            <xs:complexContent>
                <xs:extension base="dss:SignResponseType">
                    <xs:attributeGroup ref="sec:SecurityAttributeGroup"/>
                </xs:extension>
            </xs:complexContent>
        </xs:complexType>
    </xs:redefine>

</xs:schema>



Notwithstanding the "brave" goal of Core 2 to try to be "data representation agnostic", it should still be possible to use existing XML/JSON-specific constructs depending on the concrete binding (SOAP, Browser POST, REST, ...).

Hence, for example, in the case of XML it should be possible to use XML signatures. The rewriting of the xmldsig schema feels dangerous in this respect. Similarly, in the case of JSON over Browser POST for example, things like JWS should be possible.

Another example: in the case of a SOAP binding, MTOM should be possible to transfer the document-to-be-signed (which will be my next area of work).


Kind Regards,

Frank.

--
Frank Cornelis
e-Contract.be BVBA
https://www.e-contract.be
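Added example, not part of Frank's message or of any DSS-X implementation: a Python check of the semantics the InputSecurity block above encodes (wsa:MessageID replay detection, wsu:Timestamp acceptance window, presence of ds:Signature). The sample XML, its values and the ds:Signature content are constructed placeholders; cryptographic verification of the signature is assumed to be done by an XML-DSig library and is out of scope here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"wsa": "http://www.w3.org/2005/08/addressing",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "ds": "http://www.w3.org/2000/09/xmldsig#", "sec": "urn:dss:security"}

# Constructed sample: the OptionalInputs of a SignRequest carrying sec:InputSecurity (placeholder signature).
SAMPLE_REQUEST = b"""<OptionalInputs xmlns:sec="urn:dss:security"
  xmlns:wsa="http://www.w3.org/2005/08/addressing"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <sec:InputSecurity>
    <wsa:MessageID>urn:uuid:11111111-2222-3333-4444-555555555555</wsa:MessageID>
    <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2024-01-01T12:00:00Z</wsu:Created><wsu:Expires>2024-01-01T12:05:00Z</wsu:Expires></wsu:Timestamp>
    <wsa:ReplyTo><wsa:Address>https://client.example/dss/callback</wsa:Address></wsa:ReplyTo>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>
  </sec:InputSecurity>
</OptionalInputs>"""

def _text(node, path):
    child = node.find(path, NS)
    if child is None or not (child.text or "").strip():
        raise ValueError(f"missing {path}")
    return child.text.strip()

def check_input_security(xml_bytes, seen_ids, now, max_age=timedelta(minutes=5)):
    """Reject replays, stale/not-yet-valid timestamps and unsigned messages; return the MessageID."""
    sec = ET.fromstring(xml_bytes).find(".//sec:InputSecurity", NS)
    if sec is None: raise ValueError("no sec:InputSecurity")
    msg_id = _text(sec, "wsa:MessageID")
    if msg_id in seen_ids: raise ValueError("replayed MessageID")
    # wsu:Created/Expires are xs:dateTime; a trailing Z is read as UTC
    created = datetime.fromisoformat(_text(sec, "wsu:Timestamp/wsu:Created").replace("Z", "+00:00"))
    expires = datetime.fromisoformat(_text(sec, "wsu:Timestamp/wsu:Expires").replace("Z", "+00:00"))
    if not created <= now <= expires or now - created > max_age:
        raise ValueError("timestamp outside acceptance window")
    if sec.find("ds:Signature", NS) is None:
        raise ValueError("no ds:Signature")
    seen_ids.add(msg_id)  # record only after every check passed
    return msg_id

def demo():
    now = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)
    seen = set()
    first = check_input_security(SAMPLE_REQUEST, seen, now)
    try:  # the same message presented again must be rejected as a replay
        check_input_security(SAMPLE_REQUEST, seen, now)
        return first, False
    except ValueError:
        return first, True
```

On the response side the same checks apply with wsa:RelatesTo compared against the MessageID that was recorded for the request.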


