[Continuation of draft on NRR
incorporating features discussed on Monday Feb 9 teleconference.]
AS4 reuses the ebMS 3 Receipt signal message for non-repudiation of
receipt (NRR), and uses WS-Security (WSS) to sign the receipt.
The ebMS 3 signal message, used for both signed and unsigned receipts, is
carried in an eb3:Messaging header block of a SOAP 1.1 or SOAP 1.2 message
with @mustUnderstand set to "true" ("1" in SOAP 1.1).
The NonRepudiationInformation element contains one
MessagePartNRInformation item for each message part for which evidence of
non-repudiation of receipt is being provided. Under the default conventions,
these message parts are those that were signed in the original message. Each
message part is described by an XML Digital Signature Reference information
item (URI, Transforms, DigestMethod and DigestValue), so the receipt records the
digest of each part exactly as the receiving MSH verified it, and the sender can
match it against the SignedInfo it produced. The following example illustrates
the ebMS 3 signal message header.
<eb3:Messaging S12:mustUnderstand="true"
    xmlns:eb3="http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/"
    xmlns:S12="http://www.w3.org/2003/05/soap-envelope"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    wsu:Id="ValueOfMessagingHeader">
  <eb3:SignalMessage>
    <eb3:MessageInfo>
      <eb3:Timestamp>2009-11-06T08:00:09Z</eb3:Timestamp>
      <eb3:MessageId>orderreceipt@seller.com</eb3:MessageId>
      <eb3:RefToMessageId>orders123@buyer.com</eb3:RefToMessageId>
    </eb3:MessageInfo>
    <eb3:Receipt>
      <ebbp:NonRepudiationInformation
          xmlns:ebbp="http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0"
          xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <ebbp:MessagePartNRInformation>
          <dsig:Reference URI="#5cb44655-5720-4cf4-a772-19cd480b0ad4">
            <dsig:Transforms>
              <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </dsig:Transforms>
            <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <dsig:DigestValue>o9QDCwWSiGVQACEsJH5nqkVE2s0=</dsig:DigestValue>
          </dsig:Reference>
        </ebbp:MessagePartNRInformation>
        <ebbp:MessagePartNRInformation>
          <dsig:Reference URI="cid:a1d7fdf5-d67e-403a-ad92-3b9deff25d43@buyer.com">
            <dsig:Transforms>
              <dsig:Transform Algorithm="http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Content-Signature-Transform" />
            </dsig:Transforms>
            <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <dsig:DigestValue>iWNSv2W6SxbOYZliPzZDcXAxrwI=</dsig:DigestValue>
          </dsig:Reference>
        </ebbp:MessagePartNRInformation>
      </ebbp:NonRepudiationInformation>
    </eb3:Receipt>
  </eb3:SignalMessage>
</eb3:Messaging>
For a signed receipt, a WS-Security header carrying an XML Signature over
(at least) the eb3:Messaging header block is required; the signature refers to
that header block by its wsu:Id (here "ValueOfMessagingHeader"). An example
WS-Security header is as follows:
<wsse:Security s:mustUnderstand="1"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:s="http://www.w3.org/2003/05/soap-envelope">
  <wsu:Timestamp wsu:Id="_1"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsu:Created>2009-11-06T08:00:10Z</wsu:Created>
    <wsu:Expires>2009-11-06T08:50:00Z</wsu:Expires>
  </wsu:Timestamp>
  <wsse:BinarySecurityToken
      EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
      ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
      wsu:Id="_2"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">MIIFADCCBGmgAwIBAgIEOmitted</wsse:BinarySecurityToken>
  <ds:Signature Id="_3" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <ds:Reference URI="#ValueOfMessagingHeader">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <InclusiveNamespaces PrefixList="xsd" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <ds:DigestValue>ZXnOmitted=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>rxaP4of8JCpUkOmitted=</ds:SignatureValue>
    <ds:KeyInfo>
      <wsse:SecurityTokenReference
          xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        <wsse:Reference URI="#_2"
            ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
  </ds:Signature>
</wsse:Security>
Implementations requesting signed receipts in AS4 that make use of the
default conventions MUST identify message parts using Content-Id values in
the MIME headers, MUST sign the SOAP body and all attachments, using the
http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Content-Signature-Transform
for each attachment Reference in the SignedInfo References list, MUST NOT
encrypt any signed content before signing, and, if an attachment is
compressed, MUST sign the data after compression (the digest covers the
octets as transmitted). Variations from the default conventions can be
agreed bilaterally, but conforming implementations are only required to
provide receipts using the default conventions described in this section.
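The two halves of the exchange described above (the receiving MSH building the NonRepudiationInformation from the original signature, and the sending MSH checking the receipt against the SignedInfo it produced), as an added example that is not code from this draft or from the OASIS specifications. It assumes the default conventions of the previous paragraph: one dsig:Reference per signed part, attachments identified by Content-Id, and a compressed attachment digested after compression. The SOAP body digest is treated as an opaque value (exclusive canonicalization is not implemented here), attachments are assumed to be binary MIME parts for which the SwA Attachment-Content-Signature-Transform yields the raw octets, and the sample attachment bytes and SignedInfo are constructed for the example; `build_receipt`, `verify_receipt` and `receipt-header` are names chosen here, not from the page.

```python
"""AS4 non-repudiation of receipt (NRR) under the default conventions.

Added example, not code from the draft or the OASIS specifications.
Receiver: build the eb3:Messaging receipt whose NonRepudiationInformation
echoes every ds:Reference of the original signature. Sender: check that the
receipt refers to our MessageId and reproduces exactly the parts and digests
we signed. Assumptions: body digest treated as opaque (no exclusive C14N),
binary attachments (SwA transform output = raw octets), constructed sample data.
"""
import base64
import copy
import gzip
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "S12": "http://www.w3.org/2003/05/soap-envelope",
    "eb3": "http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/",
    "ebbp": "http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)

SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
DIGEST_ALGS = {SHA1: hashlib.sha1, "http://www.w3.org/2001/04/xmlenc#sha256": hashlib.sha256}
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
SWA_TRANSFORM = ("http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1"
                 "#Attachment-Content-Signature-Transform")

def q(prefix, tag):
    return "{%s}%s" % (NS[prefix], tag)  # Clark notation for ElementTree

def attachment_digest(octets, digest_method=SHA1):
    """Digest of a binary MIME part as transmitted; for a compressed part the
    caller passes the compressed octets (default convention: sign after compression)."""
    return base64.b64encode(DIGEST_ALGS[digest_method](octets).digest()).decode("ascii")

def extract_references(container):
    """Map Reference URI -> (transform algorithms, digest method, digest value)."""
    refs = {}
    for ref in container.iter(q("ds", "Reference")):
        transforms = tuple(t.get("Algorithm") for t in ref.iter(q("ds", "Transform")))
        method = ref.find(q("ds", "DigestMethod")).get("Algorithm")
        refs[ref.get("URI")] = (transforms, method, ref.find(q("ds", "DigestValue")).text.strip())
    return refs

def build_receipt(original_message_id, receipt_message_id, timestamp, signed_info_xml):
    """Receiving MSH: one MessagePartNRInformation per signed part, each a verbatim
    copy of the original ds:Reference. Returns the eb3:Messaging header block, which
    the WS-Security signature of a signed receipt then covers via its wsu:Id."""
    messaging = ET.Element(q("eb3", "Messaging"),
                           {q("S12", "mustUnderstand"): "true", q("wsu", "Id"): "receipt-header"})
    signal = ET.SubElement(messaging, q("eb3", "SignalMessage"))
    info = ET.SubElement(signal, q("eb3", "MessageInfo"))
    ET.SubElement(info, q("eb3", "Timestamp")).text = timestamp
    ET.SubElement(info, q("eb3", "MessageId")).text = receipt_message_id
    ET.SubElement(info, q("eb3", "RefToMessageId")).text = original_message_id
    nrr = ET.SubElement(ET.SubElement(signal, q("eb3", "Receipt")), q("ebbp", "NonRepudiationInformation"))
    for ref in ET.fromstring(signed_info_xml).iter(q("ds", "Reference")):
        ET.SubElement(nrr, q("ebbp", "MessagePartNRInformation")).append(copy.deepcopy(ref))
    return ET.tostring(messaging, encoding="unicode")

def verify_receipt(receipt_xml, original_message_id, signed_info_xml):
    """Sending MSH: list of problems; empty means the receipt is acceptable NRR
    evidence for what we sent. Verifying the WS-Security signature over the
    receipt is the WSS stack's job and is not done here."""
    problems = []
    root = ET.fromstring(receipt_xml)
    ref_to = root.find(".//eb3:RefToMessageId", NS)
    if ref_to is None or ref_to.text != original_message_id:
        problems.append("RefToMessageId does not match %s" % original_message_id)
    nrr = root.find(".//ebbp:NonRepudiationInformation", NS)
    if nrr is None:
        return problems + ["no NonRepudiationInformation in receipt"]
    expected, got = extract_references(ET.fromstring(signed_info_xml)), extract_references(nrr)
    for uri, exp in expected.items():
        if uri not in got:
            problems.append("receipt omits signed part %s" % uri)
        elif got[uri] != exp:  # any change to transforms, algorithm or digest is a mismatch
            problems.append("transform/digest mismatch for %s" % uri)
    problems += ["receipt names unsigned part %s" % uri for uri in got if uri not in expected]
    return problems

# Constructed sample: a gzip-compressed binary attachment and the SignedInfo the
# sender produced for it. The body DigestValue is the opaque value from the draft.
ATTACHMENT = gzip.compress(b"<Order id='123'/>" * 64, mtime=0)
BODY_URI = "#5cb44655-5720-4cf4-a772-19cd480b0ad4"
ATTACHMENT_URI = "cid:a1d7fdf5-d67e-403a-ad92-3b9deff25d43@buyer.com"
SIGNED_INFO = (
    '<ds:SignedInfo xmlns:ds="%s"><ds:CanonicalizationMethod Algorithm="%s"/>'
    '<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
    '<ds:Reference URI="%s"><ds:Transforms><ds:Transform Algorithm="%s"/></ds:Transforms>'
    '<ds:DigestMethod Algorithm="%s"/><ds:DigestValue>o9QDCwWSiGVQACEsJH5nqkVE2s0=</ds:DigestValue>'
    '</ds:Reference><ds:Reference URI="%s"><ds:Transforms><ds:Transform Algorithm="%s"/>'
    '</ds:Transforms><ds:DigestMethod Algorithm="%s"/><ds:DigestValue>%s</ds:DigestValue>'
    '</ds:Reference></ds:SignedInfo>'
) % (NS["ds"], EXC_C14N, BODY_URI, EXC_C14N, SHA1,
     ATTACHMENT_URI, SWA_TRANSFORM, SHA1, attachment_digest(ATTACHMENT))
```

Usage: `build_receipt("orders123@buyer.com", "orderreceipt@seller.com", "2009-11-06T08:00:09Z", SIGNED_INFO)` yields a header block equivalent to the signal message example above, and `verify_receipt(receipt, "orders123@buyer.com", SIGNED_INFO)` returns an empty list for it. The sender-side check deliberately compares the whole Reference (transforms, digest algorithm and digest value) rather than the digest alone, and rejects receipts that name parts the sender never signed: a receipt is only evidence for the octets the sender can tie back to its own SignedInfo. SHA-1 is used only because the draft's examples use it; the digest-algorithm table is where a deployment would substitute SHA-256.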