
Subject: RE: [ebxml-msg-as4] AS4 NRR draft for Feb 9 discussion


Should we move these requirements to a higher level (i.e. not just WHEN receipts are needed)?

>MUST not encrypt any signed content before signing, and, if using compression in an attachment, MUST sign the data after compression.

- We already have "compress then sign" in 3.1, which could be made more specific about dealing with parts.
- "sign then encrypt" is also required in Core V3 (7.6)

So we could just present it as a reminder here (user should be aware that applies to all messages...).

-jacques


From: Moberg Dale [mailto:dmoberg@axway.com]
Sent: Tuesday, February 10, 2009 9:10 AM
To: ebxml-msg-as4@lists.oasis-open.org
Subject: RE: [ebxml-msg-as4] AS4 NRR draft for Feb 9 discussion

[Continuation of draft on NRR incorporating features discussed on Monday Feb 9 teleconference.]

 

AS4 reuses ebMS 3 signal messages for nonrepudiation of receipt, and uses WSS for signing the receipt.

 

The ebMS 3 signal message, used for either signed or unsigned receipts, is a SOAP version 1.1 or 1.2 header with @mustUnderstand set to “true”.

 

The NonRepudiationInformation contains a sequence of MessagePartNRInformation items for each message part for which evidence of non-repudiation of receipt is being provided. In the normal default usage, these message parts are those that have been signed in the original message. Each message part is described with information defined by an XML Digital Signature Reference information item. The following example illustrates the ebMS 3 Signal Message header.

 

<eb3:Messaging S12:mustUnderstand="true" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="ValueOfMessagingHeader">
    <eb3:SignalMessage>
        <eb3:MessageInfo>
            <eb3:Timestamp>2009-11-06T08:00:09Z</eb3:Timestamp>
            <eb3:MessageId>orderreceipt@seller.com</eb3:MessageId>
            <eb3:RefToMessageId>orders123@buyer.com</eb3:RefToMessageId>
        </eb3:MessageInfo>
        <eb3:Receipt>
            <ebbp:NonRepudiationInformation>
                <ebbp:MessagePartNRInformation>
                    <dsig:Reference URI="#5cb44655-5720-4cf4-a772-19cd480b0ad4">
                        <dsig:Transforms>
                            <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        </dsig:Transforms>
                        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <dsig:DigestValue>o9QDCwWSiGVQACEsJH5nqkVE2s0=</dsig:DigestValue>
                    </dsig:Reference>
                </ebbp:MessagePartNRInformation>
                <ebbp:MessagePartNRInformation>
                    <dsig:Reference URI="cid:a1d7fdf5-d67e-403a-ad92-3b9deff25d43@buyer.com">
                        <dsig:Transforms>
                            <dsig:Transform Algorithm="http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Content-Signature-Transform" />
                        </dsig:Transforms>
                        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <dsig:DigestValue>iWNSv2W6SxbOYZliPzZDcXAxrwI=</dsig:DigestValue>
                    </dsig:Reference>
                </ebbp:MessagePartNRInformation>
            </ebbp:NonRepudiationInformation>
        </eb3:Receipt>
    </eb3:SignalMessage>
</eb3:Messaging>

 

For a signed receipt, a Web Services Security header signing over (at least) the signal header is required. An example WS-Security header is as follows:

 

<wsse:Security s:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:s="http://www.w3.org/2003/05/soap-envelope">
    <wsu:Timestamp wsu:Id="_1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsu:Created>2009-11-06T08:00:10Z</wsu:Created>
        <wsu:Expires>2009-11-06T08:50:00Z</wsu:Expires>
    </wsu:Timestamp>
    <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
        ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
        wsu:Id="_2"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">MIIFADCCBGmgAwIBAgIEOmitted</wsse:BinarySecurityToken>
    <ds:Signature Id="_3" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#ValueOfMessagingHeader">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <InclusiveNamespaces PrefixList="xsd" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>ZXnOmitted=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>rxaP4of8JCpUkOmitted=</ds:SignatureValue>
        <ds:KeyInfo>
            <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                <wsse:Reference URI="#_2" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
            </wsse:SecurityTokenReference>
        </ds:KeyInfo>
    </ds:Signature>
</wsse:Security>

 

Implementations requesting signed receipts in AS4 that make use of default conventions MUST identify message parts using Content-Id values in the MIME headers, MUST sign the SOAP body and all attachments using the http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Content-Signature-Transform within the SignedInfo References list, MUST not encrypt any signed content before signing, and, if using compression in an attachment, MUST sign the data after compression. Variations from default conventions can be agreed to bilaterally, but conforming implementations are only required to provide receipts using the default conventions described in this section.
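The default conventions in the message above (parts identified by MIME Content-Id, attachments digested with the SwA Attachment-Content-Signature-Transform, and digests taken over the compressed octets) can be exercised end to end with a small sender-side check of a received Receipt. The following is an added example written for this thread; it is not code from the OASIS TC, the AS4 profile or any ebMS implementation. It only handles attachment parts referenced by cid: URIs (for non-XML MIME content the SwA transform digests the decoded content octets, so plain SHA-1 over those octets is what a receiver reports); SOAP-body references, which need exclusive canonicalization, are out of scope. The sample attachments are constructed, and the ebbp namespace URI is an assumption that should be taken from the ebBP signals schema in a real implementation.

```python
"""Check the per-part digests in an ebMS 3 / AS4 NRR Receipt against the
attachment octets the sender actually put on the wire.

Added example, not from the OASIS thread or the AS4 profile text.
Assumed: the ebbp namespace URI below. Constructed: SAMPLE_PARTS.
Scope: cid: references digested with the WSS SwA transform only.
"""
import base64
import gzip
import hashlib
import hmac
import xml.etree.ElementTree as ET

EBBP_NS = "http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0"  # assumed URI
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SWA_TRANSFORM = ("http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1"
                 "#Attachment-Content-Signature-Transform")
SHA1_ALG = "http://www.w3.org/2000/09/xmldsig#sha1"

ET.register_namespace("ebbp", EBBP_NS)
ET.register_namespace("ds", DS_NS)

# Constructed sample attachments keyed by MIME Content-Id (not real data).
SAMPLE_PARTS = {
    "a1d7fdf5-d67e-403a-ad92-3b9deff25d43@buyer.com": b"<order><item sku='42' qty='3'/></order>",
    "invoice-part@buyer.com": b"%PDF-placeholder-bytes " * 16,
}


def wire_octets(parts, compress=True):
    """Octets as they leave the sender. When compression is on, the gzip output
    is what is attached, so it is also what gets digested and signed
    ("compress then sign")."""
    return {cid: gzip.compress(data, mtime=0) if compress else data
            for cid, data in parts.items()}


def swa_digest(octets):
    """SHA-1 over the attachment content octets, base64-encoded as in DigestValue."""
    return base64.b64encode(hashlib.sha1(octets).digest()).decode("ascii")


def build_nr_information(received):
    """Receiver side: one MessagePartNRInformation per received attachment,
    digesting exactly the octets received (same shape as the Receipt above)."""
    nri = ET.Element(f"{{{EBBP_NS}}}NonRepudiationInformation")
    for cid, octets in received.items():
        part = ET.SubElement(nri, f"{{{EBBP_NS}}}MessagePartNRInformation")
        ref = ET.SubElement(part, f"{{{DS_NS}}}Reference", URI=f"cid:{cid}")
        transforms = ET.SubElement(ref, f"{{{DS_NS}}}Transforms")
        ET.SubElement(transforms, f"{{{DS_NS}}}Transform", Algorithm=SWA_TRANSFORM)
        ET.SubElement(ref, f"{{{DS_NS}}}DigestMethod", Algorithm=SHA1_ALG)
        ET.SubElement(ref, f"{{{DS_NS}}}DigestValue").text = swa_digest(octets)
    return ET.tostring(nri, encoding="unicode")


def check_receipt(nri_xml, sent):
    """Sender side: map each Reference back to a sent part by Content-Id and
    recompute the digest. Returns {content_id: status}."""
    root = ET.fromstring(nri_xml)
    status = {}
    for ref in root.iter(f"{{{DS_NS}}}Reference"):
        uri = ref.get("URI", "")
        if not uri.startswith("cid:"):
            status[uri] = "unsupported-uri"          # body refs are out of scope here
            continue
        cid = uri[len("cid:"):]
        transform = ref.find(f"{{{DS_NS}}}Transforms/{{{DS_NS}}}Transform")
        if transform is None or transform.get("Algorithm") != SWA_TRANSFORM:
            status[cid] = "unexpected-transform"
            continue
        method = ref.find(f"{{{DS_NS}}}DigestMethod")
        if method is None or method.get("Algorithm") != SHA1_ALG:
            status[cid] = "unexpected-digest-method"
            continue
        if cid not in sent:
            status[cid] = "unknown-part"            # receipt names a part never sent
            continue
        claimed = (ref.findtext(f"{{{DS_NS}}}DigestValue") or "").strip()
        expected = swa_digest(sent[cid])
        status[cid] = "ok" if hmac.compare_digest(claimed, expected) else "digest-mismatch"
    for cid in sent:
        status.setdefault(cid, "not-acknowledged")   # sent but absent from the receipt
    return status


def demo(receiver_digests_compressed=True):
    """Sender compresses; the receiver digests either the compressed wire octets
    (correct) or the decompressed content (wrong order of operations)."""
    sent = wire_octets(SAMPLE_PARTS, compress=True)
    seen = sent if receiver_digests_compressed else SAMPLE_PARTS
    return check_receipt(build_nr_information(seen), sent)


if __name__ == "__main__":
    print(demo(True))    # every part reports "ok"
    print(demo(False))   # every part reports "digest-mismatch"
```

Running demo(False) shows why the order of operations matters: a receiver that digests the decompressed content produces a Receipt whose DigestValues match nothing the sender signed, so the receipt is useless as non-repudiation evidence even though the data itself arrived intact.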