OASIS Mailing List Archives

ebxml-msg message



Subject: [ebxml-msg] Re: ebXML MS Security



Hi All,

I propose the following changes to MSv1.091 to address security concerns I raised:

Add to Section 4.1, following line 1042:

The ebXML Message Service does not define XML syntax to address security issues.  Instead, it defines usage of XMLDSIG (http://www.w3.org/Signature/) to address those security issues that are addressable via electronic signature technology. This section also provides future direction on use of XML Encryption, but defers specification of applied usage until W3/IETF work is completed (sec 4.1.4.5).

This specification addresses the applied usage of XMLDSIG in conjunction with ebXML Messaging Service.  Within this section, direction on applied usage of XMLDSIG is normative to the ebXML MS specification.  XMLDSIG provides the normative definition of the constructs used to convey digital signatures.

When preparing an ebXML message for transport, an ebXML MS offering security services SHALL either implement those services within the ebXML Message Service Handler, or direct the application of those services through a handler supporting XMLDSIG signature application. 

On receipt of an ebXML message containing a SOAP Header Element in the XMLDSIG namespace, an ebXML MSH SHALL assure that any XMLDSIG signatures supplied in SOAP Header Elements are handled prior to processing the ebXML SOAP Message Headers, else the ebXML MS SHALL raise a SOAP Fault [Client.Security???].

An ebXML Message Service Handler that does not support security services SHALL detect a request from the sending application to employ security services, and SHALL notify the application of its failure to provide security services.  It is RECOMMENDED that the Message Handler return to the sender a SOAP Message prepared for transport without XMLDSIG signatures, such that the application may itself then address the security services requested or take other action it deems appropriate.

Other usage of XMLDSIG within a SOAP Message employing ebXML Messaging Service is outside the scope of this specification.

Cheers,
        Bob
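
The receive-side rule proposed above (handle any XMLDSIG SOAP header block before processing the ebXML headers, otherwise fault), sketched as an added example that is not part of the original message or of the ebXML specification. Assumptions: `verify_signature` is a hypothetical callback supplied by an XMLDSIG implementation, `SecurityFault` stands in for the SOAP Fault whose code the proposal leaves open, and the sample message and its `eb` namespace URI are constructed.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"         # XMLDSIG


class SecurityFault(Exception):
    """Stand-in for the SOAP Fault; the fault code is undecided in the proposal."""


def gate_headers(envelope_xml, verify_signature=None):
    """Return the non-signature SOAP header blocks, but only after every
    header block in the XMLDSIG namespace has been handled.

    verify_signature: hypothetical callable(sig_element, envelope_root) -> bool.
    None models an MSH that offers no security services.
    """
    # Constructed input only; use a hardened XML parser for untrusted messages.
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP_NS}}}Header")
    if header is None:
        return []
    blocks = list(header)
    signatures = [b for b in blocks if b.tag.startswith(f"{{{DSIG_NS}}}")]
    for sig in signatures:
        # Fail closed: a missing verifier or a failed check stops processing
        # before any ebXML header is touched.
        if verify_signature is None or not verify_signature(sig, root):
            raise SecurityFault("XMLDSIG header not handled; ebXML headers not processed")
    return [b for b in blocks if b not in signatures]


def is_rejected(envelope_xml, verify_signature=None):
    """True when the gate raises the fault instead of releasing headers."""
    try:
        gate_headers(envelope_xml, verify_signature)
    except SecurityFault:
        return True
    return False


# Constructed sample message; the eb namespace URI is a placeholder.
SAMPLE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header>
    <eb:MessageHeader xmlns:eb="urn:example:ebxml-msg"/>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body/>
</SOAP-ENV:Envelope>"""
```

The signature block follows the ebXML header in document order in the sample, which shows that the gate depends on namespace detection rather than on header position.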


