OASIS Mailing List Archives
ebxml-msg message



Subject: [ebxml-msg] FW: [wss] FW: ebXML's requirements for xmldsig used for multipart SOAP .


Here is a first response (from Rich Salz) concerning the ebXML signature
requirements and how to do it in WSS.
I will also attach the message I sent to WSS for reference. About what I
expected so far.

Dale

-----Original Message-----
From: Rich Salz [mailto:rsalz@datapower.com] 
Sent: Friday, February 14, 2003 10:05 AM
To: Dale Moberg
Cc: wss@lists.oasis-open.org
Subject: Re: [wss] FW: ebXML's requirements for xmldsig used for
multipart SOAP .


Hi Dale,

Note that SOAP (at least 1.2) makes some of those things difficult.  For
example, the soap mustUnderstand attribute can be 0/1/true/false and
changed along the way, whitespace can appear between header elements,
etc.  Look at the thread [1] for a plan to address this.

For now, unfortunately, I think you have to write your own XSLT 
transform that takes those things into account, as well as header
variation.
	/r$

[1] http://lists.w3.org/Archives/Public/w3c-ietf-xmldsig/2003JanMar/0023.html


--- Begin Message ---
Hi,

I posed the issue below to Chris K. and Ajamu 
at a recent WS-I Security meeting. 

Some of us are interested in wss
feedback on how to do an xmldsig signature meeting 
the requirements described below. These
requirements were compiled during the ebXML initiative. 

Ajamu suggested the wss list members could provide us with some feedback
also.
So I am forwarding to the list.

Thanks
Dale Moberg

-----Original Message-----
From: Ajamu Wesley [mailto:awesley@us.ibm.com] 
Sent: Tuesday, February 11, 2003 11:35 AM
To: Dale Moberg
Cc: Chris Kaler
Subject: Re: ebXML's requirements for xmldsig used for multipart SOAP .



Dale,
These are good requirements. I will keep them in mind, but would
recommend that you submit these to the mailing list as well. This will
allow the working group members to provide feedback. Thanks.

-- Ajamu

++++++++
Ajamu Wesley
awesley@us.ibm.com
(919) 254-2195 (T/L 444)
Web Services Technologist
Emerging Internet Technologies
++++++++


"Dale Moberg" <dmoberg@cyclonecommerce.com> on 02/10/2003 01:09:47 PM

To:    Ajamu Wesley/Raleigh/IBM@IBMUS
cc:    "Chris Kaler" <ckaler@microsoft.com>
Subject:    ebXML's requirements for xmldsig used for multipart SOAP .



So far no one on ebXML Messaging has added anything to this description
of requirements, so I am forwarding it off to you.

I am interested in how a WSS xmldsig wss-profiled signature accomplishes
this signing, as I mentioned to you at the face to face. [Possibly we
can relax some requirement, so if you can get close please outline the
wss/xmldsig approach we can take.]

Thanks, Dale Moberg



Given that SOAP allows intermediaries to add elements at least to the
SOAP:Header EII (element information item) and given SOAP requires
intermediaries to remove targeted modules/header blocks in accordance
with SOAP processing semantics, ebXML wanted to make certain that the
ultimate SOAP node only received what the initial soap node had sent and
had targeted for the ultimate node, and not anything intermediaries
targeted to the ultimate node.

In addition,
ebXML messaging wanted an XMLDsig signature such that:

1. Signing is over a multipart/related, where there is a
   SOAP:envelope in the first bodypart, and some XML (or even nonXML) in
   some other bodypart. While more than one bodypart is permitted,
   signatures may be over the first part and any selection of the other
   bodyparts. [CID URI resolvers are added for this.]
2. SOAP header blocks targeted to intermediaries are not to be
   included in the original signature.
3. The original SOAP signatures are signed over. Other SOAP
   signatures may be added, and the original signature must not break.
4. Any addition to an originally signed over bodypart [other than a
   signature or a routing record] must be detectable in the sense that the
   signature will not verify.
5. Any deletion from the original bodyparts, other than targeted
   header blocks for intermediaries, must break the signature.
6. Any addition of ultimate soap node header blocks by
   intermediaries must break the signature.







--- End Message ---
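The six requirements above, together with Rich Salz's caveats about mustUnderstand spelling and inter-element whitespace, describe a transform over the first body part plus a cid: resolver for the others. The Python below is an added example, not code from ebXML MS, WSS or any of the people quoted in this thread, that models that scheme and checks each requirement against a constructed message. It assumes a SOAP 1.1 envelope with placeholder eb:/via:/t:/x: namespaces, uses ElementTree's C14N 2.0 where a real profile would name an XMLDSIG canonicalization and transform chain (an XPath or XSLT ds:Transform, as Rich suggests), and lets a SHA-256 digest stand in for a full ds:Signature with its ds:Reference elements.

```python
"""Toy model of the six signing requirements in this thread.  Added example, not
code from ebXML MS, WSS or anyone quoted above; constructed SOAP 1.1 envelope with
placeholder namespaces, C14N 2.0 instead of an XMLDSIG transform chain."""
import hashlib
import xml.etree.ElementTree as ET
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

DSIG = "http://www.w3.org/2000/09/xmldsig#"
ULTIMATE_ROLE = "http://www.w3.org/2003/05/soap-envelope/role/ultimateReceiver"


def targets_ultimate_node(block, soap_ns):
    """No actor (1.1) / role (1.2), or the explicit 1.2 ultimateReceiver role,
    means the ultimate node; anything else is a block a hop may consume."""
    target = block.get(f"{{{soap_ns}}}actor", block.get(f"{{{soap_ns}}}role"))
    return target is None or target == ULTIMATE_ROLE


def transform_envelope(envelope_xml):
    """Reqs 2 and 3 plus Rich Salz's caveats: drop intermediary-targeted and
    ds:Signature blocks, map mustUnderstand to 0/1, canonicalise without
    inter-element whitespace or the original prefix names."""
    root = ET.fromstring(envelope_xml)
    soap_ns = root.tag[1:].split("}")[0]            # whichever SOAP version is in use
    header = root.find(f"{{{soap_ns}}}Header")
    mu_attr = f"{{{soap_ns}}}mustUnderstand"
    for block in (list(header) if header is not None else []):
        if block.tag == f"{{{DSIG}}}Signature" or not targets_ultimate_node(block, soap_ns):
            header.remove(block)
        elif mu_attr in block.attrib:               # 0/1/true/false -> 0/1
            block.set(mu_attr, "1" if block.get(mu_attr) in ("1", "true") else "0")
    return ET.canonicalize(ET.tostring(root, encoding="unicode"),
                           strip_text=True, rewrite_prefixes=True).encode()


def resolve_cid(msg, uri):
    """Minimal cid: URI resolver over a multipart/related message (req 1)."""
    wanted = "<" + uri[len("cid:"):] + ">"
    for part in msg.walk():
        if part.get("Content-ID") == wanted:
            return part.get_payload(decode=True)
    raise KeyError(uri)


def digest_message(msg, part_uris):
    """Transformed first body part plus the selected cid: parts, length-prefixed."""
    envelope = msg.get_payload()[0].get_payload(decode=True)
    h = hashlib.sha256()
    for chunk in [transform_envelope(envelope)] + [resolve_cid(msg, u) for u in part_uris]:
        h.update(len(chunk).to_bytes(8, "big") + chunk)
    return h.hexdigest()


def build_message(envelope_xml, payloads):
    """Constructed multipart/related: envelope first, then one part per Content-ID."""
    msg = MIMEMultipart("related", type="text/xml")
    msg.attach(MIMEText(envelope_xml, "xml", "utf-8"))
    for cid, data in payloads.items():
        part = MIMEApplication(data, "octet-stream")
        part["Content-ID"] = f"<{cid}>"
        msg.attach(part)
    return msg


# Constructed sample: one ultimate-node block, one next-hop routing block, and a
# Manifest referencing the second body part by cid: URI (namespaces are made up).
NEXT = 'soap:actor="http://schemas.xmlsoap.org/soap/actor/next"'
ENVELOPE = f"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <eb:MessageHeader xmlns:eb="urn:example:eb" soap:mustUnderstand="1">
      <eb:MessageId>mid-1</eb:MessageId>
    </eb:MessageHeader>
    <via:Route xmlns:via="urn:example:via" {NEXT}>hop-a</via:Route>
  </soap:Header>
  <soap:Body>
    <eb:Manifest xmlns:eb="urn:example:eb"><eb:Reference href="cid:payload-1"/></eb:Manifest>
  </soap:Body>
</soap:Envelope>"""
PAYLOAD = b'<order id="42"><item sku="A1"/></order>'


def check_requirements():
    """Per change a hop might make: True = digest unchanged, False = signature breaks."""
    base = digest_message(build_message(ENVELOPE, {"payload-1": PAYLOAD}), ["cid:payload-1"])

    def unchanged(envelope=ENVELOPE, payload=PAYLOAD):
        msg = build_message(envelope, {"payload-1": payload})
        return digest_message(msg, ["cid:payload-1"]) == base

    def add_block(block):
        return ENVELOPE.replace("</soap:Header>", block + "</soap:Header>")

    return {
        "next-hop block added (req 2)": unchanged(add_block(f'<t:Trace xmlns:t="urn:example:t" {NEXT}>hop-b</t:Trace>')),
        "second signature added (req 3)": unchanged(add_block(f'<ds:Signature xmlns:ds="{DSIG}"><ds:SignatureValue>x</ds:SignatureValue></ds:Signature>')),
        "ultimate-node block injected (req 6)": unchanged(add_block('<x:Injected xmlns:x="urn:example:x">by a hop</x:Injected>')),
        "element deleted from envelope (req 5)": unchanged(ENVELOPE.replace("<eb:MessageId>mid-1</eb:MessageId>", "")),
        "payload part altered (req 4)": unchanged(payload=PAYLOAD + b"<!-- appended -->"),
        "mustUnderstand respelt 1 -> true": unchanged(ENVELOPE.replace('soap:mustUnderstand="1"', 'soap:mustUnderstand="true"')),
        "whitespace and line endings changed": unchanged(ENVELOPE.replace("\n  ", "\n\t").replace("\n", "\r\n")),
    }
```

check_requirements() returns one boolean per scenario: the next-hop block, the second signature, the respelt mustUnderstand and the reindented envelope leave the digest unchanged, while an injected ultimate-node block, a deleted element and an altered payload part change it. Two simplifications to keep in mind before reusing the idea: excluding every ds:Signature block is the simplest reading of requirement 3 (each signature is then independent of the others), and a block addressed to the SOAP "next" actor is treated as intermediary-targeted even when the next node happens to be the ultimate one, which is what the requirements ask for but means such blocks get no protection from the signature.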