Subject: RE: [wsi_secprofile] RE: FW: WSS27 issue
Hi Ian,

Gudge is right. EbMS is not assuming that the signature is in a
separate MIME part. WSS defines a SOAP header block and whether using
SWA or not, the wsse:security block is in the
soap:envelope/soap:header contents.

Dale

-----Original Message-----
From: Martin Gudgin [mailto:mgudgin@microsoft.com]
Sent: Thursday, March 18, 2004 9:50 AM
To: dave.prout@bt.com; wsi_secprofile@lists.ws-i.org
Subject: [wsi_secprofile] RE: FW: WSS27 issue

The assumption below regarding placement of the signature is
incorrect. Our detached signatures are detached not because they
appear in a separate XML document but because they are not enveloped
or enveloping. They still appear in the same XML document as the
Header or Body being signed.

Gudge

> -----Original Message-----
> From: dave.prout@bt.com [mailto:dave.prout@bt.com]
> Sent: 18 March 2004 08:08
> To: wsi_secprofile@lists.ws-i.org
> Subject: [wsi_secprofile] FW: WSS27 issue
>
> Response from ebXML people
>
> -----Original Message-----
> From: Jones,IC,Ian,XJH4 JONESI R
> Sent: Thu 18/03/2004 15:54
> To: Prout,DA,Dave,XSJ67 PROUTDA R
> Cc:
> Subject: RE: [wsi_secprofile] WSS27 issue
>
> Dave,
>
> what you wrote was sufficient. I have asked the membership to
> comment and I have attached some links to the comments for you to
> see. The current view appears to be that if WSI decides to have a
> separate signature (and we assume it is in a separate mime part)
> then we will write future versions to either behaviour in a
> compatible manner or we will state how and why we differ. We also
> have the possibility to use the signature methods in our current
> version 2 in future versions for backward compatibility if people
> want to use envelope signatures. Any further comments will also
> appear on the listserver as those below which is public readable.
>
> http://lists.oasis-open.org/archives/ebxml-msg/200403/msg00022.html
> http://lists.oasis-open.org/archives/ebxml-msg/200403/msg00021.html
> http://lists.oasis-open.org/archives/ebxml-msg/200403/msg00019.html
>
> Regards
> Ian Jones
>
> -----Original Message-----
> From: Prout,DA,Dave,XSJ67 PROUTDA R
> Sent: Thu 18/03/2004 15:21
> To: Jones,IC,Ian,XJH4 JONESI R
> Cc:
> Subject: RE: [wsi_secprofile] WSS27 issue
>
> Ian,
>
> As I said, my Action Point is to write to the relevant ebXML TC head
> to obtain feedback. I'm quite new to this, is there a formal way I
> need to do this, or is my previous note to you sufficient? Or do I
> have to ask the chair of my Working Group to write instead?
>
> Thanks
>
> Dave Prout
>
> -----Original Message-----
> From: Prout,DA,Dave,XSJ67 PROUTDA R
> Sent: Tue 16/03/2004 18:35
> To: Jones,IC,Ian,XJH4 JONESI R
> Cc:
> Subject: RE: [wsi_secprofile] WSS27 issue
>
> Ian,
>
> This is the relevant part from our Draft Profile
>
> 8.1 General Constraints on XML Signature
>
> 8.1.1 Use Detached Signatures
>
> Due to the nature of the SOAP processing model, which is based on
> recognising the elements that are children of soap:Header and/or
> soap:Body use of enveloping signatures, where the signed XML is
> encapsulated in a ds:Signature element, is inappropriate. Similarly,
> the definition of SOAP headers and body content will typically not
> anticipate the presence of ds:Signature as a child element, so
> enveloped signatures are also inappropriate. Consequently this
> profile mandates use of detached signatures.
>
> R3102 XML Signatures in a MESSAGE MUST be Detached Signatures as
> defined by the XML Signature specification.
>
> Neither enveloping nor enveloped signatures are supported.
>
> Regards
>
> Dave
>
> -----Original Message-----
> From: Prout,DA,Dave,XSJ67 PROUTDA R
> Sent: Tue 16/03/2004 18:19
> To: Jones,IC,Ian,XJH4 JONESI R
> Cc:
> Subject: RE: [wsi_secprofile] WSS27 issue
>
> Ian,
>
> The debate is happening right now. We want to say that you can only
> use detached signatures, not enveloped or enveloping. Frederick from
> Nokia is saying that some people want to use enveloped, signing the
> whole SOAP envelope. But if you do that intermediaries can't add
> headers.
>
> I've just been given an AP to seek feedback from the ebXML community
> on this!
>
> Thanks
>
> Dave
>
> -----Original Message-----
> From: Jones,IC,Ian,XJH4 JONESI R
> Sent: Tue 16/03/2004 17:08
> To: Prout,DA,Dave,XSJ67 PROUTDA R
> Cc:
> Subject: FW: [wsi_secprofile] WSS27 issue
>
> Dave,
>
> Martin forwarded this to me as the Chair of the OASIS TC that wrote
> the specification. I may not fully understand what the Nokia guy is
> asking but here is how and why ebXML messaging works that way:
> A need to sign the entire message to detect tamper was required but
> as the SOAP Actor="Next" was allowed and used by the spec so any item
> that used this must be excluded as they may be removed or added
> during an end to end process. The level of signature needed to cover
> either the attached payload (out of scope) or the complete header or
> both.
>
> People have never been entirely satisfied with this solution and
> vendors have made some minor tweaks in their solutions (I have been
> told but have seen or used any with signatures)
>
> We have a possible work item for version 3 of the spec. to migrate to
> using the Web services security features defined elsewhere. Exactly
> what we would use and how are to be defined. If anyone wants to give
> us suggestions or help we would appreciate it.
>
> Dave please come back to me if I can shed any light on this. 2 other
> people at the meeting who can probably shed light on this (if they
> are present) are Doug Bunting (Sun) and Dale Moberg (Cyclone
> Commerce). If Chris Ferris (IBM) is present he could give you all the
> reasons, he wrote that bit of the spec. when he worked for Sun.
>
> Regards,
>
> Ian Jones
> E-Commerce Engineer
>
> -----Original Message-----
> From: Roberts,MME,Martin,XSG3 R
> Sent: Tue 16/03/2004 16:48
> To: Jones,IC,Ian,XJH4 JONESI R
> Cc:
> Subject: FW: [wsi_secprofile] WSS27 issue
>
> Ian can you respond please
>
> Martin Roberts
> xml designer,
> BT Exact
> e-mail: martin.me.roberts@bt.com
> tel: +44(0) 1473 609785
> clickdial <http://clickdial.bt.co.uk/clickdial?001609785.cld>
> fax: +44(0) 1473 609834
> Intranet Site: http://twiki.btlabs.bt.co.uk/twiki
>
> -----Original Message-----
> From: Prout,DA,Dave,XSJ67 PROUTDA R
> Sent: 16 March 2004 16:00
> To: Roberts,MME,Martin,XSG3 R
> Subject: FW: [wsi_secprofile] WSS27 issue
>
> Martin,
>
> I'm at the WS-I Plenary in Vancouver. I wondered if you could make
> sense of Nokia's suggestion below?
>
> Dave
>
> -----Original Message-----
> From: Frederick.Hirsch@nokia.com [mailto:Frederick.Hirsch@nokia.com]
> Sent: Mon 15/03/2004 20:50
> To: wsi_secprofile@lists.ws-i.org
> Cc:
> Subject: [wsi_secprofile] WSS27 issue
>
> >Enveloped signatures:
> >Discussion back and forth about whether signing entire message is
> >useful.
> >Frederick requests to reopen WSS27.
>
> I note that ebXML specifies a ds:Reference of "" to sign the entire
> SOAP envelope in the ebXML Header part. This might be an argument for
> allowing enveloped signature so that ebXML could transition to SOAP
> Message Security using the BSP profile.
>
> See line 1161 in section 5.1.3 of
>
> http://www.oasis-open.org/committees/download.php/5636/wd-ebMS-2_1-02.pdf
>
> regards, Frederick
>
> Frederick Hirsch
> Nokia
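
Added example, not part of the thread or of the WS-I profile text: a structural check for the three signature forms discussed above (R3102 permits only detached), classifying each ds:Reference by where its target sits relative to the ds:Signature. The function names, the sample envelope and its unqualified Security element are constructed for illustration, and no signature value is verified.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# Constructed sample; the unqualified Security element stands in for wsse:Security.
SAMPLE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <soap:Header><Security><ds:Signature><ds:SignedInfo>
   <ds:Reference URI="#body"/><ds:Reference URI=""/><ds:Reference URI="#obj"/>
  </ds:SignedInfo><ds:Object Id="obj"/></ds:Signature></Security></soap:Header>
 <soap:Body Id="body"/></soap:Envelope>"""

def _find_by_id(root, wanted):
    # Any attribute whose local name is "Id" counts (covers Id and wsu:Id).
    for el in root.iter():
        if any(n.rpartition("}")[2].lower() == "id" and v == wanted
               for n, v in el.attrib.items()):
            return el
    return None

def _kind(uri, root, inside, ancestors):
    if uri is None:
        return "unresolved"            # target is application-defined
    if uri == "":
        return "enveloped"             # whole document, signature included
    if not uri.startswith("#"):
        return "detached"              # external resource, e.g. a MIME part
    target = _find_by_id(root, uri[1:])
    if target is None:
        return "unresolved"
    if target in inside:
        return "enveloping"            # signed data lives under ds:Signature
    return "enveloped" if target in ancestors else "detached"

def classify_references(xml_text):
    """Return [(URI, kind)] for each ds:Reference; structure only, no crypto."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    out = []
    for sig in root.iter(DS + "Signature"):
        ancestors, node = set(), sig
        while node in parent:          # walk up to the document root
            node = parent[node]
            ancestors.add(node)
        inside = set(sig.iter()) - {sig}
        for ref in sig.iter(DS + "Reference"):
            out.append((ref.get("URI"), _kind(ref.get("URI"), root, inside, ancestors)))
    return out

def r3102_violations(xml_text):
    return [(u, k) for u, k in classify_references(xml_text) if k != "detached"]
```

In the sample, the `#body` reference is detached in the sense Gudge describes (same document, sibling of the header), while the `""` reference is the ebXML-style whole-envelope form that R3102 would reject.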