ebxml-msg message



Subject: Re: [ebxml-msg] RE: [wsi_secprofile] RE: FW: WSS27 issue


Dale and Gudge,

Thank you for the clarification.  It may have been my misunderstanding that 
led to the idea we (the ebXML Messaging TC) would have to recommend putting 
a detached signature into a separate MIME part.  I came to that because I 
could not see (and still am not sure I understand) how to sign the entire 
SOAP envelope, less the signature and any soap:actor='next' headers, using 
a detached signature carried in the SOAP header itself.

The current (ebXML Messaging 2.0) approach is to use an enveloped signature 
and XSLT transform that removes the signature and parts intermediaries may 
change.  One approach using a detached signature would explicitly sign the 
individual SOAP headers of interest and the SOAP body but that approach 
would not result in a signature validation fault if an intermediary 
inserted a new SOAP header directed to the final destination.  I went from 
that not seeming to be the best option to putting a detached signature 
referencing the entire SOAP envelope (with a nearly identical XSLT 
'exclusion' transform to what is in the protocol today) into a separate 
MIME part.  What are some other options?

thanx,
	doug

On 18-Mar-04 10:27, Dale Moberg wrote:

> Hi Ian,
> 
> Gudge is right. 
> 
> EbMS is not assuming that the signature is in a separate MIME part. WSS
> defines a
> SOAP header block and whether using SWA or not, the wsse:security block
> is in the soap:envelope/soap:header contents.
> 
> Dale
> 
> -----Original Message-----
> From: Martin Gudgin [mailto:mgudgin@microsoft.com] 
> Sent: Thursday, March 18, 2004 9:50 AM
> To: dave.prout@bt.com; wsi_secprofile@lists.ws-i.org
> Subject: [wsi_secprofile] RE: FW: WSS27 issue
> 
> 
> The assumption below regarding placement of the signature is incorrect.
> Our detached signatures are detached not because they appear in a
> separate XML document but because they are not enveloped or enveloping.
> They still appear in the same XML document as the Header or Body being
> signed.
> 
> Gudge
> 
> 
>>-----Original Message-----
>>From: dave.prout@bt.com [mailto:dave.prout@bt.com]
>>Sent: 18 March 2004 08:08
>>To: wsi_secprofile@lists.ws-i.org
>>Subject: [wsi_secprofile] FW: WSS27 issue
>>
>>Response from ebXML people
>>
>>	-----Original Message----- 
>>	From: Jones,IC,Ian,XJH4 JONESI R 
>>	Sent: Thu 18/03/2004 15:54 
>>	To: Prout,DA,Dave,XSJ67 PROUTDA R 
>>	Cc: 
>>	Subject: RE: [wsi_secprofile] WSS27 issue
>>	
>>	
>>	Dave,
>>	 
>>	         what you wrote was sufficient.  I have asked
>>the membership to comment and I have attached some links to 
>>the comments for you to see.  The current view appears to be 
>>that if WSI decides to have a separate signature (and we 
>>assume it is in a separate MIME part) then we will either write 
>>future versions to behave in a compatible manner or 
>>we will state how and why we differ.  We also have the 
>>possibility to use the signature methods in our current 
>>version 2 in future versions for backward compatibility if 
>>people want to use enveloped signatures.  Any further comments 
>>will also appear on the list server, as those below, which is 
>>publicly readable.
>>	 
>>	
>>http://lists.oasis-open.org/archives/ebxml-msg/200403/msg00022.html
>>	
>>http://lists.oasis-open.org/archives/ebxml-msg/200403/msg00021.html
>>	
>>http://lists.oasis-open.org/archives/ebxml-msg/200403/msg00019.html
>>	 
>>	Regards
>>	Ian Jones
>>
>>		-----Original Message----- 
>>		From: Prout,DA,Dave,XSJ67 PROUTDA R 
>>		Sent: Thu 18/03/2004 15:21 
>>		To: Jones,IC,Ian,XJH4 JONESI R 
>>		Cc: 
>>		Subject: RE: [wsi_secprofile] WSS27 issue
>>		
>>		
>>		Ian,
>>		 
>>		As I said, my Action Point is to write to the
>>relevant ebXML TC head to obtain feedback. I'm quite new to 
>>this, is there a formal way I need to do this, or is my 
>>previous note to you sufficient? Or do I have to ask the 
>>chair of my Working Group to write instead?
>>		 
>>		Thanks
>>		 
>>		Dave Prout
>>
>>			-----Original Message----- 
>>			From: Prout,DA,Dave,XSJ67 PROUTDA R 
>>			Sent: Tue 16/03/2004 18:35 
>>			To: Jones,IC,Ian,XJH4 JONESI R 
>>			Cc: 
>>			Subject: RE: [wsi_secprofile] WSS27 issue
>>			
>>			
>>			Ian,
>>			 
>>			This is the relevant part from our Draft Profile
>>			 
>>
>>			8.1 General Constraints on XML Signature
>>
>>
>>			8.1.1 Use Detached Signatures
>>
>>
>>			Due to the nature of the SOAP
>>processing model, which is based on recognising the elements 
>>that are children of soap:Header and/or soap:Body use of 
>>enveloping signatures, where the signed XML is encapsulated 
>>in a ds:Signature element, is inappropriate. Similarly, the 
>>definition of SOAP headers and body content will typically 
>>not anticipate the presence of ds:Signature as a child 
>>element, so enveloped signatures are also inappropriate. 
>>Consequently this profile mandates use of detached signatures.
>>
>>			R3102 XML Signatures in a MESSAGE MUST
>>be Detached Signatures as defined by the XML Signature specification. 
>>
>>			Neither enveloping nor enveloped
>>signatures are supported.
>>
>>			Regards
>>
>>			Dave
>>
>>			 
>>
>>				-----Original Message----- 
>>				From: Prout,DA,Dave,XSJ67 PROUTDA R 
>>				Sent: Tue 16/03/2004 18:19 
>>				To: Jones,IC,Ian,XJH4 JONESI R 
>>				Cc: 
>>				Subject: RE: [wsi_secprofile]
>>WSS27 issue
>>				
>>				
>>				Ian,
>>				 
>>				The debate is happening right
>>now. We want to say that you can only use detached 
>>signatures, not enveloped or enveloping. Frederick from Nokia 
>>is saying that some people want to use enveloped, signing 
>>the whole SOAP envelope. But if you do that intermediaries 
>>can't add headers.
>>				 
>>				I've just been given an AP to
>>seek feedback from the ebXML community on this ! 
>>				 
>>				Thanks
>>				 
>>				Dave
>>
>>					-----Original Message----- 
>>					From: Jones,IC,Ian,XJH4
>>JONESI R 
>>					Sent: Tue 16/03/2004 17:08 
>>					To: Prout,DA,Dave,XSJ67 
>>PROUTDA R 
>>					Cc: 
>>					Subject: FW: 
>>[wsi_secprofile] WSS27 issue
>>					
>>					
>>					Dave,
>>					 
>>					         Martin
>>forwarded this to me as the Chair of the OASIS TC that wrote 
>>the specification.  I may not fully understand what the Nokia 
>>guy is asking but here is how and why ebXML messaging works that way:
>>					A need to sign the 
>>entire message to detect tampering was required, but as SOAP 
>>Actor="Next" was allowed and used by the spec, any item 
>>that used this had to be excluded as it may be removed or 
>>added during an end-to-end process.  The level of signature 
>>needed to cover either the attached payload (out of scope) or 
>>the complete header or both.
>>					 
>>					People have never been
>>entirely satisfied with this solution and vendors have made 
>>some minor tweaks in their solutions (I have been told, but 
>>have not seen or used any with signatures).
>>					 
>>					We have a possible work
>>item for version 3 of the spec. to migrate to using the Web 
>>services security features defined elsewhere.  Exactly what 
>>we would use and how are to be defined.  If anyone wants to 
>>give us suggestions or help we would appreciate it. 
>>					 
>>					Dave, please come back
>>to me if I can shed any light on this.  Two other people at the 
>>meeting who can probably shed light on this (if they are 
>>present) are Doug Bunting (Sun) and Dale Moberg (Cyclone 
>>Commerce).  If Chris Ferris (IBM) is present he could give 
>>you all the reasons he wrote that bit of the spec. when 
>>he worked for Sun.
>>					 
>>					Regards,
>>					 
>>					Ian Jones
>>					E-Commerce Engineer
>>
>>					-----Original Message----- 
>>					From: Roberts,MME,Martin,XSG3 R 
>>					Sent: Tue 16/03/2004 16:48 
>>					To: Jones,IC,Ian,XJH4 JONESI R 
>>					Cc: 
>>					Subject: FW:
>>[wsi_secprofile] WSS27 issue
>>					
>>					
>>					Ian can you respond please
>>					 
>>					 
>>
>>					Martin Roberts
>>					xml designer,
>>					BT Exact
>>					e-mail: martin.me.roberts@bt.com
>>					tel: +44(0) 1473 609785
>> clickdial <http://clickdial.bt.co.uk/clickdial?001609785.cld> 
>>					fax: +44(0) 1473 609834
>>					Intranet Site 
>>:http://twiki.btlabs.bt.co.uk/twiki 
>>
>>					-----Original Message-----
>>					From:
>>Prout,DA,Dave,XSJ67 PROUTDA R 
>>					Sent: 16 March 2004 16:00
>>					To: Roberts,MME,Martin,XSG3 R
>>					Subject: FW: 
>>[wsi_secprofile] WSS27 issue
>>					
>>					
>>					Martin,
>>					 
>>					I'm at the WS-I Plenary
>>in Vancouver. I wondered if you could make sense of Nokia's 
>>suggestion below ?
>>					 
>>					Dave
>>
>>					-----Original Message----- 
>>					From:
>>Frederick.Hirsch@nokia.com [mailto:Frederick.Hirsch@nokia.com] 
>>					Sent: Mon 15/03/2004 20:50 
>>					To: 
>>wsi_secprofile@lists.ws-i.org 
>>					Cc: 
>>					Subject: 
>>[wsi_secprofile] WSS27 issue
>>					
>>					
>>					
>>					
>>
>>					>Enveloped signatures:
>>					>Discussion back and
>>forth about whether signing entire message is
>>					>useful.
>>					>Frederick requests to 
>>reopen WSS27.
>>					
>>					I note that ebXML
>>specifies a ds:Reference of "" to sign the entire SOAP 
>>envelope in the ebXML Header part. This might
>>					be an argument for 
>>allowing enveloped signature so that ebXML could transition 
>>to SOAP Message Security using the BSP profile.
>>					
>>					See line 1161 in
>>section 5.1.3 of
>>
>>					
>>http://www.oasis-open.org/committees/download.php/5636/wd-ebMS
>>-2_1-02.pdf
>>
>>					
>>					regards, Frederick
>>					
>>					Frederick Hirsch
>>					Nokia
>>					
>>					
>>					
>>
>>
> 
> 
> 


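Added example (not from this thread, and not ebXML MS or WS-Security code): a Python model of the two strategies Doug contrasts above, the ebMS 2.0 style Reference URI="" with an exclusion transform versus a WSS-style detached signature over selected wsu:Id elements. It runs both against three message edits: an intermediary that appends a soap:actor="next" header, an attacker on the path that inserts an unsigned end-to-end header, and a change to the body. Assumptions, all mine: the XSLT exclusion transform is re-implemented as a Python function; HMAC-SHA256 stands in for the RSA SignatureMethod and ds:SignedInfo/KeyInfo are omitted; canonicalization uses the standard library's C14N 2.0 rather than the C14N 1.0 of the time; the envelope, namespaces, Ids and key are constructed for the example.

```python
# Added example, not code from the thread, ebXML MS 2.0 or WS-Security.
# Standard library only (Python 3.8+ for ElementTree.canonicalize).
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
ACTOR_NEXT = "http://schemas.xmlsoap.org/soap/actor/next"
KEY = b"constructed-demo-key"  # assumption: HMAC secret stands in for an RSA key pair

# Constructed sample envelope (ids and namespaces made up for this example):
# one end-to-end header, one hop-by-hop (actor="next") header, and a body.
ENVELOPE = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsu="{WSU}">
  <soap:Header>
    <eb:MessageHeader xmlns:eb="urn:example:eb" wsu:Id="hdr1">
      <eb:Action>Ship</eb:Action>
    </eb:MessageHeader>
    <tr:Trace xmlns:tr="urn:example:trace" soap:actor="{ACTOR_NEXT}">hop0</tr:Trace>
  </soap:Header>
  <soap:Body wsu:Id="body"><po>order-42</po></soap:Body>
</soap:Envelope>"""


def c14n(el) -> bytes:
    """Canonicalize a subtree (stdlib C14N 2.0, my stand-in for the spec's C14N 1.0).
    strip_text/rewrite_prefixes make the digest insensitive to whitespace and
    prefix choices that an intermediary's re-serialization might change."""
    text = ET.canonicalize(ET.tostring(el, encoding="unicode"),
                           strip_text=True, rewrite_prefixes=True)
    return text.encode()


def exclusion_transform(envelope_xml: str) -> bytes:
    """My Python re-implementation of the ebXML MS 2.0 XSLT 'exclusion' transform:
    drop every ds:Signature and every soap:Header child addressed to the SOAP
    'next' actor, because intermediaries may legitimately add or remove those."""
    root = ET.fromstring(envelope_xml)
    parent = {child: p for p in root.iter() for child in p}
    for sig in list(root.iter(f"{{{DS}}}Signature")):
        parent[sig].remove(sig)
    header = root.find(f"{{{SOAP}}}Header")
    if header is not None:
        for child in list(header):
            if child.get(f"{{{SOAP}}}actor") == ACTOR_NEXT:
                header.remove(child)
    return c14n(root)


def _mac(data: bytes) -> str:
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()


def sign_whole_envelope(envelope_xml: str) -> str:
    """Reference URI="" plus exclusion transform: one digest over everything an
    intermediary is not allowed to touch (the ebXML MS 2.0 style)."""
    return _mac(hashlib.sha256(exclusion_transform(envelope_xml)).digest())


def verify_whole_envelope(envelope_xml: str, sig: str) -> bool:
    return hmac.compare_digest(sign_whole_envelope(envelope_xml), sig)


def sign_selected(envelope_xml: str, ids) -> str:
    """Detached signature in the WSS style: one Reference per wsu:Id, each
    digesting only that element, so anything outside those elements is unsigned."""
    root = ET.fromstring(envelope_xml)
    by_id = {el.get(f"{{{WSU}}}Id"): el for el in root.iter() if el.get(f"{{{WSU}}}Id")}
    refs = b"".join(hashlib.sha256(c14n(by_id[i])).digest() for i in ids)
    return _mac(refs)


def verify_selected(envelope_xml: str, ids, sig: str) -> bool:
    return hmac.compare_digest(sign_selected(envelope_xml, ids), sig)


# --- edits an intermediary, or an attacker on the path, can make in transit ---

def _edit(envelope_xml: str, fn) -> str:
    root = ET.fromstring(envelope_xml)
    fn(root)
    return ET.tostring(root, encoding="unicode")


def add_hop_header(envelope_xml: str) -> str:
    """Legitimate: a hop appends its own actor="next" header."""
    def fn(root):
        el = ET.SubElement(root.find(f"{{{SOAP}}}Header"), "{urn:example:trace}Trace")
        el.set(f"{{{SOAP}}}actor", ACTOR_NEXT)
        el.text = "hop1"
    return _edit(envelope_xml, fn)


def inject_end_to_end_header(envelope_xml: str) -> str:
    """Hostile: a header with no actor, i.e. addressed to the ultimate receiver."""
    def fn(root):
        el = ET.SubElement(root.find(f"{{{SOAP}}}Header"), "{urn:example:eb}AckRequested")
        el.text = "signed=false"
    return _edit(envelope_xml, fn)


def tamper_body(envelope_xml: str) -> str:
    def fn(root):
        root.find(f"{{{SOAP}}}Body/po").text = "order-99"
    return _edit(envelope_xml, fn)


def run_scenarios() -> dict:
    ids = ["hdr1", "body"]
    whole, parts = sign_whole_envelope(ENVELOPE), sign_selected(ENVELOPE, ids)
    return {
        "whole_after_hop_header": verify_whole_envelope(add_hop_header(ENVELOPE), whole),
        "whole_after_injected_header": verify_whole_envelope(inject_end_to_end_header(ENVELOPE), whole),
        "parts_after_injected_header": verify_selected(inject_end_to_end_header(ENVELOPE), ids, parts),
        "whole_after_body_tamper": verify_whole_envelope(tamper_body(ENVELOPE), whole),
        "parts_after_body_tamper": verify_selected(tamper_body(ENVELOPE), ids, parts),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'valid' if ok else 'INVALID'}")
```

Running it shows the gap Doug describes: the selected-parts signature stays valid after the hostile end-to-end header is inserted, while the whole-envelope signature rejects that message yet still verifies after the legitimate actor="next" header was appended. Both reject the body change.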