ebxml-msg message



Subject: Re: [ebxml-msg] RE: [wsi_secprofile] RE: FW: WSS27 issue


Martin,

Thank you for your response.  At this point, I feel assured options are 
available to the ebXML Messaging TC.  I would appreciate some additional 
explanation however.

Your email certainly answers my question on other options but raises 
additional questions on how these slightly more complicated XPath 
transforms become more interoperable than an enveloped signature.  I am now 
wondering what the underlying issue is that the BSP WG has addressed.  That 
is, why is

<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
   <XPath> not (
ancestor-or-self::node()[@SOAP:actor="urn:oasis:names:tc:ebxml-msg:actor:nextMSH"]
|
ancestor-or-self::node()[@SOAP:actor="http://schemas.xmlsoap.org/soap/actor/next"]
)
   </XPath>
</Transform>
<Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>

worse in some manner than

<Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
   <XPath> /soap:Envelope/soap:Header/*[count(@soap:actor) = 0 ***] |
/soap:Envelope/soap:Header/*[@soap:actor='http://schemas.xmlsoap.org/soap/ultimateReceiver']
| /soap:Envelope/soap:Body/*
   </XPath>
</Transform>
<Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>

[1]?

I do understand that our current option signs the soap:Envelope, 
soap:Header and soap:Body elements themselves.  The replacement could use 
"/soap:Envelope/soap:Body" (I guess) but cannot sign the envelope.  Now 
that I am thinking along these lines, the replacement could use the 
ancestor axis to exclude the signature: "| 
ancestor-or-self::node()[/soap:Envelope/soap:Header/ds:Signature]" in the 
original "not" clause.  This would seem to be a more complete approximation 
of the original two transforms.  The fact that it signs the top level 
elements seems like a minor change (a slight security enhancement??) but 
the performance of using the ancestor axis so much might be a problem.  If 
so, our original clause would have been slow as well.  Do we have enough 
operational experience with various XPath transforms to compare these options?

thanx,
	doug

[1] Where "***" is some additional XPath syntax I am not looking up at the 
moment that excludes the ds:Signature Header(s).  (Something like "&& 
not(/soap:Envelope/soap:Header/ds:Signature)" perhaps?)

On 19-Mar-04 08:39, Martin Gudgin wrote:

> Using the WS-I BSP of WSS you can sign the entire envelope using the
> XPath transform to exclude the signature from the appropriate digest (
> yes, this really makes the signature an enveloped signature ). That
> said, we don't see signing the entire envelope as being a general use
> case, mainly because of headers targeted at intermediaries ( like your
> example of 'next' ). Signing the entire security header has similar
> issues.
> 
> That said, one could use an Xpath transform, e.g.
> (/soap:Envelope/soap:Header/* | /soap:Envelope/soap:Body/*) to build a
> digest that would detect insertion/deletion of headers.
> 
> One could use (/soap:Envelope/soap:Header/*[count(@soap:actor) = 0] |
> /soap:Envelope/soap:Header/*[@soap:actor='http://schemas.xmlsoap.org/soap/ultimateReceiver'] )
> to ensure that headers targeted at the ultimate
> receiver are not removed and that no additional headers are added.
> 
> Does this answer your question?
> 
> Gudge
> 
> 
>>-----Original Message-----
>>From: Doug.Bunting@Sun.COM [mailto:Doug.Bunting@Sun.COM] 
>>Sent: 18 March 2004 11:52
>>To: Dale Moberg
>>Cc: Martin Gudgin; dave.prout@bt.com; ebxml-msg@lists.oasis-open.org
>>Subject: Re: [ebxml-msg] RE: [wsi_secprofile] RE: FW: WSS27 issue
>>
>>Dale and Gudge,
>>
>>Thank you for the clarification.  It may have been my 
>>misunderstanding that led to the idea we (the ebXML Messaging 
>>TC) would have to recommend putting a detached signature into 
>>a separate MIME part.  I came to that because I could not see 
>>(and still am not sure I understand) how to sign the entire 
>>SOAP envelope, less the signature and any soap:actor='next' 
>>headers, using a detached signature carried in the SOAP header itself.
>>
>>The current (ebXML Messaging 2.0) approach is to use an 
>>enveloped signature and XSLT transform that removes the 
>>signature and parts intermediaries may change.  One approach 
>>using a detached signature would explicitly sign the 
>>individual SOAP headers of interest and the SOAP body but 
>>that approach would not result in a signature validation 
>>fault if an intermediary inserted a new SOAP header directed 
>>to the final destination.  I went from that not seeming to be 
>>the best option to putting a detached signature referencing 
>>the entire SOAP envelope (with a nearly identical XSLT 
>>'exclusion' transform to what is in the protocol today) into 
>>a separate MIME part.  What are some other options?
>>
>>thanx,
>>	doug
>>
>>On 18-Mar-04 10:27, Dale Moberg wrote:
>>
>>
>>>Hi Ian,
>>>
>>>Gudge is right. 
>>>
>>>EbMS is not assuming that the signature is in a separate MIME part. 
>>>WSS defines a SOAP header block and whether using SWA or not, the 
>>>wsse:security block is in the soap:envelope/soap:header contents.
>>>
>>>Dale
>>>
>>>-----Original Message-----
>>>From: Martin Gudgin [mailto:mgudgin@microsoft.com]
>>>Sent: Thursday, March 18, 2004 9:50 AM
>>>To: dave.prout@bt.com; wsi_secprofile@lists.ws-i.org
>>>Subject: [wsi_secprofile] RE: FW: WSS27 issue
>>>
>>>
>>>The assumption below regarding placement of the signature is incorrect.
>>>
>>>Our detached signatures are detached not because they appear in a 
>>>separate XML document but because they are not enveloped or enveloping.
>>>They still appear in the same XML document as the Header or Body being 
>>>signed.
>>>
>>>Gudge
>>>
>>>
>>>
>>>>-----Original Message-----
>>>>From: dave.prout@bt.com [mailto:dave.prout@bt.com]
>>>>Sent: 18 March 2004 08:08
>>>>To: wsi_secprofile@lists.ws-i.org
>>>>Subject: [wsi_secprofile] FW: WSS27 issue
>>>>
>>>>Response from ebXML people
>>>>
>>>>	-----Original Message----- 
>>>>	From: Jones,IC,Ian,XJH4 JONESI R 
>>>>	Sent: Thu 18/03/2004 15:54 
>>>>	To: Prout,DA,Dave,XSJ67 PROUTDA R 
>>>>	Cc: 
>>>>	Subject: RE: [wsi_secprofile] WSS27 issue
>>>>	
>>>>	
>>>>	Dave,
>>>>	 
>>>>	         what you wrote was sufficient.  I have asked the membership 
>>>>to comment and I have attached some links to the comments for you to 
>>>>see.  The current view appears to be that if WSI decides to have a 
>>>>separate signature (and we assume it is in a separate mime part) then 
>>>>we will write future versions to either behaviour in a compatible 
>>>>manner or we will state how and why we differ.  We also have the 
>>>>possibility to use the signature methods in our current version 2 in 
>>>>future versions for backward compatibility if people want to use 
>>>>envelope signatures.  Any further comments will also appear on the 
>>>>listserver as those below which is publicly readable.
>>>>	 
>>>>	
>>>>http://lists.oasis-open.org/archives/ebxml-msg/200403/msg00022.html
>>>>	
>>>>http://lists.oasis-open.org/archives/ebxml-msg/200403/msg00021.html
>>>>	
>>>>http://lists.oasis-open.org/archives/ebxml-msg/200403/msg00019.html
>>>>	 
>>>>	Regards
>>>>	Ian Jones
>>>>
>>>>		-----Original Message----- 
>>>>		From: Prout,DA,Dave,XSJ67 PROUTDA R 
>>>>		Sent: Thu 18/03/2004 15:21 
>>>>		To: Jones,IC,Ian,XJH4 JONESI R 
>>>>		Cc: 
>>>>		Subject: RE: [wsi_secprofile] WSS27 issue
>>>>		
>>>>		
>>>>		Ian,
>>>>		 
>>>>		As I said, my Action Point is to write to the relevant ebXML TC head 
>>>>to obtain feedback. I'm quite new to this, is there a formal way I 
>>>>need to do this, or is my previous note to you sufficient? Or do I 
>>>>have to ask the chair of my Working Group to write instead?
>>>>		 
>>>>		Thanks
>>>>		 
>>>>		Dave Prout
>>>>
>>>>			-----Original Message----- 
>>>>			From: Prout,DA,Dave,XSJ67 PROUTDA R 
>>>>			Sent: Tue 16/03/2004 18:35 
>>>>			To: Jones,IC,Ian,XJH4 JONESI R 
>>>>			Cc: 
>>>>			Subject: RE: [wsi_secprofile] WSS27 issue
>>>>			
>>>>			
>>>>			Ian,
>>>>			 
>>>>			This is the relevant part from our Draft Profile
>>>>			 
>>>>
>>>>			8.1 General Constraints on XML Signature
>>>>
>>>>
>>>>			8.1.1 Use Detached Signatures
>>>>
>>>>
>>>>			Due to the nature of the SOAP
>>>>processing model, which is based on recognising the elements that are 
>>>>children of soap:Header and/or soap:Body, use of enveloping signatures, 
>>>>where the signed XML is encapsulated in a ds:Signature element, is 
>>>>inappropriate. Similarly, the definition of SOAP headers and body 
>>>>content will typically not anticipate the presence of ds:Signature as 
>>>>a child element, so enveloped signatures are also inappropriate.
>>>>Consequently this profile mandates use of detached signatures.
>>>>
>>>>			R3102 XML Signatures in a MESSAGE MUST be Detached Signatures as 
>>>>defined by the XML Signature specification.
>>>>
>>>>			Neither enveloping nor enveloped
>>>>signatures are supported.
>>>>
>>>>			Regards
>>>>
>>>>			Dave
>>>>
>>>>			 
>>>>
>>>>				-----Original Message----- 
>>>>				From: Prout,DA,Dave,XSJ67 PROUTDA R 
>>>>				Sent: Tue 16/03/2004 18:19 
>>>>				To: Jones,IC,Ian,XJH4 JONESI R 
>>>>				Cc: 
>>>>				Subject: RE: [wsi_secprofile]
>>>>WSS27 issue
>>>>				
>>>>				
>>>>				Ian,
>>>>				 
>>>>				The debate is happening right
>>>>now. We want to say that you can only use detached signatures, not 
>>>>enveloped or enveloping. Frederick from Nokia is saying that some 
>>>>people want to use enveloped, signing the whole SOAP envelope. But if 
>>>>you do that intermediaries can't add headers.
>>>>				 
>>>>				I've just been given an AP to
>>>>seek feedback from the ebXML community on this! 
>>>>				 
>>>>				Thanks
>>>>				 
>>>>				Dave
>>>>
>>>>					-----Original Message----- 
>>>>					From: Jones,IC,Ian,XJH4
>>>>JONESI R 
>>>>					Sent: Tue 16/03/2004 17:08 
>>>>					To: Prout,DA,Dave,XSJ67
>>>>PROUTDA R 
>>>>					Cc: 
>>>>					Subject: FW: 
>>>>[wsi_secprofile] WSS27 issue
>>>>					
>>>>					
>>>>					Dave,
>>>>					 
>>>>					         Martin
>>>>forwarded this to me as the Chair of the OASIS TC that wrote the 
>>>>specification.  I may not fully understand what the Nokia guy is 
>>>>asking but here is how and why ebXML messaging works that way:
>>>>					A need to sign the
>>>>entire message to detect tamper was required but as the SOAP 
>>>>Actor="Next" was allowed and used by the spec so any item that used 
>>>>this must be excluded as they may be removed or added during an end to 
>>>>end process.  The level of signature needed to cover either the attached 
>>>>payload (out of scope) or the complete header or both.
>>>>					 
>>>>					People have never been
>>>>entirely satisfied with this solution and vendors have made some minor 
>>>>tweaks in their solutions (I have been told but have seen or used any 
>>>>with signatures)
>>>>					 
>>>>					We have a possible work
>>>>item for version 3 of the spec. to migrate to using the Web services 
>>>>security features defined elsewhere.  Exactly what we would use and 
>>>>how are to be defined.  If anyone wants to give us suggestions or help 
>>>>we would appreciate it.
>>>>					 
>>>>					Dave please come back
>>>>to me if I can shed any light on this. 2 other people at the meeting 
>>>>who can probably shed light on this (if they are
>>>>present) are Doug Bunting (Sun) and Dale Moberg (Cyclone Commerce).  
>>>>If Chris Ferris (IBM) is present he could give you all the 
>>>>reasons he wrote that bit of the spec. when he worked for Sun.
>>>>					 
>>>>					Regards,
>>>>					 
>>>>					Ian Jones
>>>>					E-Commerce Engineer
>>>>
>>>>					-----Original Message----- 
>>>>					From: Roberts,MME,Martin,XSG3 R 
>>>>					Sent: Tue 16/03/2004 16:48 
>>>>					To: Jones,IC,Ian,XJH4 JONESI R 
>>>>					Cc: 
>>>>					Subject: FW:
>>>>[wsi_secprofile] WSS27 issue
>>>>					
>>>>					
>>>>					Ian can you respond please
>>>>					 
>>>>					 
>>>>
>>>>					Martin Roberts
>>>>					xml designer,
>>>>					BT Exact
>>>>					e-mail: martin.me.roberts@bt.com
>>>>					tel: +44(0) 1473 609785
>>>>clickdial <http://clickdial.bt.co.uk/clickdial?001609785.cld> 
>>>>					fax: +44(0) 1473 609834
>>>>					Intranet Site
>>>>:http://twiki.btlabs.bt.co.uk/twiki
>>>>
>>>>					-----Original Message-----
>>>>					From:
>>>>Prout,DA,Dave,XSJ67 PROUTDA R 
>>>>					Sent: 16 March 2004 16:00
>>>>					To: Roberts,MME,Martin,XSG3 R
>>>>					Subject: FW: 
>>>>[wsi_secprofile] WSS27 issue
>>>>					
>>>>					
>>>>					Martin,
>>>>					 
>>>>					I'm at the WS-I Plenary
>>>>in Vancouver. I wondered if you could make sense of Nokia's suggestion 
>>>>below?
>>>>					 
>>>>					Dave
>>>>
>>>>					-----Original Message----- 
>>>>					From:
>>>>Frederick.Hirsch@nokia.com [mailto:Frederick.Hirsch@nokia.com] 
>>>>					Sent: Mon 15/03/2004 20:50 
>>>>					To: 
>>>>wsi_secprofile@lists.ws-i.org 
>>>>					Cc: 
>>>>					Subject: 
>>>>[wsi_secprofile] WSS27 issue
>>>>					
>>>>					
>>>>					
>>>>					
>>>>
>>>>					>Enveloped signatures:
>>>>					>Discussion back and
>>>>forth about whether signing entire message is
>>>>					>useful.
>>>>					>Frederick requests to
>>>>reopen WSS27.
>>>>					
>>>>					I note that ebXML
>>>>specifies a ds:Reference of "" to sign the entire SOAP envelope in the 
>>>>ebXML Header part. This might
>>>>					be an argument for
>>>>allowing enveloped signature so that ebXML could transition to SOAP 
>>>>Message Security using the BSP profile.
>>>>					
>>>>					See line 1161 in
>>>>section 5.1.3 of
>>>>
>>>>http://www.oasis-open.org/committees/download.php/5636/wd-ebMS-2_1-02.pdf
>>>>
>>>>					
>>>>					regards, Frederick
>>>>					
>>>>					Frederick Hirsch
>>>>					Nokia
>>>>					
>>>>					
>>>>					
>>>>
>>>>
>>>
>>>
>>
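An added example, not code from this thread or from either specification, to make the comparison Doug draws above concrete: the two filters are emulated over a constructed envelope in plain Python, because the standard library cannot evaluate these XPath expressions. The ebMS expression is applied as the per-node boolean test the 1999 XPath transform defines (a node is kept when the expression is true with that node as context), while Gudge's union is treated as a node set kept together with its descendants, which is my assumption (under the per-node boolean rule an absolute path that never refers to the context node would keep every node). The eb: namespace, the digest routine and the reading of Doug's "***" as "not ds:Signature" are placeholders.

```python
import hashlib
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
ACTOR = "{%s}actor" % SOAP
NEXT = "http://schemas.xmlsoap.org/soap/actor/next"
NEXT_MSH = "urn:oasis:names:tc:ebxml-msg:actor:nextMSH"
ULTIMATE = "http://schemas.xmlsoap.org/soap/ultimateReceiver"
DS_SIG = "{http://www.w3.org/2000/09/xmldsig#}Signature"
EB = "urn:example:ebxml-header"  # placeholder namespace; the envelope below is a constructed sample

ENVELOPE = """<soap:Envelope xmlns:soap="%s" xmlns:eb="%s" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <soap:Header><eb:MessageHeader><eb:MessageId>m1</eb:MessageId></eb:MessageHeader>
  <eb:AckRequested soap:actor="%s"/><eb:SyncReply soap:actor="%s"/>
  <ds:Signature><ds:SignatureValue>c2ln</ds:SignatureValue></ds:Signature></soap:Header>
 <soap:Body><eb:Manifest/></soap:Body></soap:Envelope>""" % (SOAP, EB, NEXT_MSH, ULTIMATE)

def _walk(elem, lineage=()):
    """Yield each element (elements only; no text or attribute nodes) with its ancestor-or-self chain."""
    lineage += (elem,)
    yield elem, lineage
    for child in elem:
        yield from _walk(child, lineage)

def ebms_node_set(root):
    """ebMS 2.0: enveloped-signature drops ds:Signature; keep a node iff no ancestor-or-self has actor next/nextMSH."""
    return [e for e, lin in _walk(root)
            if not any(a.tag == DS_SIG or a.get(ACTOR) in (NEXT, NEXT_MSH) for a in lin)]

def bsp_node_set(root):
    """Gudge's union ('***' read as 'not ds:Signature'): untargeted or ultimateReceiver Header children plus Body children, with descendants."""
    hdr = root.find("{%s}Header" % SOAP)
    tops = [h for h in hdr if h.tag != DS_SIG and h.get(ACTOR) in (None, ULTIMATE)]
    return [e for top in tops + list(root.find("{%s}Body" % SOAP)) for e, _ in _walk(top)]

def signed_names(selector):  # sorted local names of the elements a selector keeps from the sample
    return sorted(e.tag.rsplit("}", 1)[1] for e in selector(ET.fromstring(ENVELOPE)))

def digest(nodes):  # stand-in for c14n + DigestMethod: hash tag, sorted attributes and text of kept nodes
    h = hashlib.sha256()
    for e in nodes:
        h.update(repr((e.tag, sorted(e.attrib.items()), (e.text or "").strip())).encode())
    return h.hexdigest()

def detects_inserted_header(selector, actor=None):
    """True if inserting a Header child (optionally targeted via soap:actor) changes the selector's digest."""
    root = ET.fromstring(ENVELOPE)
    before = digest(selector(root))
    ET.SubElement(root.find("{%s}Header" % SOAP), "{%s}Injected" % EB, {ACTOR: actor} if actor else {})
    return digest(selector(root)) != before
```

signed_names() shows that only the ebMS variant covers the soap:Envelope, soap:Header and soap:Body elements themselves, and detects_inserted_header() shows that both selections change when an untargeted header is inserted but neither does for a header whose soap:actor is next or nextMSH.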

