[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: WSS1.0 vs WSS 1.1
Summary of the issue around WSS1.0/1.1 and (high level) proposal:
- Not many WSS1.1 implementations out there, compared to WSS1.0. Not much hint on upgrades to come (e.g. WSS4J).
- but security of attachments is supported by WSS1.1, not 1.0.
(1) the body of the specification will describe support for both WSS1.0 and WSS 1.1, along with the basic rule that over req-resp MEPs, the response must reuse by default the same version as the request.
(2) The gateway conformance profile (GCP1) will require support for both WSS1.0, and WSS1.1. In particular, WSS1.1 is required when signing attacht. Double support is generally not an issue: the advanced version also supports a previous version.
(3) In the run-time agreement - meaning at MSH level in the processing mode - the WSS version to be used for a business transaction between 2 partners is specified in the associated P-mode. This means that implementations that do not fully conform to GCP1 and only support WSS1.0, can still control their interoperability space by the means of the P-mode - e.g. only accepting - or requiring - agreements (and P-modes) with WSS1.0.
So which WSS version to use will be a parameter of the agreement between 2 parties. All MSHs will support WSS1.0 when sending/receiving, so this is the baseline for interoperability. Those transactions that need attacht security will specify this as part of the agreement / P-mode. It automatically means using WSS1.1. Over time, more MSHs will "fully conform" to GCP1, and support for WSS1.0 will be deprecated, without a need to upgrade the spec or the conf profile.