OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

ebxml-msg message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [ebxml-msg] Signing SOAP with Attachments Messages Transform Confusion

This came up before and as far as I remember, Pim and Dale agreed that the spec needs to be corrected to reflect WSS 1.1. In other words, all the reference to Attachment-Content-Only transform needs to be replaced by Attachment-Content-Signature transform.

P: +1.480.627.1857 | F: +1.480.627.1801
6811 E. Mayo Blvd., Suite 400
Phoenix, Arizona 85054
asako@us.axway.com - http://www.axway.com

-----Original Message-----
From: ebxml-msg@lists.oasis-open.org [mailto:ebxml-msg@lists.oasis-open.org] On Behalf Of Theo Kramer
Sent: Wednesday, August 14, 2013 2:09 AM
To: ebxml-msg@lists.oasis-open.org
Subject: [ebxml-msg] Signing SOAP with Attachments Messages Transform Confusion

There seems to be some confusion in the AS4 profile regarding the transforms used in signing SWA messages

Section 5.1.5 of the AS4 profile reads as follows

  Specification Reference: ebMS v3.0 Core Specification, Section 7.3

  Profiling Rule (a): AS4 MSH implementations are REQUIRED to use the Attachment-Content-Only transform when building application payloads using SOAP with Attachments [SOAPATTACH]. The Attachment-Complete transform is not supported by this profile.

And section 7.3 of the core spec reads as follows

  Application payloads that are are built in conformance with the [SOAPATTACH] specification may be signed. To sign a SOAP with Attachment message the Security element must be built in   accordance with WSS 1.1. It is REQUIRED that compliant MSH implementations support the Attachment-Content-Only transform. It is RECOMMENDED that compliant MSH implementations   support the Attachment-Complete transform. To ensure the integrity of the user-specified payload data and ebMS headers it is RECOMMENDED that the entire eb:Messaging Container Element,   and all MIME Body parts of included payloads are included in the signature.

Yet section 5.1.8 of the AS4 Profile reads as follows

  When signed receipts are requested in AS4 that make use of default conventions, the Sending message handler (i.e. the MSH sending messages for which signed receipts are expected)   MUST identify message parts (referenced in eb:PartInfo elements in the received User Message) and MUST sign the SOAP body and all attachments using the   http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Content-Signature-Transform.

and section 5.3.1 of the wss-v1.1 spec refers to the attachment-content-signature and attachment-complete-signature transforms only  

Further thoughts and clarification on the right canonicalisation transforms (and final URIs for these) would be most welcome


To unsubscribe from this mail list, you must leave the OASIS TC that 
generates this mail.  Follow this link to all your TCs in OASIS at:

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]