

Subject: RE: [ebxml-msg] Signing SOAP with Attachments Messages Transform Confusion


This came up before and as far as I remember, Pim and Dale agreed that the spec needs to be corrected to reflect WSS 1.1. In other words, all the references to the Attachment-Content-Only transform need to be replaced by the Attachment-Content-Signature transform.

AKIHISA(AKISA) SAKO
Axway
P: +1.480.627.1857 | F: +1.480.627.1801
6811 E. Mayo Blvd., Suite 400
Phoenix, Arizona 85054
asako@us.axway.com - http://www.axway.com



-----Original Message-----
From: ebxml-msg@lists.oasis-open.org [mailto:ebxml-msg@lists.oasis-open.org] On Behalf Of Theo Kramer
Sent: Wednesday, August 14, 2013 2:09 AM
To: ebxml-msg@lists.oasis-open.org
Subject: [ebxml-msg] Signing SOAP with Attachments Messages Transform Confusion

There seems to be some confusion in the AS4 profile regarding the transforms used in signing SWA messages.

Section 5.1.5 of the AS4 profile reads as follows:


  Specification Reference: ebMS v3.0 Core Specification, Section 7.3

  Profiling Rule (a): AS4 MSH implementations are REQUIRED to use the Attachment-Content-Only transform when building application payloads using SOAP with Attachments [SOAPATTACH]. The Attachment-Complete transform is not supported by this profile.

And section 7.3 of the core spec reads as follows:

  Application payloads that are built in conformance with the [SOAPATTACH] specification may be signed. To sign a SOAP with Attachment message the Security element must be built in accordance with WSS 1.1. It is REQUIRED that compliant MSH implementations support the Attachment-Content-Only transform. It is RECOMMENDED that compliant MSH implementations support the Attachment-Complete transform. To ensure the integrity of the user-specified payload data and ebMS headers it is RECOMMENDED that the entire eb:Messaging Container Element, and all MIME Body parts of included payloads are included in the signature.

Yet section 5.1.8 of the AS4 Profile reads as follows:

  When signed receipts are requested in AS4 that make use of default conventions, the Sending message handler (i.e. the MSH sending messages for which signed receipts are expected) MUST identify message parts (referenced in eb:PartInfo elements in the received User Message) and MUST sign the SOAP body and all attachments using the http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Content-Signature-Transform.

And section 5.3.1 of the wss-v1.1 spec refers to the attachment-content-signature and attachment-complete-signature transforms only.

Further thoughts and clarification on the right canonicalisation transforms (and final URIs for these) would be most welcome.

-- 
Regards
Theo
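
Added example, not part of the original messages or of any OASIS specification: a Python check that flags `cid:` references in a `ds:SignedInfo` whose transform is not the Attachment-Content-Signature-Transform URI quoted from AS4 section 5.1.8 above. The sample XML, the `cid:` values and the `urn:example:` transform URI are constructed placeholders, and `check_attachment_transforms` is a hypothetical name.

```python
import xml.etree.ElementTree as ET  # for untrusted input, parse with defusedxml instead

DS = "http://www.w3.org/2000/09/xmldsig#"
# URI as quoted from AS4 section 5.1.8 in the message above.
CONTENT_SIG = ("http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1"
               "#Attachment-Content-Signature-Transform")

# Constructed sample. The urn:example transform URI is a placeholder standing in
# for a non-WSS-1.1 attachment transform; it is not a real identifier.
SAMPLE = f"""<ds:SignedInfo xmlns:ds="{DS}">
  <ds:Reference URI="#body">
    <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
  </ds:Reference>
  <ds:Reference URI="cid:payload-1@example.org">
    <ds:Transforms><ds:Transform Algorithm="{CONTENT_SIG}"/></ds:Transforms>
  </ds:Reference>
  <ds:Reference URI="cid:payload-2@example.org">
    <ds:Transforms><ds:Transform Algorithm="urn:example:Attachment-Content-Only-Transform"/></ds:Transforms>
  </ds:Reference>
  <ds:Reference URI="cid:payload-3@example.org"/>
</ds:SignedInfo>"""


def check_attachment_transforms(signed_info_xml):
    """Return [(reference_uri, problem)] for every cid: reference that does not
    carry exactly the Attachment-Content-Signature transform."""
    root = ET.fromstring(signed_info_xml)
    findings = []
    for ref in root.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        if not uri.lower().startswith("cid:"):
            continue  # not an attachment reference (SOAP body, headers)
        algs = [t.get("Algorithm") for t in ref.iter(f"{{{DS}}}Transform")]
        if not algs:
            findings.append((uri, "no transform declared"))
        elif algs != [CONTENT_SIG]:
            listed = ", ".join(a or "(missing Algorithm)" for a in algs)
            findings.append((uri, "unexpected transform(s): " + listed))
    return findings


if __name__ == "__main__":
    for uri, problem in check_attachment_transforms(SAMPLE):
        print(f"{uri}: {problem}")
```
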

