OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

ebxml-msg message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: [OASIS Issue Tracker] Created: (EBXMLMSG-25) Signing SOAP with Attachments Messages Transform Confusion

Signing SOAP with Attachments Messages Transform Confusion

                 Key: EBXMLMSG-25
                 URL: http://tools.oasis-open.org/issues/browse/EBXMLMSG-25
             Project: OASIS ebXML Messaging Services TC
          Issue Type: Improvement
          Components: AS4 Profile
            Reporter: Theo Kramer

WSS-SWA existed in a 1.0 version form until draft 21 on 6 June 2005. The first Oasis approved standard was version 1.1 on 1 Feb 2006. An update version 1.1.1 was approved as an OASIS standard on 18 May 2012. The URIs used for SWA identifiers and transform identifiers changed between 1.0 and 1.1, but appear unchanged in 1.1.1.

ebMS 3 section 7.3 ( 1 Oct 2007) references WSS 1.1 as the basis for building signatures. No references to WSS-SWA appear to be included in ebMS 3 core! [The transform URIs occur in the examples in 7.9.2 and elsewhere, but no references to the specification...]

In AS4 section 5.1.5 we find

"Profiling Rule (a): AS4 MSH implementations are REQUIRED to use the Attachment-Content-Only transform when building application payloads using SOAP with Attachments [SOAPATTACH]. The Attachment-Complete transform is not supported by this profile."

In both the 1.1 version of WSS-SWA, in the section 5.2.2 concerning encryption processing, step 3 says:

3. Set the <xenc:EncryptedData> Type attribute value to a URI that specifies adherence to this profile and that specifies what was encrypted (MIME content or entire MIME part including headers). The following URIs MUST be used for this purpose:

Content Only: 

Content and headers: 

The above identifiers are not really identifying "transforms" but mainly conformance to the WSS-SWA profile concerning what has been encrypted in the attachment (entity part minus the headers or the whole entity part (headers plus body))

So what URIs are involved when dealing with signatures of attachments? WSS-SWA does specify URIs that indicate actual transforms for the octets that are to be signed in sections 5.3.1 and 5.3.2.

"5.3.1 The Attachment-Content-Signature-Transform indicates that only the content of a MIME part is referenced for signing. This transform MUST be identified using the URI value:


"5.3.2 The Attachment-Complete-Signature-Transform indicates that both the content and selected headers of the MIME part are referenced for signing. This transform MUST be identified using the URI value:


This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators: http://tools.oasis-open.org/issues/secure/Administrators.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]