
ebxml-msg message



Subject: [OASIS Issue Tracker] Updated: (EBXMLMSG-25) Signing SOAP with Attachments Messages Transform Confusion


     [ http://tools.oasis-open.org/issues/browse/EBXMLMSG-25?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sander Fieten updated EBXMLMSG-25:
----------------------------------

    Proposal: 
The transform to be used in profiling rule (a) of section 5.1.5 of the AS4 Profile should be http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Content-Signature-Transform as per the
transform in section 5.3.1 of the wss-v1.1 (and wss-v1.1.1) spec. 


  was:
The transform to be used in profiling rule (a) of section 5.1.5 of the AS4 Profile should be http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Content-Signature-Transform as per the
transform in section 5.3.1 of the wss-v1.1 (and wss-v1.1.1) spec. 

More important, AS4 section 5.1.5 is about signing attachments. The 5.1.5 profiling rule (a) should really be somewhere in section 5.1.7 of AS4. AS4 MSH implementations are REQUIRED to use the Attachment-Content-Only identifier.

If there is consensus, we should also correct the bibliography to mention the WSS-SWA profiles in ebMS core.
(Thanks Dale).


As the transform for encryption now has its own issue (#28), the proposal is changed to only update section 5.1.5 on signing SwA messages.

Also adding the WSS-SWA reference to the core spec is now a separate issue.

> Signing SOAP with Attachments Messages Transform Confusion
> ----------------------------------------------------------
>
>                 Key: EBXMLMSG-25
>                 URL: http://tools.oasis-open.org/issues/browse/EBXMLMSG-25
>             Project: OASIS ebXML Messaging Services TC
>          Issue Type: Improvement
>          Components: AS4 Profile
>            Reporter: Theo Kramer
>
> WSS-SWA existed in a 1.0 version form until draft 21 on 6 June 2005. The first OASIS-approved standard was version 1.1 on 1 Feb 2006. An update, version 1.1.1, was approved as an OASIS standard on 18 May 2012. The URIs used for SWA identifiers and transform identifiers changed between 1.0 and 1.1, but appear unchanged in 1.1.1.
> ebMS 3 section 7.3 (1 Oct 2007) references WSS 1.1 as the basis for building signatures. No references to WSS-SWA appear to be included in ebMS 3 core! [The transform URIs occur in the examples in 7.9.2 and elsewhere, but no references to the specification...]
> In AS4 section 5.1.5 we find
> "Profiling Rule (a): AS4 MSH implementations are REQUIRED to use the Attachment-Content-Only transform when building application payloads using SOAP with Attachments [SOAPATTACH]. The Attachment-Complete transform is not supported by this profile."
> In both the 1.1 version of WSS-SWA, in the section 5.2.2 concerning encryption processing, step 3 says:
> 3. Set the <xenc:EncryptedData> Type attribute value to a URI that specifies adherence to this profile and that specifies what was encrypted (MIME content or entire MIME part including headers). The following URIs MUST be used for this purpose:
> Content Only: 
> http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Content-Only
> Content and headers: 
> http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Complete
> The above identifiers are not really identifying "transforms" but mainly conformance to the WSS-SWA profile concerning what has been encrypted in the attachment (entity part minus the headers or the whole entity part (headers plus body)).
> So what URIs are involved when dealing with signatures of attachments? WSS-SWA does specify URIs that indicate actual transforms for the octets that are to be signed in sections 5.3.1 and 5.3.2.
> "5.3.1 The Attachment-Content-Signature-Transform indicates that only the content of a MIME part is referenced for signing. This transform MUST be identified using the URI value:
> http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Content-Signature-Transform
> "5.3.2 The Attachment-Complete-Signature-Transform indicates that both the content and selected headers of the MIME part are referenced for signing. This transform MUST be identified using the URI value:
> http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Complete-Signature-Transform

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://tools.oasis-open.org/issues/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
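
A check for the confusion this issue describes, as an added example that is not part of the original message or of any OASIS specification: it inspects the `ds:Reference` elements of a signature and flags attachment (`cid:`) references whose transform is one of the WSS-SWA 5.2.2 encryption `Type` URIs rather than the 5.3.1 signature transform. It assumes the proposal above is adopted; the function name, verdict strings and sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SWA = "http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#"
SIGN_CONTENT = SWA + "Attachment-Content-Signature-Transform"    # WSS-SWA 5.3.1
SIGN_COMPLETE = SWA + "Attachment-Complete-Signature-Transform"  # WSS-SWA 5.3.2
# WSS-SWA 5.2.2 values for xenc:EncryptedData/@Type; these are not transforms.
ENC_TYPES = {SWA + "Attachment-Content-Only", SWA + "Attachment-Complete"}


def check_attachment_references(signed_info_xml):
    """Return {reference URI: verdict} for every cid: (attachment) reference."""
    root = ET.fromstring(signed_info_xml)
    verdicts = {}
    for ref in root.iter(DS + "Reference"):
        uri = ref.get("URI", "")
        if not uri.startswith("cid:"):
            continue  # SOAP body/header references are out of scope here
        algs = [t.get("Algorithm") for t in ref.iter(DS + "Transform")]
        if any(a in ENC_TYPES for a in algs):
            verdicts[uri] = "encryption Type URI used as transform"
        elif SIGN_COMPLETE in algs:
            verdicts[uri] = "Attachment-Complete not supported by AS4"
        elif SIGN_CONTENT in algs:
            verdicts[uri] = "ok"
        else:
            verdicts[uri] = "no SwA signature transform"
    return verdicts


def _ref(uri, alg):
    # Helper for the constructed sample only (digest elements omitted).
    return (f'<ds:Reference URI="{uri}"><ds:Transforms>'
            f'<ds:Transform Algorithm="{alg}"/></ds:Transforms></ds:Reference>')


# Constructed sample: one SOAP body reference and three attachment references.
SAMPLE = ('<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
          + _ref("#body", "http://www.w3.org/2001/10/xml-exc-c14n#")
          + _ref("cid:invoice@example.org", SIGN_CONTENT)
          + _ref("cid:photo@example.org", SWA + "Attachment-Content-Only")
          + _ref("cid:specs@example.org", SIGN_COMPLETE)
          + '</ds:SignedInfo>')

if __name__ == "__main__":
    for uri, verdict in check_attachment_references(SAMPLE).items():
        print(uri, "->", verdict)
```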
