[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: [OASIS Issue Tracker] (EBXMLMSG-98) AS4 5.2.3, securing pull requests
Pim van der Eijk created EBXMLMSG-98:
----------------------------------------
Summary: AS4 5.2.3, securing pull requests
Key: EBXMLMSG-98
URL: https://issues.oasis-open.org/browse/EBXMLMSG-98
Project: OASIS ebXML Messaging Services TC
Issue Type: Bug
Components: AS4 Profile, Core Spec
Reporter: Pim van der Eijk
In section 5.2.3 of AS4 it is claimed that the header is configured using the
PMode[1].Security.X509. parameters:
"PMode[1].Security.X509.sign: (for option (b))
PMode[1].Security.X509.SignatureCertificate: (for option (b))"
"NOTE: in (b), the P-Mode parameters about X509 are controlling both the authentication of eb:PullRequest signals and authentication of other User
Messages".
But it is not possible to use the same parameters for signing both the (pulled) user message and the (pulling) pull request signal message. The pull request is signed by the initiator (receiver). The certificate used is the certificate of the initiator. The user message is signed by the responder (sender). The certificate used is the certificate of the responder.
So we need separate parameters to configure the two certificates.
(And "SignatureCertificate" should be "Signature.Certificate").
This is a follow on from https://issues.oasis-open.org/browse/EBXMLMSG-97. A separate issue is created as it relates to a different specificaion document.
--
This message was sent by Atlassian JIRA
(v6.2.2#6258)
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]