OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

ws-rx message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [ws-rx] issue 115: clarifying question

I'm not saying it wouldn't be signed. I'm saying you have to remember to sign it with the same signature that you use to cover the element that is being extended. It's an additional step that results from the fact that you've split the mustUnderstand annotation into a separate element. If the mustUnderstand annotation existed as an attribute of the extension element it would automatically get signed when you signed the parent.
 
- gp

From: Christopher B Ferris [mailto:chrisfer@us.ibm.com]
Sent: Tuesday, April 25, 2006 5:45 AM
To: Gilbert Pilz
Cc: wsrx
Subject: RE: [ws-rx] issue 115: clarifying question


Gil,

Who sez that the foo:SecureRM header wouldn't be signed?

Cheers,

Christopher Ferris
STSM, Software Group Standards Strategy
email: chrisfer@us.ibm.com
blog: http://www.ibm.com/developerworks/blogs/dw_blog.jspa?blog=440
phone: +1 508 377 9295

"Gilbert Pilz" <Gilbert.Pilz@bea.com> wrote on 04/24/2006 11:29:30 PM:

> Another problem with this is that it complicates the security
> processing. Any time I have an extension that "significantly"
> modifies the semantics of the underlying operation (pretty much the
> definition of why I would want to use "mustUnderstand" in the first
> place) there is an implicit security threat if someone is able to
> strip off the "mustUnderstand" flag (however it's represented).
> Under your model every "foo:ExtensionFlag" header would have to be
> included in a signature that binds the header to the actual thing
> that is being extended (body or other header) together. Under the
> proposed solution the "wsrm:mustUnderstand" attribute would be
> signed along with the thing it is extending.
>  
> - gp
>
> From: Christopher B Ferris [mailto:chrisfer@us.ibm.com]
> Sent: Monday, April 24, 2006 6:07 PM
> To: Gilbert Pilz
> Cc: wsrx
> Subject: Re: [ws-rx] issue 115: clarifying question

>
> Gil,
>
> Actually, I had something more like this in mind:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope"
> xmlns:wsrm="http://docs.oasis-open.org/ws-rx/wsrm/200604"
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-
> wssecurity-secext-1.0.xsd"
> xmlns:foo="http://example.org/foo"
> xmlns:wsa="http://www.w3.org/2005/08/addressing">
> <S:Header>
>  <foo:SecureRM S:mustUnderstand="1"/>
>  <wsa:MessageID>
>   http://Business456.com/guid/0baaf88d-483b-4ecf-a6d8-a7c2eb546817
>  </wsa:MessageID>
>  <wsa:To>http://example.com/serviceB/123</wsa:To>
>    <wsa:Action>http://docs.oasis-open.org/ws-rx/wsrm/200604/CreateSequence
> </wsa:Action>
>  <wsa:ReplyTo>
>   <wsa:Address>http://Business456.com/serviceA/789</wsa:Address>
>  </wsa:ReplyTo>
> </S:Header>
> <S:Body>
>  <wsrm:CreateSequence>
>    <wsrm:AcksTo>
>      <wsa:Address>http://Business456.com/serviceA/789</wsa:Address>
>    </wsrm:AcksTo>
>    <wsse:SecurityTokenReference>
>      ...
>    </wsse:SecurityTokenReference>
>  </wsrm:CreateSequence>
> </S:Body>
> </S:Envelope>
>
> Cheers,
>
> Christopher Ferris
> STSM, Software Group Standards Strategy
> email: chrisfer@us.ibm.com
> blog: http://www.ibm.com/developerworks/blogs/dw_blog.jspa?blog=440
> phone: +1 508 377 9295
>
> "Gilbert Pilz" <Gilbert.Pilz@bea.com> wrote on 04/24/2006 05:41:23 PM:
>
> > During the conference call of 4/20/2006 Chris asserted that you can
> > use a SOAP header with a mustUnderstand attribute to flag the fact
> > that some element in either another header or in the message body is
> > an extension that must be understood by the receiver. I'm not sure I
> > understood exactly what Chris thought this should look like. For
> > example, imagine the following CreateSequence message. The extension
> > elements have been marked in bold. What is supposed to go in the
> > <wsrm:Extension> header?
> >
> > <?xml version="1.0" encoding="UTF-8"?>
> > <S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope"
> > xmlns:wsrm="http://docs.oasis-open.org/ws-rx/wsrm/200604"
> > xmlns:wsa="http://www.w3.org/2005/08/addressing">
> >  <S:Header>
> >   <wsrm:Extension S:mustUnderstand="1">
> >     ????
> >   </wsrm:Extension>
> >   <wsa:MessageID>
> >    http://Business456.com/guid/0baaf88d-483b-4ecf-a6d8-a7c2eb546817
> >   </wsa:MessageID>
> >   <wsa:To>http://example.com/serviceB/123</wsa:To>
> >     <wsa:Action>http://docs.oasis-open.org/ws-rx/wsrm/200604/CreateSequence
> > </wsa:Action>
> >   <wsa:ReplyTo>
> >    <wsa:Address>http://Business456.com/serviceA/789</wsa:Address>
> >   </wsa:ReplyTo>
> >  </S:Header>
> >  <S:Body>
> >   <wsrm:CreateSequence>
> >     <wsrm:AcksTo>
> >       <wsa:Address>http://Business456.com/serviceA/789</wsa:Address>
> >     </wsrm:AcksTo>
> >     <wsrm:SecurityComposition>
> >       <wsrm:Identifier>
> >         http://docs.oasis-open.org/ws-
> > rx/wsrmsp/200604/profile/http_auth/samenode
> >       </wsrm:Identifier>
> >     </wsrm:SecurityComposition>
> >   </wsrm:CreateSequence>
> >  </S:Body>
> > </S:Envelope>
> >
> > I'm sure that most of us could all come up with a reasonable design
> > to do what you suggest, but for the purposes of further discussion
> > I'd like to know what design Chris had in mind?
> >
> > - gp

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]