Subject: Issue 32: Identity security header components that are encrypted when using (A)Symmetric binding
This is now tracked as issue 32.

Marc Goodner
Technical Diplomat
Microsoft Corporation
Tel: (425) 703-1903
Blog: http://spaces.msn.com/mrgoodner/

-----Original Message-----
From: Prateek Mishra [mailto:firstname.lastname@example.org]
Sent: Friday, February 17, 2006 12:43 PM
To: email@example.com
Subject: [ws-sx] NEW Issue: Identity security header components that are encrypted when using (A)Symmetric binding

*PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL THE ISSUE IS ASSIGNED A NUMBER.*
*The issues coordinators will notify the list when that has occurred.*

Protocol: ws-sp WS-SecurityPolicy
Artifact: spec
Type: editorial
Title: Identify security header components that are encrypted

Description:
It appears that use of the SymmetricBinding and Asymmetric binding assertion implies encryption over several components of the security header, including the timestamp, Supporting tokens and SignedSupporting tokens. This is not stated in the specification but can be gleaned from the construction given in Appendix C. It would be helpful to implementors if this was made explicit in Sections 7.3 and 7.4.

Related issues: [numbers of related issues, if any]

Proposed Resolution:
Add the following sentence to Sections 7.4 (at end of first paragraph) and 7.5 (at end of first paragraph):

Use of this binding assertion implies that the following tokens, if present in the security header of the request or response message, MUST be encrypted: timestamp, Supporting tokens and SignedSupporting tokens.