Subject: REVISED Proposal: i016 sp:SignedParts mechanism
Revised Proposal:

Note: Line numbers are from the version @ http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/17050/ws-securitypolicy-1.2-spec-ed-01-r04.doc

Append the following text to the end of the section describing the /sp:SignedParts/sp:Header (lines 592-598):

"This assertion only applies to SOAP header elements targeted to the same actor/role as the Security header impacted by the policy. If it is necessary to specify a requirement to sign specific SOAP Header elements targeted to a different actor/role, that may be accomplished using the sp:SignedElements assertion."

Thanks,
Mike

Michael McIntosh/Watson/IBM@IBMUS wrote on 02/07/2006 09:40:10 AM:

> Description
>
> Section 4.1.1 SignedParts provides a mechanism to specify which "parts" of
> a message are required to be integrity protected. The current text
> indicates that, for the sp:SignedParts element, "If no child elements are
> specified, all message headers targeted at the UltimateReceiver role
> [SOAP12] or actor [SOAP11] and the body of the message MUST be integrity
> protected." However, it isn't clear whether sp:Header elements, when
> specified, impact all matching header elements or only those targeted at
> the UltimateReceiver. Also, there is currently no way to specify that a
> header not targeted to UltimateReceiver must be signed.
>
> Proposal
>
> @ Line 575
>
> Syntax
> <sp:SignedParts ... >
> <sp:Body />?
> <sp:Header Name="xs:NCName"? Namespace="xs:anyURI" Target="xs:anyURI"
> ... />*
> ...
> </sp:SignedParts>
>
> @ Line 599
>
> /sp:SignedParts/sp:Header/@Name
> This optional attribute indicates the local name of the SOAP header to be
> integrity protected. If this attribute is not specified, all SOAP headers
> whose namespace and target match the Namespace and Target attributes are
> to be protected.
>
> /sp:SignedParts/sp:Header/@Namespace
> This required attribute indicates the namespace of the SOAP header(s) to
> be integrity protected.
>
> /sp:SignedParts/sp:Header/@Target
> This optional attribute indicates the role [SOAP12] or actor [SOAP11] of
> the SOAP header(s) to be integrity protected. If this attribute is not
> specified, all SOAP headers targeted at the UltimateReceiver role [SOAP12]
> or actor [SOAP11] whose namespace matches the Namespace attribute are to
> be protected.
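The matching rule of the quoted proposal (optional Name, required Namespace, optional Target defaulting to the UltimateReceiver role), worked as an added Python example that is not from this thread or from the WS-SecurityPolicy specification. It assumes the final WS-SecurityPolicy 1.2 namespace (the 2006 draft cited above may have used a different one), SOAP 1.2 role semantics only, and constructed envelope and policy fragments; the revised proposal above drops Target and restricts sp:Header to the Security header's own actor/role, which is the default-Target case here.

```python
import xml.etree.ElementTree as ET

SOAP12_NS = "http://www.w3.org/2003/05/soap-envelope"
ULTIMATE_RECEIVER = SOAP12_NS + "/role/ultimateReceiver"  # SOAP 1.2 default role
SP_NS = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"  # final WS-SP 1.2 namespace

def split_tag(tag):
    """Split an ElementTree '{ns}local' tag into (ns, local); unqualified tags give ns=''."""
    return tuple(tag[1:].split("}", 1)) if tag.startswith("{") else ("", tag)

def header_role(header):
    """Role a SOAP 1.2 header block is targeted at; an absent env:role means ultimateReceiver."""
    return header.get("{%s}role" % SOAP12_NS, ULTIMATE_RECEIVER)

def required_signed_headers(policy_xml, envelope_xml):
    """Return (local name, role) for every header block an sp:SignedParts assertion covers.
    Quoted proposal's rule: Namespace is required; Name optional (absent = every header in
    that namespace); Target optional (absent = only headers at the UltimateReceiver role).
    """
    policy = ET.fromstring(policy_xml)
    headers = ET.fromstring(envelope_xml).findall("{%s}Header/*" % SOAP12_NS)
    required = []
    for rule in policy.findall("{%s}Header" % SP_NS):
        ns = rule.get("Namespace")
        if ns is None:
            raise ValueError("sp:Header requires a Namespace attribute")
        name, target = rule.get("Name"), rule.get("Target", ULTIMATE_RECEIVER)
        for h in headers:
            h_ns, h_name = split_tag(h.tag)
            if h_ns == ns and name in (None, h_name) and header_role(h) == target \
                    and h not in required:
                required.append(h)
    return [(split_tag(h.tag)[1], header_role(h)) for h in required]

# Constructed sample envelope: two Route headers at different roles plus an audit header.
ENVELOPE = """<env:Envelope xmlns:env="%s">
  <env:Header>
    <r:Route xmlns:r="urn:example:routing">hop-1</r:Route>
    <r:Route xmlns:r="urn:example:routing" env:role="urn:example:gateway">hop-2</r:Route>
    <a:Trace xmlns:a="urn:example:audit">t-42</a:Trace>
  </env:Header>
  <env:Body/>
</env:Envelope>""" % SOAP12_NS

# Constructed policy fragments using the proposed Name/Namespace/Target attributes.
POLICY_ROUTING = '<sp:SignedParts xmlns:sp="%s"><sp:Header Namespace="urn:example:routing"/></sp:SignedParts>' % SP_NS
POLICY_GATEWAY = ('<sp:SignedParts xmlns:sp="%s"><sp:Header Namespace="urn:example:routing" '
                  'Target="urn:example:gateway"/></sp:SignedParts>' % SP_NS)
```

With POLICY_ROUTING only the first Route (targeted at the ultimate receiver) is required to be signed; with POLICY_GATEWAY only the gateway-targeted Route is, which is the case the original text could not express.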