[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [ws-sx] security policy help for example C.3.2
Gudge

Thanks, this makes sense.

regards, Frederick

Frederick Hirsch
Nokia

On Jul 21, 2006, at 7:48 AM, ext Martin Gudgin wrote:

> Frederick,
>
> I've looked into this and believe that the presence of a reference to
> the RecipientToken in the message signature in the example in C.3.2 is
> erroneous and should be removed. (line 3346 in [1])
>
> Similarly the presence of a reference to the InitiatorToken in the
> message signature in the example in C.3.3 is erroneous and should be
> removed. (line 3502 in [1])
>
> The reason for these changes is that [Token Protection] protects the
> token that created the signature, not all tokens in a message.
>
> In addition, I noticed that the sentence at line 3418-3420 in Section
> C.3.3 of [1] that currently reads;
>
> If [Token Protection] is 'true' and the [Initiator Token] is specified,
> then the signature MUST also cover the [Initiator Token].
>
> should read;
>
> If [Token Protection] is 'true' then the signature MUST also cover the
> [Recipient Token].
>
> Cheers
>
> Gudge
>
> [1] http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/18837/ws-securitypolicy-1.2-spec-ed-01-r07.pd
>
>
>> -----Original Message-----
>> From: Frederick Hirsch [mailto:frederick.hirsch@nokia.com]
>> Sent: 07 July 2006 22:48
>> To: ws-sx@lists.oasis-open.org
>> Cc: Hirsch Frederick
>> Subject: [ws-sx] security policy help for example C.3.2
>>
>> ws-securitypolicy-1.2-spec-ed-01-r07-diff
>> <http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/18836/ws-securitypolicy-1.2-spec-ed-01-r07-diff.doc>
>>
>> I need help understanding the message example in C3.2 which I believe
>> is supposed to correspond to the policy in C3.1
>>
>> Specifically I do not understand what policy element directed that
>> RecipientToken be included with a ds:Reference in the message
>> signature.
>>
>> To reiterate:
>> Timestamp is always included, due to binding rules.
>> SomeUsernameToken and SomeSupportingToken are included since any
>> Signed?SupportingToken includes the token in the message
>> reference list.
>> InitiatorToken is included due to the ProtectTokens policy, which
>> says that the token associated with the key used to generate the
>> signature should be included as a reference.
>> Header1, Header2 and Body are included since they are listed in
>> SignedParts.
>>
>> Which policy directive causes RecipientToken to be included?
>>
>> If it is ProtectTokens then I need to raise an issue since the text
>> isn't clear. If it isn't then why is RecipientToken in the
>> ds:References list?
>>
>> regards, Frederick
>>
>> Frederick Hirsch
>> Nokia
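The rule the thread settles on (ProtectTokens covers only the token whose key produced the signature; the Timestamp, every Signed*SupportingToken and every SignedParts entry are referenced regardless) can be turned into a structural conformance check on a received message. The following is an added example, not code from the spec, from OASIS, or from either correspondent; it tracks elements by wsu:Id rather than by the header QNames real SignedParts assertions use, performs no cryptographic verification, and the SOAP envelope it parses is constructed here to mirror the shape of the C.3.2 message, including the stray RecipientToken reference that Gudge identified as erroneous.

```python
"""Derive the ds:Reference set a WS-SecurityPolicy binding requires and
compare it with the ds:SignedInfo of a message.

Rules encoded, following the thread:
  - the Timestamp is always signed (binding rule);
  - each Signed*SupportingToken is referenced by the message signature;
  - with ProtectTokens the signature also covers the token whose key
    produced it, and no other token;
  - every element listed in SignedParts is referenced.
Policy entries and message elements are matched by wsu:Id (a
simplification of the real SignedParts, which names headers by QName).
"""
from dataclasses import dataclass
import xml.etree.ElementTree as ET

NS = {
    "S": "http://www.w3.org/2003/05/soap-envelope",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]


@dataclass(frozen=True)
class SignaturePolicy:
    signing_token_id: str              # token whose key produced the signature
    protect_tokens: bool               # sp:ProtectTokens present?
    signed_supporting_token_ids: frozenset = frozenset()
    signed_part_ids: frozenset = frozenset()
    timestamp_id: str = "Timestamp"


def expected_references(policy: SignaturePolicy) -> set:
    """wsu:Ids the message signature must reference under this policy."""
    refs = {policy.timestamp_id}
    refs |= policy.signed_supporting_token_ids
    refs |= policy.signed_part_ids
    if policy.protect_tokens:
        refs.add(policy.signing_token_id)   # only the signing token, not every token
    return refs


def signed_references(envelope_xml: str) -> set:
    """wsu:Ids actually referenced from ds:SignedInfo (same-document URIs only)."""
    root = ET.fromstring(envelope_xml)
    ids = set()
    for ref in root.iterfind(".//ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            raise ValueError("only same-document references are handled: %r" % uri)
        ids.add(uri[1:])
    return ids


def dangling_references(envelope_xml: str) -> list:
    """Referenced ids with no matching wsu:Id element in the envelope."""
    root = ET.fromstring(envelope_xml)
    present = {el.get(WSU_ID) for el in root.iter() if el.get(WSU_ID)}
    return sorted(signed_references(envelope_xml) - present)


def check_signature_coverage(policy: SignaturePolicy, envelope_xml: str):
    """Return (missing, unexpected) reference ids relative to the policy."""
    expected = expected_references(policy)
    actual = signed_references(envelope_xml)
    return sorted(expected - actual), sorted(actual - expected)


# Constructed envelope modelled on the C.3.2 shape; the RecipientToken
# reference is the one the thread identifies as erroneous.
SAMPLE_MESSAGE = """<S:Envelope xmlns:S="%(S)s" xmlns:wsse="%(wsse)s"
    xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s">
  <S:Header>
    <Header1 wsu:Id="Header1"/>
    <Header2 wsu:Id="Header2"/>
    <wsse:Security>
      <wsu:Timestamp wsu:Id="Timestamp"/>
      <wsse:BinarySecurityToken wsu:Id="InitiatorToken"/>
      <wsse:BinarySecurityToken wsu:Id="RecipientToken"/>
      <wsse:UsernameToken wsu:Id="SomeUsernameToken"/>
      <wsse:BinarySecurityToken wsu:Id="SomeSupportingToken"/>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#Timestamp"/>
          <ds:Reference URI="#SomeUsernameToken"/>
          <ds:Reference URI="#SomeSupportingToken"/>
          <ds:Reference URI="#InitiatorToken"/>
          <ds:Reference URI="#RecipientToken"/>
          <ds:Reference URI="#Header1"/>
          <ds:Reference URI="#Header2"/>
          <ds:Reference URI="#Body"/>
        </ds:SignedInfo>
        <ds:SignatureValue>constructed</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </S:Header>
  <S:Body wsu:Id="Body"/>
</S:Envelope>""" % NS

# Policy modelled on C.3.1: asymmetric binding, initiator signs, ProtectTokens set.
C32_POLICY = SignaturePolicy(
    signing_token_id="InitiatorToken",
    protect_tokens=True,
    signed_supporting_token_ids=frozenset({"SomeUsernameToken", "SomeSupportingToken"}),
    signed_part_ids=frozenset({"Header1", "Header2", "Body"}),
)

if __name__ == "__main__":
    missing, unexpected = check_signature_coverage(C32_POLICY, SAMPLE_MESSAGE)
    print("missing:", missing, "unexpected:", unexpected)
```

Run as a script it reports an empty missing list and `RecipientToken` as the one unexpected reference, which is exactly the correction Gudge proposes for the example. Dropping ProtectTokens from the policy makes the InitiatorToken reference unexpected as well, matching Frederick's reading that ProtectTokens is what justifies that reference and nothing else in the policy does.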