ws-sx message



Subject: Re: [ws-sx] security policy help for example C.3.2


Gudge

Thanks, this makes sense.

regards, Frederick

Frederick Hirsch
Nokia


On Jul 21, 2006, at 7:48 AM, ext Martin Gudgin wrote:

> Frederick,
>
> I've looked into this and believe that the presence of a reference to
> the RecipientToken in the message signature in the example in C.3.2 is
> erroneous and should be removed. (line 3346 in [1])
>
> Similarly the presence of a reference to the InitiatorToken in the
> message signature in the example in C.3.3 is erroneous and should be
> removed. (line 3502 in [1])
>
> The reason for these changes is that [Token Protection] protects the
> token that created the signature, not all tokens in a message.
>
> In addition, I noticed that the sentence at lines 3418-3420 in Section
> C.3.3 of [1] that currently reads:
>
> If [Token Protection] is 'true' and the [Initiator Token] is specified,
> then the signature MUST also cover the [Initiator Token].
>
> should read:
>
> If [Token Protection] is 'true' then the signature MUST also cover the
> [Recipient Token].
>
> Cheers
>
> Gudge
>
> [1] http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/18837/ws-securitypolicy-1.2-spec-ed-01-r07.pd
>
>
>
>> -----Original Message-----
>> From: Frederick Hirsch [mailto:frederick.hirsch@nokia.com]
>> Sent: 07 July 2006 22:48
>> To: ws-sx@lists.oasis-open.org
>> Cc: Hirsch Frederick
>> Subject: [ws-sx] security policy help for example C.3.2
>>
>> ws-securitypolicy-1.2-spec-ed-01-r07-diff
>>
>> <http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/18836/ws-securitypolicy-1.2-spec-ed-01-r07-diff.doc>
>>
>> I need help understanding the message example in C.3.2, which I believe
>> is supposed to correspond to the policy in C.3.1.
>>
>> Specifically I do not understand what policy element directed that
>> RecipientToken be included with a ds:Reference in the message
>> signature.
>>
>> To reiterate:
>> Timestamp is always included, due to binding rules.
>> SomeUsernameToken and SomeSupportingToken are included since any
>> Signed?SupportingToken includes the token in the message
>> reference list.
>> InitiatorToken is included due to the ProtectTokens policy, which
>> says that the token associated with the key used to generate the
>> signature should be included as a reference.
>> Header1, Header2 and Body are included since they are listed in
>> SignedParts.
>>
>> Which policy directive causes RecipientToken to be included?
>>
>> If it is ProtectTokens then I need to raise an issue since the text
>> isn't clear. If it isn't then why is RecipientToken in the
>> ds:References list?
>>
>> regards, Frederick
>>
>> Frederick Hirsch
>> Nokia
>>
>>
>>
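The rule the thread settles on ([Token Protection] covers only the token whose key produced the signature, so the C.3.2 request signature should not reference the RecipientToken and the C.3.3 response signature should not reference the InitiatorToken) can be turned into a mechanical check. The following is an added example written for this page, not code from the ws-sx TC or the WS-SecurityPolicy specification: it derives the set of ds:Reference targets a message signature should carry from a small, assumed policy model (Timestamp from the binding, SignedParts, Signed*SupportingTokens, and ProtectTokens) and compares it with the ds:SignedInfo of constructed messages shaped like the C.3.2 request and C.3.3 response. The wsu:Id values (Timestamp, InitiatorToken, RecipientToken, SomeUsernameToken, SomeSupportingToken, Header1, Header2, Body) and the response policy are assumptions.

```python
# Added example (not from the ws-sx thread or the WS-SecurityPolicy spec):
# derive the ds:Reference targets a message signature should contain from the
# policy directives the thread reasons about, then audit a ds:SignedInfo.
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"


# Policy model (assumption): only the directives named in the thread.
#   protect_tokens           -> sp:ProtectTokens / [Token Protection]
#   signed_parts             -> sp:SignedParts (headers and/or Body)
#   signed_supporting_tokens -> tokens carried under Signed*SupportingTokens
def expected_references(policy, signing_token):
    """Return the wsu:Id values the message signature must reference.

    'signing_token' is the id of the token whose key produced the signature.
    [Token Protection] adds that token only; it never adds the other
    party's token, which is the point Gudge makes about C.3.2 and C.3.3.
    """
    refs = {"Timestamp"}                      # binding rule: always signed
    refs.update(policy.get("signed_parts", []))
    refs.update(policy.get("signed_supporting_tokens", []))
    if policy.get("protect_tokens", False):
        refs.add(signing_token)
    return refs


def referenced_ids(signed_info_xml):
    """Collect the fragment ids named by ds:Reference/@URI."""
    root = ET.fromstring(signed_info_xml)
    ids = set()
    for ref in root.iter(f"{{{DS_NS}}}Reference"):
        uri = ref.get("URI", "")
        if uri.startswith("#"):               # only same-document references
            ids.add(uri[1:])
    return ids


def audit_signature(policy, signing_token, signed_info_xml):
    """Report references the policy does not call for ('extra') and
    references the policy requires but the signature lacks ('missing')."""
    expected = expected_references(policy, signing_token)
    actual = referenced_ids(signed_info_xml)
    return {"missing": sorted(expected - actual),
            "extra": sorted(actual - expected)}


def _signed_info(*ids):
    """Constructed ds:SignedInfo; digests are omitted since only the URI
    attributes matter for this check."""
    refs = "".join(f'<ds:Reference URI="#{i}"/>' for i in ids)
    return (f'<ds:SignedInfo xmlns:ds="{DS_NS}">'
            '<ds:CanonicalizationMethod '
            'Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
            '<ds:SignatureMethod '
            'Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
            f'{refs}</ds:SignedInfo>')


# Request policy modelled on C.3.1 (ids are assumptions).
REQUEST_POLICY = {
    "protect_tokens": True,
    "signed_parts": ["Header1", "Header2", "Body"],
    "signed_supporting_tokens": ["SomeUsernameToken", "SomeSupportingToken"],
}

# Request signature as printed in C.3.2, including the RecipientToken
# reference the thread concludes is erroneous.
REQUEST_SIGNED_INFO = _signed_info(
    "Timestamp", "SomeUsernameToken", "SomeSupportingToken",
    "InitiatorToken", "RecipientToken", "Header1", "Header2", "Body")

# Response policy (assumption): same binding, no supporting tokens, signed
# with the recipient's key, so [Token Protection] covers RecipientToken.
RESPONSE_POLICY = {"protect_tokens": True, "signed_parts": ["Body"]}
RESPONSE_SIGNED_INFO = _signed_info(
    "Timestamp", "RecipientToken", "InitiatorToken", "Body")

if __name__ == "__main__":
    print("C.3.2 request :",
          audit_signature(REQUEST_POLICY, "InitiatorToken", REQUEST_SIGNED_INFO))
    print("C.3.3 response:",
          audit_signature(RESPONSE_POLICY, "RecipientToken", RESPONSE_SIGNED_INFO))
```

Run against the constructed request, the audit flags RecipientToken as the one reference no directive accounts for; against the constructed response it flags InitiatorToken, matching the two corrections proposed above. A missing entry would indicate the opposite defect, a signature that does not cover something the policy requires (for instance the signing token itself when ProtectTokens is set).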


