Subject: RE: [ws-sx] RE: Issue 90: Description of Strict Formatting seems wrong for EncryptedKey
Martin Gudgin wrote:

> I believe that you are correct that 6.7.1 clause 4 is incorrect when
> applied generally to asymmetric bindings. The easiest fix is probably to
> remove the words 'top level' from line 1503 of [1].

I think it would be clearer to change clause 4 to say:

4. If there are any encrypted elements in the message then a top level xenc:ReferenceList element or a top level xenc:EncryptedKey element which contains a xenc:ReferenceList element MUST be present in the security header. The xenc:ReferenceList or xenc:EncryptedKey MUST occur before any xenc:EncryptedData elements in the security header that are referenced from the reference list. However, the xenc:ReferenceList or xenc:EncryptedKey is not required to appear before independently encrypted tokens such as the xenc:EncryptedKey token as defined in WSS.

> Did you also look at Appendix C.3 (which I think is more detailed than
> 6.7.1 and applies directly to the Asymmetric Binding)?

In general I think it is poor practice to expect the reader to deduce processing rules from examples, which necessarily must show only a single instance. As I mentioned on a previous call, I think it would be useful to have some shorter, simpler examples. The current "kitchen sink" examples have so many moving parts it is hard to see what bit of policy drives what part of the message. An alternative (but I admit it would be a lot of work) would be to annotate every few lines of the message to indicate exactly which lines in the policies were responsible for causing them to be included.

Hal

> Regards
>
> Gudge
>
> [1] http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/18836/ws-securitypolicy-1.2-spec-ed-01-r07-diff.doc
>
> > -----Original Message-----
> > From: Hal Lockhart [mailto:hlockhar@bea.com]
> > Sent: 18 July 2006 15:18
> > To: Marc Goodner; ws-sx@lists.oasis-open.org
> > Subject: [ws-sx] RE: Issue 90: Description of Strict Formatting seems wrong for EncryptedKey
> >
> > As I mentioned on the last call, the WS-I Basic Security Profile was
> > written assuming that either a ReferenceList or an EncryptedKey would
> > appear at the top level for each encryption step, but not both. See
> > especially section 6.1 and section 10 of that document.
> >
> > http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html
> >
> > Hal
> >
> > > -----Original Message-----
> > > From: Marc Goodner [mailto:mgoodner@microsoft.com]
> > > Sent: Tuesday, July 11, 2006 1:59 PM
> > > To: Hal Lockhart; ws-sx@lists.oasis-open.org
> > > Subject: Issue 90: Description of Strict Formatting seems wrong for EncryptedKey
> > >
> > > Issue 90.
> > >
> > > -----Original Message-----
> > > From: Hal Lockhart [mailto:hlockhar@bea.com]
> > > Sent: Tuesday, July 11, 2006 7:59 AM
> > > To: ws-sx@lists.oasis-open.org
> > > Cc: Marc Goodner
> > > Subject: NEW Issue: Description of Strict Formatting seems wrong for EncryptedKey
> > >
> > > PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL
> > > THE ISSUE IS ASSIGNED A NUMBER.
> > > The issues coordinators will notify the list when that has occurred.
> > >
> > > Protocol: ws-sp
> > >
> > > http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/18837/ws-securitypolicy-1.2-spec-ed-01-r07.pdf
> > >
> > > Artifact: spec
> > >
> > > Type: design
> > >
> > > Title: Rules for strict format of security element seem incorrect in the case of encrypted key used with Asymmetric Key.
> > >
> > > It is my understanding that for every encryption, there will either be a ReferenceList (for Symmetric) or an EncryptedKey (for Asymmetric). However, the rules seem to require a top level ReferenceList even when an EncryptedKey is present. This causes implementation problems, especially for WSS 1.0.
> > >
> > > Description:
> > >
> > > Section 6.7.1 (lines 1528-1536) says:
> > >
> > > ----
> > > 4. If there are any encrypted elements in the message then a top level xenc:ReferenceList element MUST be present in the security header. The xenc:ReferenceList MUST occur before any xenc:EncryptedData elements in the security header that are referenced from the reference list. However, the xenc:ReferenceList is not required to appear before independently encrypted tokens such as the xenc:EncryptedKey token as defined in WSS.
> > > 5. An xenc:EncryptedKey element without an internal reference list [WSS: SOAP Message Security 1.1] MUST obey rule (1). An xenc:EncryptedKey element with an internal reference list MUST additionally obey rule (4).
> > > ----
> > >
> > > But my understanding is that you use either an EncryptedKey or a ReferenceList, but not both. If this is not a simple error, but intentional, I will provide information about implementation difficulties.
> > >
> > > Related issues:
> > >
> > > Proposed Resolution:
> > >
> > > Change #4 to say ReferenceList or Encrypted Key.
> > >
> > > Hal
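As an added example (not code from this thread or from the OASIS specification), a Python check of a wsse:Security header against the proposed wording of clause 4 above: it accepts either a top-level xenc:ReferenceList or an xenc:EncryptedKey carrying one, and flags any xenc:EncryptedData that appears in the header before the list referencing it. The sample headers are constructed with ciphertext elided; the namespace URIs are the WSS 1.0 and XML Encryption ones, and only the header (not the body) is inspected.

```python
import xml.etree.ElementTree as ET

# Namespaces used in a WSS 1.0 security header.
XENC = "http://www.w3.org/2001/04/xmlenc#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

def q(ns, local):  # Clark-notation tag name, as ElementTree reports it
    return "{%s}%s" % (ns, local)

def _list_ids(ref_list):
    """Ids named by xenc:DataReference/@URI (written "#id") in one ReferenceList."""
    return {d.get("URI", "").lstrip("#") for d in ref_list.findall(q(XENC, "DataReference"))}

def check_clause4(security_xml):
    """Walk the top-level children of wsse:Security in document order and
    return a list of clause 4 violations (empty means the layout is acceptable).
    A top-level xenc:ReferenceList, or an xenc:EncryptedKey holding one, is "the
    list"; an xenc:EncryptedData it references that came earlier is a violation."""
    violations, data_seen, lists_seen = [], set(), 0
    for child in ET.fromstring(security_xml):
        if child.tag == q(XENC, "EncryptedData"):
            data_seen.add(child.get("Id") or child.get(q(WSU, "Id")))
            continue
        ref_list = None
        if child.tag == q(XENC, "ReferenceList"):
            ref_list = child
        elif child.tag == q(XENC, "EncryptedKey"):
            ref_list = child.find(q(XENC, "ReferenceList"))  # absent on a plain key token
        if ref_list is None:
            continue  # timestamps, signatures, plain tokens: not ordered by clause 4
        lists_seen += 1
        for rid in sorted(_list_ids(ref_list) & data_seen):
            violations.append("EncryptedData %s precedes the list referencing it" % rid)
    if data_seen and not lists_seen:
        violations.append("EncryptedData present but no top-level ReferenceList/EncryptedKey")
    return violations

# Constructed sample headers (not from the thread); ciphertext elided.
_HDR = '<wsse:Security xmlns:wsse="%s" xmlns:xenc="%s" xmlns:wsu="%s">%%s</wsse:Security>' % (WSSE, XENC, WSU)
_DATA = '<xenc:EncryptedData Id="ed1"><xenc:CipherData><xenc:CipherValue>...</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>'
_LIST = '<xenc:ReferenceList><xenc:DataReference URI="#ed1"/></xenc:ReferenceList>'
_KEY = '<xenc:EncryptedKey>%s</xenc:EncryptedKey>' % _LIST

SYMMETRIC_OK = _HDR % (_LIST + _DATA)    # rule as written: top-level ReferenceList first
ASYMMETRIC_OK = _HDR % (_KEY + _DATA)    # proposed wording: EncryptedKey carrying the list first
ASYMMETRIC_BAD = _HDR % (_DATA + _KEY)   # data before its key: violates clause 4
NO_LIST = _HDR % _DATA                   # encrypted element with no list at all
```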