
ws-sx message



Subject: NEW Issue: Additional algorithm properties, assertions and references needed


PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL
THE ISSUE IS ASSIGNED A NUMBER.
The issues coordinators will notify the list when that has occurred.

Protocol:  ws-sp

WS-SecurityPolicy 1.2, Editors Draft 01, 01 September 2006
ws-securitypolicy-1.2-spec-ed-10

<http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/20579/ws-securitypolicy-1.2-spec-ed-01-r10.doc>

Artifact:  spec

Type: design

Title: Additional algorithm properties, assertions and references needed

Description:

a] Use of algorithms and properties needs additional material,  
specifically:

Section 7.1  Algorithm Suite Assertion provides means to set values  
of algorithm properties.
/sp:AlgorithmSuite/wsp:Policy/sp:InclusiveC14N can be used to set  
InclusiveC14N, default is stated to be ExclusiveC14N.

1. Should provide assertion to explicitly state ExclusiveC14N, with  
or without comments

2. Need means to state with or without comments, as a parameter of  
InclusiveC14N assertion.

3. Provide means to allow SOAP Message normalization with true mapped
to 1 or reverse by providing parameter for
/sp:AlgorithmSuite/wsp:Policy/sp:SoapNormalization10 assertion.

4. Add signature algorithm property, to enable control over XML  
Signature use, for XML Signature versioning, also to control use e.g.  
to disallow Manifest usage.

b] normative references in section 1.5 required for algorithms  
specified in WS-SP, e.g. for SOAP Normalization

c] Add assertion to require canonicalization of entire SOAP message  
and to maintain this canonicalization

Related issues: none

Proposed Resolution:

(a) extend canonicalization algorithm definitions
(1) In 7.1 define Comments parameter for
/sp:AlgorithmSuite/wsp:Policy/sp:InclusiveC14N assertion.

/sp:AlgorithmSuite/wsp:Policy/sp:InclusiveC14N/@sp:WithComments

'true' with comments, 'false' without, not stated is 'false'

(2) in 7.1 define ExclusiveCanonicalization assertion to explicitly  
set c14N property for exclusive and allow or disallow comments

/sp:AlgorithmSuite/wsp:Policy/sp:ExclusiveC14N
/sp:AlgorithmSuite/wsp:Policy/sp:ExclusiveC14N/@sp:WithComments

'true' with comments, 'false' without, not stated is 'false'

(3) in 7.1 define TrueNormalization parameter for SoapNormalization  
(SNT) property as follows:

/sp:AlgorithmSuite/wsp:Policy/sp:SoapNormalization10/@sp:TrueNormalization

If not provided, value is 'true', meaning map according to  
SOAPNormalization, 'relay' and 'mustUnderstand' from '1' to 'true'  
otherwise from 'true' to '1'.
Purpose is to allow SOAP normalization with WS-I Basic Profile  
compatibility see R1013,
<http://www.ws-i.org/Profiles/BasicProfile-1.1.html#SOAP_mustUnderstand_Attribute>

(4) Add [XML Signature] algorithm property and associated assertion

/sp:AlgorithmSuite/wsp:Policy/sp:XMLSignature10
use XML Signature Rec 12 Feb 2002 (anticipate future revisions)
/sp:AlgorithmSuite/wsp:Policy/sp:XMLSignature10/@sp:NoManifest

disallow Manifest usage if 'true', if not stated is 'false'.

(b)
Add to section 1.5 reference to <http://www.w3.org/TR/soap12-n11n/>.  
Check for other normative references.

(c) add new section

6.8 [Message Canonicalization] Property and corresponding assertion

Property values:
None - default, no requirement for canonicalization of entire SOAP  
message
Canonicalized - XML Canonicalization applied to SOAP entire message
FullCanonicalized - soap message and xml canonicalization applied to  
entire SOAP message

Assertion:

/sp:MessageCanonicalization
/sp:MessageCanonicalization/wsp:Policy/sp:Canonicalized
/sp:MessageCanonicalization/wsp:Policy/sp:FullCanonicalized

both Canonicalized and FullCanonicalized nested assertions can take  
algorithmSuite SOAPNormalization and InclusiveC14N or ExclusiveC14N  
assertions.

They are also element and attribute extensible to allow for different  
requirements.

----

regards, Frederick

Frederick Hirsch
Nokia
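
Why the proposed sp:WithComments and sp:TrueNormalization parameters matter to signature verification, as an added example that is not part of the original message: two constructed SOAP 1.2 envelopes differ only in a comment and in the lexical form of mustUnderstand, and their digests agree only when signer and verifier apply the same settings. Python's `xml.etree.ElementTree.canonicalize` implements C14N 2.0 and is used here as a stand-in for the inclusive or exclusive C14N a policy would name; the '0'/'false' pair, the `digest` function and the sample envelopes are assumptions.

```python
import hashlib
import xml.etree.ElementTree as ET

SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
BOOL_ATTRS = (f"{{{SOAP12}}}mustUnderstand", f"{{{SOAP12}}}relay")
# TrueNormalization 'true' maps '1' to 'true'; otherwise 'true' to '1'.
# The '0'/'false' pair is an assumption; the message names only '1' and 'true'.
TRUE_FORM = {"1": "true", "0": "false"}
NUMERIC_FORM = {"true": "1", "false": "0"}

# Constructed sample: one header block as two different stacks might emit it.
MSG_A = (
    f'<env:Envelope xmlns:env="{SOAP12}"><env:Header><!-- routing hint -->'
    '<t:Txn xmlns:t="urn:example:txn" env:mustUnderstand="1">42</t:Txn>'
    "</env:Header><env:Body/></env:Envelope>"
)
MSG_B = MSG_A.replace('"1"', '"true"').replace("<!-- routing hint -->", "")


def digest(xml_text, with_comments=False, true_normalization=True, normalize=True):
    """SHA-256 over the SOAP-normalized, canonicalized envelope."""
    # Keep comments in the tree so with_comments can decide their fate later.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    if normalize:
        mapping = TRUE_FORM if true_normalization else NUMERIC_FORM
        for block in root.findall(f"{{{SOAP12}}}Header/*"):
            for attr in BOOL_ATTRS:
                value = block.attrib.get(attr)  # comment nodes have no attributes
                if value in mapping:
                    block.set(attr, mapping[value])
    c14n = ET.canonicalize(ET.tostring(root, encoding="unicode"),
                           with_comments=with_comments)
    return hashlib.sha256(c14n.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print("no normalization    :", digest(MSG_A, normalize=False) == digest(MSG_B, normalize=False))
    print("both TrueNorm=true  :", digest(MSG_A) == digest(MSG_B))
    print("both WithComments   :", digest(MSG_A, True) == digest(MSG_B, True))
    print("TrueNorm mismatch   :", digest(MSG_A, False, True) == digest(MSG_A, False, False))
```

Only the second comparison prints True: every other pairing leaves signer and verifier hashing different octets, which is the mismatch an explicit policy parameter is meant to rule out.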



