

Subject: RE: [ws-sx] Issue 114: Additional algorithm properties, assertions and references needed


Frederick,

I'm sorry this is so late. Here are my comments/questions:

a1.     I don't see the need for an explicit assertion to indicate Exclusive C14N without comments. The current design works fine in terms of policy matching.

a2.     I don't see the need to support WithComments versions of either Exclusive or Inclusive C14N. As and when such a need arises, assertions could be defined at that point (i.e. outside this TC).

a3.     I don't understand this item. The SOAP Normalization Transform defines the mapping of boolean attributes such as soap12:mustUnderstand as "1" -> "true". If you don't perform that mapping, you are not using the SOAP Normalization Transform...

a4.     I don't see a need for such a property at this point. Again, if a need arises in the future a property (and associated assertions) can be defined.

b.      I agree we should have references to the various specs.

c.      I don't see a need for this either. Again if such a need arose a property and assertions could be defined at that point.

Gudge



-----Original Message-----
From: Marc Goodner [mailto:mgoodner@microsoft.com]
Sent: Thursday, October 05, 2006 9:29 AM
To: Frederick Hirsch; WS-SX OASIS
Subject: [ws-sx] Issue 114: Additional algorithm properties, assertions and references needed

Issue 114

-----Original Message-----
From: Frederick Hirsch [mailto:frederick.hirsch@nokia.com]
Sent: Thursday, October 05, 2006 6:31 AM
To: WS-SX OASIS
Cc: Hirsch Frederick; Marc Goodner
Subject: NEW Issue: Additional algorithm properties, assertions and references needed

PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL
THE ISSUE IS ASSIGNED A NUMBER.
The issues coordinators will notify the list when that has occurred.

Protocol:  ws-sp

WS-SecurityPolicy 1.2, Editors Draft 01, 01 September 2006
ws-securitypolicy-1.2-spec-ed-10

<http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/20579/ws-securitypolicy-1.2-spec-ed-01-r10.doc>

Artifact:  spec

Type: design

Title: Additional algorithm properties, assertions and references needed

Description:

a] Use of algorithms and properties needs additional material,
specifically:

Section 7.1  Algorithm Suite Assertion provides means to set values
of algorithm properties.
/sp:AlgorithmSuite/wsp:Policy/sp:InclusiveC14N can be used to set
InclusiveC14N, default is stated to be ExclusiveC14N.

1. Should provide assertion to explicitly state ExclusiveC14N, with
or without comments

2. Need means to state with or without comments, as a parameter of
InclusiveC14N assertion.

3. Provide means to allow SOAP Message normalization with true mapped
to 1 or reverse by providing parameter for
/sp:AlgorithmSuite/wsp:Policy/sp:SoapNormalization10 assertion.

4. Add signature algorithm property, to enable control over XML
Signature use, for XML Signature versioning, also to control use e.g.
to disallow Manifest usage.

b] normative references in section 1.5 required for algorithms
specified in WS-SP, e.g. for SOAP Normalization

c] Add assertion to require canonicalization of entire SOAP message
and to maintain this canonicalization

Related issues: none

Proposed Resolution:

(a) extend canonicalization algorithm definitions
(1) In 7.1 define Comments parameter for
/sp:AlgorithmSuite/wsp:Policy/sp:InclusiveC14N assertion.

/sp:AlgorithmSuite/wsp:Policy/sp:InclusiveC14N/@sp:WithComments

'true' with comments, 'false' without, not stated is 'false'

(2) in 7.1 define ExclusiveCanonicalization assertion to explicitly
set c14N property for exclusive and allow or disallow comments

/sp:AlgorithmSuite/wsp:Policy/sp:ExclusiveC14N
/sp:AlgorithmSuite/wsp:Policy/sp:ExclusiveC14N/@sp:WithComments

'true' with comments, 'false' without, not stated is 'false'

(3) in 7.1 define TrueNormalization parameter for SoapNormalization
(SNT) property as follows:

/sp:AlgorithmSuite/wsp:Policy/sp:SoapNormalization10/@sp:TrueNormalization

If not provided, value is 'true', meaning map according to
SOAPNormalization, 'relay' and 'mustUnderstand' from '1' to 'true'
otherwise from 'true' to '1'.
Purpose is to allow SOAP normalization with WS-I Basic Profile
compatibility see R1013,
<http://www.ws-i.org/Profiles/BasicProfile-1.1.html#SOAP_mustUnderstand_Attribute>

(4) Add [XML Signature] algorithm property and associated assertion

/sp:AlgorithmSuite/wsp:Policy/sp:XMLSignature10
use XML Signature Rec 12 Feb 2002 (anticipate future revisions)
/sp:AlgorithmSuite/wsp:Policy/sp:XMLSignature10/@sp:NoManifest

disallow Manifest usage if 'true', if not stated is 'false'.

(b)
Add to section 1.5 reference to <http://www.w3.org/TR/soap12-n11n/>.
Check for other normative references.

(c) add new section

6.8 [Message Canonicalization] Property and corresponding assertion

Property values:
None - default, no requirement for canonicalization of entire SOAP
message
Canonicalized - XML Canonicalization applied to SOAP entire message
FullCanonicalized - soap message and xml canonicalization applied to
entire SOAP message

Assertion:

/sp:MessageCanonicalization
/sp:MessageCanonicalization/wsp:Policy/sp:Canonicalized
/sp:MessageCanonicalization/wsp:Policy/sp:FullCanonicalized

both Canonicalized and FullCanonicalized nested assertions can take
algorithmSuite SOAPNormalization and InclusiveC14N or ExclusiveC14N
assertions.

They are also element and attribute extensible to allow for different
requirements.

----

regards, Frederick

Frederick Hirsch
Nokia
