

Subject: FW: [ws-sx] Issue PR020: Provide mechanism to specify signing or encryption of SwA (SOAP Messages with Attachments)


Subject: Re: [ws-sx] Issue PR020: Provide mechanism to specify signing
or encryption of SwA (SOAP Messages with Attachments)

Thanks Dale.

I have two questions:

1. Would it be simpler to have sp:SignedParts/sp:Attachment/sp:Exclude
with element content being media type?

2. Is it worth the complexity to specify exclusions?


Responses:
I followed the recipe of using the qname format for domain policy
assertions to avoid complicating the intersection/match approach for
these new assertions. Of course, the media type value could be put in an
attribute or made element content also. The exclusion functionality
would reduce security processing burdens when the proverbial cad/cam
attachment data accompanies the automotive parts order. More exotic
scenarios about active intermediary processing and avoidance of
signature breaking can also provide motivation for policies of this
sort. But I would agree that the addition is an enhancement over the
basic proposal, and could be viewed as an implementation burden by some.
Dale

regards, Frederick

Frederick Hirsch
Nokia


On Feb 20, 2007, at 11:21 AM, ext Dale Moberg wrote:

> Hi
>
> I agree with Frederick that a requirement to sign and/or encrypt all
> attachments would be the simplest, and also agree that cid information
> is not generally available at policy attachment time.
>
> One additional (potential) requirement given the above approach, would
> be to exempt kinds of attachments from security requirements. For
> example, for the media type "image/jpeg" a policy alternative could
> indicate that attachments of that type can be omitted from a WSS
> signature, as in:
>
> sp:SignedParts/sp:Attachment/sp:ExcludeImageJpeg
>
> Of course, a lot of assertions of this sort would be needed to cover
> the iana registered media types--
>
> http://www.iana.org/assignments/media-types/
>
> -----Original Message-----
> From: Frederick Hirsch [mailto:frederick.hirsch@nokia.com]
> Sent: Monday, February 19, 2007 7:46 AM
> To: ext Jan Alexander
> Cc: Frederick Hirsch; ws-sx@lists.oasis-open.org; Greg Carpenter
> Subject: Re: [ws-sx] Issue PR020: Provide mechanism to specify signing
> or encryption of SwA (SOAP Messages with Attachments)
>
> Jan
>
> Thank you for reviewing my proposal.
>
> The simplest case is to simply require all attachments to be
> signed/encrypted, presumably sign first if both.
>
> I'm not sure how a policy author would be able to state for individual
> attachments since cid's are probably not available at the time policy
> is written. Thus I'm not sure how to state meaningful policy at a
> granularity of individual attachment at policy writing time.
>
> regards, Frederick
>
> Frederick Hirsch
> Nokia
>
>
> On Feb 18, 2007, at 1:37 PM, ext Jan Alexander wrote:
>
>> Hi Frederick,
>>
>> I took an action item on the last TC call to look more into your
>> proposal below.
>>
>> In general, I agree with the proposed solution since message
>> attachments are generally considered as parts of the message.
>> However I wonder what is your proposal for identifying individual
>> attachments? Since WS-SP does not depend on WSDL and is WSDL
>> agnostic it is not clear to me how the attachment parts are
>> distinguished if there is more than one attached to the message so
>> that the individual attachments can be mapped to the respective
>> protection assertion "attachment" elements in the receiver's
>> security policy. Or is your proposal to uniformly protect all the
>> message attachments by using a single "attachment" element?
>>
>> Thanks,
>> --Jan
>>
>>
>> -----Original Message-----
>> From: Greg Carpenter [mailto:gregcarp@microsoft.com]
>> Sent: Monday, February 12, 2007 7:16 AM
>> To: ws-sx@lists.oasis-open.org
>> Cc: Frederick Hirsch
>> Subject: [ws-sx] Issue PR020: Provide mechanism to specify signing
>> or encryption of SwA (SOAP Messages with Attachments)
>>
>> Issue PR020
>>
>> -----Original Message-----
>> From: Frederick Hirsch [mailto:frederick.hirsch@nokia.com]
>> Sent: Sunday, February 11, 2007 8:09 AM
>> To: WS-SX OASIS
>> Cc: Hirsch Frederick; Carpenter Greg
>> Subject: [ws-sx] NEW Issue: Provide mechanism to specify signing or
>> encryption of SwA (SOAP Messages with Attachments)
>>
>> PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL
>> THE ISSUE IS ASSIGNED A NUMBER.
>>
>> The issues coordinators will notify the list when that has occurred.
>>
>> Protocol:  ws-securitypolicy
>> http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/21401/ws-securitypolicy-1.2-spec-cd-01.pdf
>>
>> Artifact:  spec
>>
>> Type:  design
>> Title: No means to express need to secure SOAP Messages with
>> Attachments (SwA)
>>
>> Description:
>>
>> The current specification provides no mechanism to express the
>> requirement to secure SOAP Messages with Attachments (SwA).
>>
>> Related issues:
>> None.
>>
>> Proposed Resolution:
>>
>> Add to sp:SignedParts and sp:EncryptedParts sp:SignedParts/Attachment
>> and sp:EncryptedParts/Attachment respectively.
>>
>> regards, Frederick
>>
>> Frederick Hirsch
>> Nokia
>>
>>
>
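
The receiver-side check implied by the exclusion idea discussed in this thread, as an added example that is not part of any message above or of the specification: it reads a policy in the sp:SignedParts/sp:Attachment/sp:Exclude shape (media type as element content) and reports attachments that must be signed but are not. The namespace URI, the function names and the sample message are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed policy in the shape proposed in the thread. The namespace URI is
# a placeholder (assumption), not the WS-SecurityPolicy namespace.
SP = "urn:example:proposed-sp"
POLICY = f"""
<sp:SignedParts xmlns:sp="{SP}">
  <sp:Attachment>
    <sp:Exclude>image/jpeg</sp:Exclude>
  </sp:Attachment>
</sp:SignedParts>
"""

def normalize_media_type(value):
    """Lower-case type/subtype and drop parameters such as '; name=...'."""
    return value.split(";", 1)[0].strip().lower()

def excluded_types(policy_xml):
    """Return excluded media types, or None when no Attachment assertion exists."""
    attachment = ET.fromstring(policy_xml).find(f"{{{SP}}}Attachment")
    if attachment is None:
        return None
    types = (normalize_media_type(e.text or "")
             for e in attachment.findall(f"{{{SP}}}Exclude"))
    # Drop empty entries so a part with no Content-Type is never exempted.
    return {t for t in types if t}

def unsigned_violations(policy_xml, parts, signed_cids):
    """Content-IDs of attachments the policy requires signed but which are not."""
    excluded = excluded_types(policy_xml)
    if excluded is None:          # policy says nothing about attachments
        return []
    return [cid for cid, content_type in parts
            if normalize_media_type(content_type) not in excluded
            and cid not in signed_cids]

# Constructed message: (Content-ID, declared Content-Type) per attachment.
PARTS = [
    ("order-drawing", "application/octet-stream"),
    ("photo", "IMAGE/JPEG; name=part.jpg"),
    ("terms", "text/plain; charset=utf-8"),
]

if __name__ == "__main__":
    # Only 'order-drawing' is covered by the signature in this sample.
    print(unsigned_violations(POLICY, PARTS, signed_cids={"order-drawing"}))
```

The match is made on the Content-Type the sender declares for each part, so an exclusion exempts whatever is labelled with that media type.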


