PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSISON THREAD UNTIL THE ISSUE IS ASSIGNED A NUMBER.
The issues coordinators will notify the list when that has occurred.
Protocol: ws-sp
http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/23821/ws-securitypolicy-1.2-spec-cs.pdf
Artifact: spec
Type:
editorial
Title:
Restriction on Encryption of Headers
Description:
Not sure if this has been already posted, and answered.
Lines <526-529>
"Such encryption will encrypt such elements using WSS 1.1 Encrypted Headers.
As such, if WSS 1.1 Encrypted Headers are not supported by a service,
then this element cannot be used to specify headers that require encryption using message level security."
Does this mean, that if as a service provider, I cannot understand what a <EncryptedHeader> means,
then clients requesting this service cannot encrypt any of the request soap headers using message level security?
Related Issues:
None.
Proposed Resolution:
I agree that <EncryptedHeader> could help protect sensitive attributes on the soap header, but I doubt if
<EncryptedHeader> has gained sufficient popularity amongst implementors. I believe till the time, it is universally adopted,
and implemented by all, the above restriction of not being able to use message level security for header confidentiality
should not be in place.
This IMO can hurt interoperability between vendors who support this, and those who don't.Furthermore, till such time,
<EncryptedData> can be used by service providers and requestors.
Thanks
Aditya