Subject: New Issue: Need provision in the spec/schema for attachment content signature
PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL THE ISSUE IS ASSIGNED A NUMBER.
The issues coordinators will notify the list when that has occurred.
Protocol: ws-sc / ws-sp
Artifact: spec / schema /
Need provision in the spec/schema for attachment content signature
Description: The WS-Sec Policy 1.2 has provision for integrity protection of SOAP attachments using /signedParts/Attachments.
This is what the spec says:
"When SOAP Message Security is used to accomplish this, all message parts other than the part containing the primary SOAP envelope are to be integrity protected.."
Simply looking at this element does not clearly indicate to a service consumer whether attachment content only or the complete attachment needs to be signed.
This can especially be a problem for service providers who reject messages NOT conforming to policy; for example, signing only attachment content when complete is required is a policy non-conformance.

If I understand correctly, the presence of the above Attachments element inside SignedParts would mean sign all the attachments in the message (Content + MIME Headers). This translates to using the "Attachment-Complete" Signature Transform in SwA 1.1. However, in that case there doesn't seem to be any provision to indicate that only the attachment content of all attachments is to be signed, and not the MIME headers (the Attachment-ContentOnly Transform).

Is there a plan to add an attribute to the sp:Attachments element? We could add an optional attribute to this as:

<sp:Attachments signContentOnly="true|false">

If it is absent, it could mean sign the attachment contents as well as the headers; else sign content only.
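
Added example (not part of the original message and not code from the specification): a simplified Python model of the two signing scopes discussed above, showing that a MIME header changed in transit is caught only when the headers are inside the signed data. The header set, the serialization, the sample attachment and the use of the proposed signContentOnly flag as a parameter are assumptions for illustration; the real SwA transforms apply their own canonicalization rules.

```python
import hashlib

# Assumed set of covered MIME headers for this sketch (the real transform
# also canonicalizes header values and parameters, which is omitted here).
COVERED = ("content-description", "content-disposition",
           "content-id", "content-location", "content-type")

def digest_content_only(headers, body):
    """Content-only scope: digest covers the attachment octets, not the headers."""
    return hashlib.sha256(body).hexdigest()

def digest_complete(headers, body):
    """Complete scope: digest covers the selected MIME headers plus the octets."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    h = hashlib.sha256()
    for name in sorted(COVERED):
        if name in lowered:
            h.update(f"{name}:{lowered[name]}\r\n".encode("utf-8"))
    h.update(b"\r\n" + body)
    return h.hexdigest()

def verify(sign_content_only, signed_digest, headers, body):
    """Receiver side: recompute the digest under the scope the policy states."""
    fn = digest_content_only if sign_content_only else digest_complete
    return fn(headers, body) == signed_digest

# Constructed sample attachment; only Content-Type differs on receipt.
SENT_HEADERS = {"Content-Type": "text/plain", "Content-ID": "<att-1@example.org>"}
SENT_BODY = b"quarterly figures, constructed sample\n"
RECEIVED_HEADERS = {**SENT_HEADERS, "Content-Type": "application/xml"}

def header_change_detected(sign_content_only):
    """True if verification fails when only a MIME header was altered."""
    fn = digest_content_only if sign_content_only else digest_complete
    signed = fn(SENT_HEADERS, SENT_BODY)
    return not verify(sign_content_only, signed, RECEIVED_HEADERS, SENT_BODY)

if __name__ == "__main__":
    for flag in (True, False):
        print(f"signContentOnly={flag}: header change detected = "
              f"{header_change_detected(flag)}")
```

A provider that requires the complete scope and a consumer that signs content only will disagree on the digest input, which is the policy non-conformance the message describes.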