OASIS Mailing List Archives

 



ws-sx message



Subject: New Issue: Need provision in the spec/schema for attachment content signature


PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL THE ISSUE IS ASSIGNED A NUMBER.
The issues coordinators will notify the list when that has occurred.
 
Protocol:   ws-sc / ws-sp
 
http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/23821/ws-securitypolicy-1.2-spec-cs.pdf 
 
Artifact:  spec / schema / 

Type:
 
design 
 
Title:
 
Need provision in the spec/schema for attachment content signature
 
Description:
WS-SecurityPolicy 1.2 has a provision for integrity protection of SOAP attachments using /SignedParts/Attachments.
This is what the spec says:

Lines <461-462>
"When SOAP Message Security is used to accomplish this, all message parts other than the part containing the primary SOAP envelope are to be integrity protected."

Simply looking at this element does not clearly indicate to a service consumer whether only the attachment content or the complete attachment needs to be signed.
This can especially be a problem for service providers who reject messages NOT conforming to policy; for example, signing only the attachment content when the complete attachment is required is a policy non-conformance.

Related Issues:
 
None.
 
Proposed Resolution:
If I understand correctly, the presence of the above Attachments element inside SignedParts would mean sign all the attachments in the message (content + MIME headers). This translates to using the "Attachment-Complete" Signature Transform in SwA 1.1.

However, in that case there doesn't seem to be any provision to indicate that only the attachment content of all attachments is to be signed, and not the MIME headers (the "Attachment-ContentOnly" Transform).

Is there a plan to add an attribute to the sp:Attachments element?

We could add an optional attribute to this element, as in:

<sp:Attachments signContentOnly="true|false">

If it is absent, it could mean sign the attachment contents as well as the MIME headers; otherwise sign the content only.

 
Thanks
Aditya Athalye
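The conformance problem described in the message, as an added illustration that is not part of the original post or of any OASIS artifact: a policy consumer has to map sp:SignedParts/sp:Attachments to one of the two SwA 1.1 signature transforms, and a provider that rejects non-conforming messages has to compare the transform actually used in each cid: ds:Reference against that requirement. The signContentOnly attribute below is the hypothetical attribute proposed above (not part of WS-SecurityPolicy 1.2), and the policy, Security header and cid: values are constructed sample input. The transform URIs are the ones defined by the WSS SwA Profile 1.1.

```python
import xml.etree.ElementTree as ET

SP_NS = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SWA_NS = "http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1"
# SwA Profile 1.1 signature transforms: whole MIME part (headers + content) vs. content only
ATTACHMENT_COMPLETE = SWA_NS + "#Attachment-Complete-Signature-Transform"
ATTACHMENT_CONTENT_ONLY = SWA_NS + "#Attachment-Content-Signature-Transform"


def required_attachment_transform(policy_xml):
    """Return the SwA transform the policy demands for attachments, or None if
    sp:Attachments is absent (attachments need not be signed).

    Interprets the hypothetical signContentOnly attribute proposed in the
    message: absent or "false" means complete attachment, "true" means content only."""
    root = ET.fromstring(policy_xml)
    att = root.find(f".//{{{SP_NS}}}SignedParts/{{{SP_NS}}}Attachments")
    if att is None:
        return None
    if att.get("signContentOnly", "false").strip().lower() == "true":
        return ATTACHMENT_CONTENT_ONLY
    return ATTACHMENT_COMPLETE


def signed_attachment_transforms(security_header_xml):
    """Map each cid: URI referenced by the signature to the list of
    ds:Transform algorithms applied to it."""
    root = ET.fromstring(security_header_xml)
    result = {}
    for ref in root.iter(f"{{{DS_NS}}}Reference"):
        uri = ref.get("URI", "")
        if not uri.startswith("cid:"):
            continue  # envelope parts (e.g. #Body) are out of scope here
        result[uri] = [t.get("Algorithm") for t in ref.iter(f"{{{DS_NS}}}Transform")]
    return result


def check_conformance(policy_xml, security_header_xml, attachment_cids):
    """Return a list of policy violations for the given message attachments
    (empty list means the signature conforms to the attachment policy)."""
    required = required_attachment_transform(policy_xml)
    if required is None:
        return []
    signed = signed_attachment_transforms(security_header_xml)
    problems = []
    for cid in attachment_cids:
        transforms = signed.get(cid)
        if transforms is None:
            problems.append(f"{cid}: not signed, but policy requires all attachments signed")
        elif required not in transforms:
            problems.append(f"{cid}: signed with {transforms}, policy requires {required}")
    return problems


# Constructed sample policy fragments (signContentOnly is the proposed, hypothetical attribute)
POLICY_DEFAULT = f"""<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:sp="{SP_NS}">
  <sp:SignedParts><sp:Body/><sp:Attachments/></sp:SignedParts>
</wsp:Policy>"""
POLICY_CONTENT_ONLY = f"""<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:sp="{SP_NS}">
  <sp:SignedParts><sp:Body/><sp:Attachments signContentOnly="true"/></sp:SignedParts>
</wsp:Policy>"""

# Constructed Security header: one attachment signed content-only, one signed complete.
# DigestValue is a placeholder; digest verification is not shown here.
SECURITY_HEADER = f"""<wsse:Security
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:ds="{DS_NS}">
  <ds:Signature><ds:SignedInfo>
    <ds:Reference URI="cid:invoice.pdf@example.com">
      <ds:Transforms><ds:Transform Algorithm="{ATTACHMENT_CONTENT_ONLY}"/></ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue>
    </ds:Reference>
    <ds:Reference URI="cid:photo.jpg@example.com">
      <ds:Transforms><ds:Transform Algorithm="{ATTACHMENT_COMPLETE}"/></ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo></ds:Signature>
</wsse:Security>"""

MESSAGE_ATTACHMENTS = ["cid:invoice.pdf@example.com", "cid:photo.jpg@example.com",
                       "cid:notes.txt@example.com"]

if __name__ == "__main__":
    for name, policy in (("default", POLICY_DEFAULT), ("content-only", POLICY_CONTENT_ONLY)):
        print(f"policy {name}: requires {required_attachment_transform(policy)}")
        for p in check_conformance(policy, SECURITY_HEADER, MESSAGE_ATTACHMENTS) or ["conforms"]:
            print("  ", p)
```

With the default policy the invoice attachment is rejected because it was signed content-only while the provider reads a bare sp:Attachments as "complete", which is exactly the interoperability hazard the message raises; the unsigned notes.txt is rejected under either reading.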

