From: Aditya Athalye
Sent: Tuesday, June 05, 2007 3:39 AM
Cc: Marc Goodner
Subject: [ws-sx] New Issue: Need provision in the spec/schema for
attachment content signature
PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL THE ISSUE IS ASSIGNED A NUMBER.
The issues coordinators will notify the list when that has occurred.
Protocol: ws-sc / ws-sp
Artifact: spec / schema /
Need provision in the spec/schema for attachment content signature
The WS-Sec Policy 1.2 has provision for integrity
protection of SOAP attachments using /signedParts/Attachments.
This is what the spec says:
"When SOAP Message Security is used to accomplish this, all message
parts other than the part containing the primary SOAP envelope are to be
Simply looking at this element does not clearly indicate to a service consumer whether
attachment content only or the complete attachment needs to be signed.
This can especially be a problem for service providers who reject messages NOT
conforming to policy; for example, signing only attachment content when complete
is required is a policy non-conformance.
If I understand correctly, the presence of the above Attachments element inside SignedParts would mean sign all the attachments
in the message (Content + MIME Headers). This translates to using the "Attachment-Complete" Signature Transform in SwA 1.1.
However, in that case there doesn't seem to be any provision to indicate that only Attachment content of all attachments
is to be signed, and not the MIME headers (Attachment-ContentOnly Transform).
Is there a plan to add an attribute to the sp:Attachments element?
We could add an optional attribute to this as:
If it is absent it could mean sign the attachment contents as well as Headers, else sign content only.
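
The provider-side conformance check this issue is concerned with, as an added example that is not part of the original email or of any WS-SX specification text: it reads the SwA 1.1 transform on each `cid:` reference in a signature and reports attachments signed more weakly than the policy requires. The sample `SignedInfo`, the attachment names and the `require_complete` parameter are constructed for illustration; digest and signature verification are out of scope here.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SWA = "http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#"
COMPLETE = SWA + "Attachment-Complete-Signature-Transform"     # content + MIME headers
CONTENT_ONLY = SWA + "Attachment-Content-Signature-Transform"  # content only

# Constructed sample: SignedInfo referencing two attachments (digests are dummies).
SAMPLE_SIGNED_INFO = f"""
<ds:SignedInfo xmlns:ds="{DS}">
  <ds:Reference URI="cid:invoice">
    <ds:Transforms><ds:Transform Algorithm="{COMPLETE}"/></ds:Transforms>
    <ds:DigestValue>AAAA</ds:DigestValue>
  </ds:Reference>
  <ds:Reference URI="cid:photo">
    <ds:Transforms><ds:Transform Algorithm="{CONTENT_ONLY}"/></ds:Transforms>
    <ds:DigestValue>BBBB</ds:DigestValue>
  </ds:Reference>
</ds:SignedInfo>
"""

def attachment_coverage(signed_info_xml):
    """Map each cid: reference to 'complete', 'content-only' or 'none'."""
    root = ET.fromstring(signed_info_xml.strip())
    coverage = {}
    for ref in root.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        if not uri.startswith("cid:"):
            continue  # not an attachment reference
        algs = {t.get("Algorithm") for t in ref.iter(f"{{{DS}}}Transform")}
        if COMPLETE in algs:
            coverage[uri[4:]] = "complete"
        elif CONTENT_ONLY in algs:
            coverage[uri[4:]] = "content-only"
        else:
            coverage[uri[4:]] = "none"
    return coverage

def policy_violations(signed_info_xml, attachment_ids, require_complete=True):
    """Return attachments whose signature coverage is weaker than required.

    Assumption: when the policy asks for content only, a complete signature
    is also accepted because it covers a superset of the bytes.
    """
    coverage = attachment_coverage(signed_info_xml)
    accepted = {"complete"} if require_complete else {"complete", "content-only"}
    return sorted(c for c in attachment_ids if coverage.get(c, "none") not in accepted)
```

An attachment that is present in the message but has no `cid:` reference at all is reported as a violation in both modes.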