I’m okay with the proposal below to clarify the WS-SP spec
wording around the [Signature Protection] property.
From: Duane Nickull [mailto:dnickull@adobe.com]
Sent: Thursday, June 07, 2007 9:22 AM
To: Aditya Athalye; Jan Alexander
Cc: ws-sx@lists.oasis-open.org
Subject: Re: [ws-sx] Re: Issue PR014: Signature protection semantics clarification
+1
Specific is good.
Duane Nickull
On 6/7/07 8:22 AM, "Aditya Athalye" <aditya.athalye@oracle.com> wrote:
Hi Jan,
That was a good point to include this in the [Signature Protection] property: "The primary signature element is not required to be encrypted if the value is 'true' when there is nothing else in the message that is encrypted".
However, I have a question here: instead of saying "nothing else in the message", shouldn't we be more specific and say:
"The primary signature element is not required to be encrypted if the value is 'true' when there is nothing in the message that is covered by this signature encrypted".
Let us take the following case:
<soap:Envelope>
  <soap:Body>
    <abc Id="abc">...</abc>
    <xyz Id="xyz">...</xyz>
  </soap:Body>
</soap:Envelope>
If you encrypt <abc>, and sign <xyz>, you create a signature
<ds:Signature>
  <ds:Reference URI="#xyz"/>
</ds:Signature>
Now, going by the original statement in the spec, it would be ok to encrypt this signature, whereas the element it covers is still left in the clear. In this case too, IMO, there is no significant gain in security.
If however, abc is signed using this primary signature, then encrypted, and
then if this signature was confidentiality protected, it would be more
meaningful.
So IMO, the primary signature element should be protected (when the property is true, of course) when it covers at least something which is encrypted, and not when anything in the message is encrypted, which is what I infer from the original clause.
Please share your thoughts.
Thanks
Aditya
--
Sr. Technical Evangelist - Adobe Systems, Inc.
Chair - OASIS SOA Reference Model Technical Committee
Blog: http://technoracle.blogspot.com
My Music: http://www.mix2r.com/audio/by/artist/22ndcentury
My Band: http://www.myspace.com/22ndcentury
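The case Aditya walks through above, as an added example that is not part of this thread or of the WS-SP spec: a small policy check that applies the two candidate readings of the [Signature Protection] clause to a constructed SOAP message. It assumes, for simplicity, that the encrypted <abc> element is replaced by an xenc:EncryptedData that keeps Id="abc"; the function names and the message layout are the example's own.

```python
# Added example (not from the ws-sx thread or the WS-SP spec): compares the two
# readings of the [Signature Protection] clause on a constructed SOAP message.
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "xenc": "http://www.w3.org/2001/04/xmlenc#"}
ENC_DATA = "{%s}EncryptedData" % NS["xenc"]
REFERENCE = "{%s}Reference" % NS["ds"]

# Constructed message modelled on the thread's case: <abc> is encrypted and,
# as a simplifying assumption, replaced by an EncryptedData keeping Id="abc";
# the primary signature references whichever Id the caller chooses.
TEMPLATE = """<soap:Envelope xmlns:soap="%(soap)s" xmlns:ds="%(ds)s" xmlns:xenc="%(xenc)s">
  <soap:Header>
    <ds:Signature Id="sig1"><ds:SignedInfo>
      <ds:Reference URI="#%(ref)s"/>
    </ds:SignedInfo></ds:Signature>
  </soap:Header>
  <soap:Body>
    <xenc:EncryptedData Id="abc"/>
    <xyz Id="xyz">in the clear</xyz>
  </soap:Body>
</soap:Envelope>"""

def build_message(signed_id):
    """Return the constructed envelope with the signature covering signed_id."""
    return TEMPLATE % dict(NS, ref=signed_id)

def is_encrypted(el):
    """True if the element is, or contains, an xenc:EncryptedData."""
    return any(d.tag == ENC_DATA for d in el.iter())

def signature_must_be_encrypted(xml, reading):
    """Apply [Signature Protection]='true' under one of the two readings.

    'original': the signature may stay in the clear only if nothing else in
                the message is encrypted.
    'proposed': the signature may stay in the clear only if nothing it
                covers is encrypted (the wording suggested in the thread).
    """
    root = ET.fromstring(xml)
    sig = root.find(".//ds:Signature", NS)
    ids = {el.get("Id"): el for el in root.iter() if el.get("Id")}
    if reading == "original":
        inside_sig = set(sig.iter())
        return any(el.tag == ENC_DATA for el in root.iter() if el not in inside_sig)
    if reading == "proposed":
        covered = [r.get("URI")[1:] for r in sig.iter(REFERENCE)
                   if r.get("URI", "").startswith("#")]
        return any(is_encrypted(ids[i]) for i in covered if i in ids)
    raise ValueError("unknown reading: %s" % reading)
```

With the signature over <xyz>, the original wording demands encrypting the signature even though everything it covers is in the clear, while the proposed wording does not; once the signature covers the encrypted <abc>, both readings require it.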