Subject: Re: [ws-sx] Issue PR020: Provide mechanism to specify signing or encryption of SwA (SOAP Messages with Attachments)
> When this proposal was discussed did we decide how to choose
> between these two transforms from WS-SecurityPolicy?

No

> If not I think we need to provide some additional information (an
> attribute on sp:Attachments maybe) to make this implementation
> complete.

An attribute sounds reasonable. Thoughts on this, especially from those with implementations?

Marc/Greg - perhaps we need a new issue for point Ashutosh has raised.

regards, Frederick

Frederick Hirsch
Nokia

On Jan 30, 2008, at 12:38 AM, ext Ashutosh Shahi wrote:

> Hello Frederick and Jan,
>
> WSS 1.1: SwA Profile allows two transforms for signature:
> Attachment-Content-Signature-Transform and
> Attachment-Complete-Signature-Transform - depending on whether we
> need to integrity protect just the attachment or also the mime
> headers associated with it.
>
> When this proposal was discussed did we decide how to choose
> between these two transforms from WS-SecurityPolicy? If not I think
> we need to provide some additional information (an attribute on
> sp:Attachments maybe) to make this implementation complete.
>
> Thanks,
> Ashutosh
>
> Frederick Hirsch wrote:
>> Attached is red-lined proposal for issue PR020 in Word and PDF.
>>
>> The proposal contains three changes:
>>
>> 1) Add references to WSS 1.1 SwA Profile and SwA in normative
>> references section (lines 157 and 235 in PDF)
>>
>> 2) Add definition of SignedParts/Attachment element to end of
>> 4.1.1 (line 449 pdf) and add <sp:Attachments />? to syntax box
>> (line 421 pdf).
>>
>> 3) Add definition of EncryptedParts/Attachment element to end of
>> 4.2.1 (line 530 pdf) and add <sp:Attachments />? to syntax box
>> (line 500 pdf).
>>
>> Note that order of signing and encryption is dealt with in 6.3
>> with the Protection Order property and this property should also
>> apply to attachments.
>>
>> regards, Frederick
>>
>> Frederick Hirsch
>> Nokia
>>
>>
>> On Feb 19, 2007, at 12:51 PM, ext Jan Alexander wrote:
>>
>>> Frederick,
>>>
>>> Yes, that was exactly my issue. Uniformly protecting all
>>> attachments sounds like a reasonable approach to me.
>>>
>>> I think it would help if you provide more detailed wording for
>>> your proposal so that editors can just use it in the document
>>> when the issue gets accepted by the TC.
>>>
>>> Thanks,
>>> --Jan
>>>
>>> -----Original Message-----
>>> From: Frederick Hirsch [mailto:frederick.hirsch@nokia.com]
>>> Sent: Monday, February 19, 2007 6:46 AM
>>> To: Jan Alexander
>>> Cc: Frederick Hirsch; ws-sx@lists.oasis-open.org; Greg Carpenter
>>> Subject: Re: [ws-sx] Issue PR020: Provide mechanism to specify
>>> signing or encryption of SwA (SOAP Messages with Attachments)
>>>
>>> Jan
>>>
>>> Thank you for reviewing my proposal.
>>>
>>> The simplest case is to simply require all attachments to be
>>> signed/encrypted, presumably sign first if both.
>>>
>>> I'm not sure how policy author would be able to state for individual
>>> attachments since cid's are probably not available at the time
>>> policy is written. Thus I'm not sure how to state meaningful policy
>>> at a granularity of individual attachment at policy writing time.
>>>
>>> regards, Frederick
>>>
>>> Frederick Hirsch
>>> Nokia
>>>
>>>
>>> On Feb 18, 2007, at 1:37 PM, ext Jan Alexander wrote:
>>>
>>>> Hi Frederick,
>>>>
>>>> I took an action item on the last TC call to look more into your
>>>> proposal below.
>>>>
>>>> In general, I agree with the proposed solution since message
>>>> attachments are generally considered as parts of the message.
>>>> However I wonder what is your proposal for identifying individual
>>>> attachments? Since WS-SP does not depend on WSDL and is WSDL
>>>> agnostic it is not clear to me how the attachment parts are
>>>> distinguished if there is more than one attached to the message so
>>>> that the individual attachments can be mapped to the respective
>>>> protection assertion "attachment" elements in the receiver's
>>>> security policy. Or is your proposal to uniformly protect all the
>>>> message attachments by using a single "attachment" element?
>>>>
>>>> Thanks,
>>>> --Jan
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Greg Carpenter [mailto:gregcarp@microsoft.com]
>>>> Sent: Monday, February 12, 2007 7:16 AM
>>>> To: ws-sx@lists.oasis-open.org
>>>> Cc: Frederick Hirsch
>>>> Subject: [ws-sx] Issue PR020: Provide mechanism to specify signing
>>>> or encryption of SwA (SOAP Messages with Attachments)
>>>>
>>>> Issue PR020
>>>>
>>>> -----Original Message-----
>>>> From: Frederick Hirsch [mailto:frederick.hirsch@nokia.com]
>>>> Sent: Sunday, February 11, 2007 8:09 AM
>>>> To: WS-SX OASIS
>>>> Cc: Hirsch Frederick; Carpenter Greg
>>>> Subject: [ws-sx] NEW Issue: Provide mechanism to specify signing or
>>>> encryption of SwA (SOAP Messages with Attachments)
>>>>
>>>> PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD
>>>> UNTIL THE ISSUE IS ASSIGNED A NUMBER.
>>>>
>>>> The issues coordinators will notify the list when that has
>>>> occurred.
>>>>
>>>> Protocol: ws-securitypolicy
>>>> http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/21401/ws-securitypolicy-1.2-spec-cd-01.pdf
>>>>
>>>> Artifact: spec
>>>>
>>>> Type: design
>>>> Title: No means to express need to secure SOAP Messages with
>>>> Attachments (SwA)
>>>>
>>>> Description:
>>>>
>>>> The current specification provides no mechanism to express the
>>>> requirement to secure SOAP Messages with Attachments (SwA).
>>>>
>>>> Related issues:
>>>> None.
>>>>
>>>> Proposed Resolution:
>>>>
>>>> Add to sp:SignedParts and sp:EncryptedParts
>>>> sp:SignedParts/Attachment and sp:EncryptedParts/Attachment
>>>> respectively.
>>>>
>>>> regards, Frederick
>>>>
>>>> Frederick Hirsch
>>>> Nokia
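
Added illustration, not part of the thread or of any WS-SX or WSS document: a simplified Python model of why the choice between the two SwA signature transforms matters to a verifier. The protected header list, the canonical form and the sample attachment are assumptions made for this sketch; the normative rules are in the WSS 1.1 SwA Profile.

```python
import hashlib

# Assumption: MIME headers covered in "complete" mode. The normative list and
# canonicalization rules come from the WSS 1.1 SwA Profile, not this sketch.
PROTECTED_HEADERS = ("content-description", "content-disposition",
                     "content-id", "content-location", "content-type")

def content_octets(part):
    """Model of Attachment-Content-Signature-Transform: attachment body only."""
    return part["body"]

def complete_octets(part):
    """Model of Attachment-Complete-Signature-Transform: headers plus body."""
    headers = {k.lower(): " ".join(v.split()) for k, v in part["headers"].items()}
    lines = [f"{n}:{headers[n]}" for n in PROTECTED_HEADERS if n in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("utf-8") + part["body"]

TRANSFORMS = {"content": content_octets, "complete": complete_octets}

def digest(part, mode):
    """Digest over the transform output, as a signature reference would carry."""
    return hashlib.sha256(TRANSFORMS[mode](part)).hexdigest()

def tamper_detected(signed, received, mode):
    """True when the received part no longer matches the signed digest."""
    return digest(signed, mode) != digest(received, mode)

def with_header(part, name, value):
    """Copy of a part with one MIME header replaced or added."""
    return {"headers": {**part["headers"], name: value}, "body": part["body"]}

# Constructed sample attachment (not from the thread).
SENT = {
    "headers": {"Content-Type": "application/pdf",
                "Content-ID": "<invoice-1@example.org>",
                "Content-Disposition": 'attachment; filename="invoice.pdf"'},
    "body": b"%PDF-1.4 constructed sample bytes",
}
HEADER_CHANGED = with_header(SENT, "Content-Type", "text/html")
BODY_CHANGED = {"headers": dict(SENT["headers"]), "body": SENT["body"] + b"X"}

def summary():
    """Which kinds of in-transit modification each mode detects."""
    return {mode: {"header": tamper_detected(SENT, HEADER_CHANGED, mode),
                   "body": tamper_detected(SENT, BODY_CHANGED, mode)}
            for mode in TRANSFORMS}

if __name__ == "__main__":
    for mode, result in summary().items():
        print(mode, result)
```

A policy that cannot say which transform is required leaves the receiver unable to tell whether a changed Content-Type on a signed attachment should fail verification.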