Issue 164: provide means to specify which signing transform to usefor attachments

[Marc Goodner <mgoodner@microsoft.com>]

Issue 164

-----Original Message-----
From: Frederick Hirsch [mailto:frederick.hirsch@nokia.com]
Sent: Wednesday, February 06, 2008 7:28 AM
To: OASIS WS-SX
Cc: Frederick Hirsch; Marc Goodner; Greg Carpenter
Subject: NEW ISSUE: provide means to specify which signing transform to use for attachments

PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSISON THREAD UNTIL
THE ISSUE IS ASSIGNED A NUMBER.
The issues coordinators will notify the list when that has occurred.

Protocol: ws-sp

http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-
securitypolicy-1.2-spec-os.pdf

Artifact: spec

Type: design

Title: provide means to specify which signing transform to use for
attachments

Description:

Related to issue PR020
http://docs.oasis-open.org/ws-sx/issues/Issues.xml#PR020

WSS 1.1: SwA Profile allows two transforms for signature:  Attachment-
Content-Signature-Transform and Attachment-Complete- Signature-
Transform - depending on whether we need to integrity  protect just
the attachment or also the mime headers associated  with it.

Need to specify required transform.

See http://www.oasis-open.org/apps/org/workgroup/ws-sx/email/archives/
200801/msg00016.html

Proposed Resolution:

In section 4.1.1,  SignedParts Assertion

add at end:

/sp:SignedParts/sp:Attachments/sp:Content-Signature-Transform
The Attachment-Content-Signature-Transform must be used as part of
attachment protection.

/sp:SignedParts/sp:Attachments/sp:Attachment-Complete-Signature-
Transform
The Attachment-Complete-Signature-Transform must be used as part of
attachment protection. This is the default if neither
/sp:SignedParts/sp:Attachments/sp:Content-Signature-Transform or /
sp:SignedParts/sp:Attachments/sp:Attachment-Complete-Signature-
Transform are specified.


regards, Frederick

Frederick Hirsch
Nokia