[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [wss] scenarios for first interop
Hi Chris, I've some concerns regarding test case 2. Test case 2 requires sending an SHA1(date+nonce+password), but as it has been worked out in several discussions in this list, plain text passwords are not available on all systems. As the test also includes the signature test, it would exclude quite a few implementations from participation for test 2. Instead of directly starting with tests combining multiple features, why don't we start with tests verifying the basic features of the SOAP Message security specification. Feature tests: Test 1 (U/PW Text): Send a SOAP message with SecurityHeader including a wsse:PasswordText password Test 2 (U/PW Digest): Same as #1, but with digested wsse:PasswordDigest PW Test 3 (Timestamp): Add a timestamp to the SOAP header, check if it is correctly understood. Test 4 (Timestamp+Delay): Add a timestamp and information from an intermediate. Only based on the timestamp, the message should be delayed; but with the statement of the intermediary about the delay, the message should still be accepted. Test 5 (Signature 1): Sign the header of the message and a timestamp, return a signed header Test 6 (Signature 2): Sign the body of the message and a timestamp, return a signed header Test 7 (Signature 3): Sign parts of the attachments in a Multi-part MIME SOAP message Test 8 (Signature 4): like 7, but sign all attachments Test 9 (Encryption 1): Encrypt the body of the message, return an encrypted body Test 10 (Encryption 1): Encrypt parts of the attachments in a Multi-part MIME SOAP message Test 11 (Encryption 2): like 11, but all attachments When these test are successful, we should have some composite tests: Test 100: Authentication with U/PW, result signed, timestamp signed Test 101: Authentication using signed header, result encrypted, timestamp included For later, one could also think about more complex examples, i.e. with multiple SecurityHeaders, parts of the message encrypted to be read by multiple receivers. Best Regards, Martijn de Boer SAP -----Original Message----- From: Chris Kaler [mailto:ckaler@microsoft.com] Sent: Mittwoch, 5. März 2003 11:21 To: Ahmed, Zahid; Web Services Security Cc: Burdett, David Subject: RE: [wss] scenarios for first interop We should make sure we capture these, but my guess is that 1-4 will more than cover a first interop event and we will likely need to move to a 2nd in order to cover these advanced scenarios as well as flushing out additional token types (#11 as well as others). That said, we should get these written up in more detail, along with 1-4, and see what people think they can commit to having for a first event. Chris -----Original Message----- From: Ahmed, Zahid [mailto:zahid.ahmed@commerceone.com] Sent: Wednesday, March 05, 2003 2:04 AM To: Chris Kaler; Web Services Security Cc: Burdett, David Here are some additional SOAP Message security interop test-cases that we should consider for the first or second interop event. I am numbering them after the first four that Chris Kaler has proposed just in case we decide to compile these in some interop testing document: 5. Signing and encrypting specific attachments in a Multi-part MIME SOAP message. 6. Signing and encrypting all attachments in a Multi-part MIME SOAP message. 7. Decrypting and verifying signatures of specific attachments in a Multi-part MIME SOAP message. 8. Decrypting and verifying signatures of all the attachments in a Multi-part MIME SOAP message. 9. Signing and encrypting SOAP Body and specific attachment in Multi-part MIME SOAP message. 10. Decrypting and signature verification of content in SOAP Body and required attachment in a Multi-part MIME SOAP message. 11. SOAP Message Token Processing for X.509 Certificates and SAML Tokens, e.g., for authenticating a sending web service application by a receiving web services applications. Also, #4 is quite important to flesh out in advance for #1 thru #3 and #5 thru #11. thanks, Zahid Ahmed Commerce One, Inc. -----Original Message----- From: Chris Kaler [mailto:ckaler@microsoft.com] Sent: Monday, March 03, 2003 8:32 AM To: Web Services Security Subject: [wss] scenarios for first interop I had the action to propose some initial scenarios for a first interop event. If people like these, I'll add more details like WSDL, example messages, etc. 1. Send message with U/P over SSL and get response 2. Send message with U/P-Hash and get response signed with X.509 3. Send message with X.509 signature and encrypted with key passed in EncryptedKey using recipients certificate referenced by identifier 4. Variations on algorithms (C14N, encryption, etc.) Signatures are over key headers and body. Encryption is only on body. Basically people would implement both clients and servers and then we would interchange the components. Chris ---------------------------------------------------------------- To subscribe or unsubscribe from this elist use the subscription manager: <http://lists.oasis-open.org/ob/adm.pl> ---------------------------------------------------------------- To subscribe or unsubscribe from this elist use the subscription manager: <http://lists.oasis-open.org/ob/adm.pl>
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]