wss message

Subject: Comments on WSS-X509 draft 06-05 merged.pdf


Hello,

Here are comments on WSS-X509 draft 06.


0. (editorial)
Do we use "WS-Security" as the abbreviation of "Web Services Security:
SOAP Message Security"?

1. (editorial)
Lines 215-216 in 3.2.4:
| whose value SHALL be identical to the value of the wsu:Id
| attribute in the wsse:BinarySecurityToken element.

This should read:
  ... the value of the Id attribute in the ds:KeyInfo element

because the ds:KeyInfo element has its own Id attribute and does not allow
anyAttribute.


2.
The example in 3.1.1 uses two <wsse:Security> headers without an S:role
attribute. This is not allowed in the current core spec (draft 14).
And the description (in lines 285-288) also mentions two
(first/second) <wsse:Security> elements with the word "SHALL".

There are other problems in this example.
- The wsu:Id attribute is added to the <wsse:Security> element and not to
  the security token.
- The <ds:KeyInfo> element in the second <wsse:Security> element should be
  in the <xenc:EncryptedKey> element.

The structure of the current example is as follows:
--------------------------------------------------------------------------
<S:Header>                           +--> Reference to key-agreement key
  <wsse:Security wsu:Id="u">         |
    <ds:KeyInfo>         ------------+
      <ds:X509Data>...</ds:X509Data>   <--+
    </ds:KeyInfo>                         |
  </wsse:Security>                        |
                                          | Reference to reference token (wsu:Id="u")
  <wsse:Security wsu:Id="v">              |
    <ds:KeyInfo>--------------------------+
      <ds:KeyName>u</ds:KeyName>
    </ds:KeyInfo>

    <xenc:EncryptedKey>
      ...Symmetric-Key...      <-----+
    </xenc:EncryptedKey>             |
  </wsse:Security>                   |
</S:Header>                          | Reference to symmetric-key token (wsu:Id="v")
                                     |
<S:Body>                             |
  ...                                |
  <xenc:EncryptedData>               |
    <ds:KeyInfo>---------------------+
      <ds:KeyName>v</ds:KeyName>
    </ds:KeyInfo>
    <xenc:CipherData>
      <xenc:CipherValue>...</xenc:CipherValue>
    </xenc:CipherData>
  </xenc:EncryptedData>
</S:Body>
--------------------------------------------------------------------------

I think the intention here is as follows. Is this correct?
--------------------------------------------------------------------------
<S:Header>                           +--> Reference to key-agreement key
  <wsse:Security>                    |
    <ds:KeyInfo Id="u">  ------------+
      <ds:X509Data>...</ds:X509Data>   <--+
    </ds:KeyInfo>                         |
                                          |
    <xenc:EncryptedKey>                   | Reference to reference token (Id="u")
      <ds:KeyInfo>                        |
        <ds:KeyName>u</ds:KeyName>  ------+
      </ds:KeyInfo>
      <xenc:CipherData>
        ...Symmetric-Key...
      </xenc:CipherData>
      <xenc:ReferenceList>
        <xenc:DataReference URI="#XXX" /> --+
      </xenc:ReferenceList>                 |
    </xenc:EncryptedKey>                    |
  </wsse:Security>                          |
</S:Header>                                 | Reference to encrypted data (Id="XXX")
                                            |
<S:Body>                                    |
  ...                                       |
  <xenc:EncryptedData Id="XXX">     <-------+
    <xenc:CipherData>
      <xenc:CipherValue>...</xenc:CipherValue>
    </xenc:CipherData>
  </xenc:EncryptedData>
</S:Body>
--------------------------------------------------------------------------
---
NISHIMURA Toshihiro (FAMILY Given)
nishimura.toshi@jp.fujitsu.com
XML Application Technology Dept., PROJECT-A XML, FUJITSU LIMITED
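An added check, not part of this mail or of the WSS drafts, that walks the reference chain the two diagrams describe: it flags several <wsse:Security> headers without distinct S:role attributes, and verifies that an <xenc:EncryptedKey>'s ds:KeyName and each DataReference URI resolve to a ds:KeyInfo Id and an xenc:EncryptedData Id respectively. The S, wsse and wsu namespace URIs are assumptions, and both sample messages are constructed from the diagrams above.

```python
import xml.etree.ElementTree as ET

# ds and xenc are the XML Signature / XML Encryption namespaces; S, wsse and wsu are assumed.
NS = {
    "S": "http://www.w3.org/2003/05/soap-envelope",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
XMLNS = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())

def check_references(xml_text):
    """Return a list of problems in the header/key/data reference chain ([] means OK)."""
    root = ET.fromstring(xml_text)
    problems = []
    # Core spec rule cited in the mail: several wsse:Security headers need distinct S:role values.
    headers = root.findall("S:Header/wsse:Security", NS)
    roles = [h.get("{%s}role" % NS["S"]) for h in headers]
    if len(headers) > 1 and len(set(roles)) != len(roles):
        problems.append("multiple wsse:Security headers without distinct S:role attributes")
    # Unqualified Id attributes are what ds:KeyName and DataReference may point at (not wsu:Id).
    ids = {el.get("Id"): el for el in root.iter() if el.get("Id") is not None}
    for ek in root.iter("{%s}EncryptedKey" % NS["xenc"]):
        name = ek.findtext("ds:KeyInfo/ds:KeyName", namespaces=NS)
        if name is None:
            problems.append("EncryptedKey carries no ds:KeyInfo/ds:KeyName for its wrapping key")
        elif getattr(ids.get(name), "tag", None) != "{%s}KeyInfo" % NS["ds"]:
            problems.append(f"KeyName {name!r} does not resolve to a ds:KeyInfo Id")
        for ref in ek.findall("xenc:ReferenceList/xenc:DataReference", NS):
            uri = ref.get("URI", "")
            target = ids.get(uri[1:]) if uri.startswith("#") else None
            if getattr(target, "tag", None) != "{%s}EncryptedData" % NS["xenc"]:
                problems.append(f"DataReference {uri!r} does not resolve to an xenc:EncryptedData Id")
    return problems

# Constructed message following the proposed (second) structure from the mail.
PROPOSED = f"""<S:Envelope {XMLNS}><S:Header><wsse:Security><ds:KeyInfo Id="u">
<ds:X509Data>MIIB...</ds:X509Data></ds:KeyInfo><xenc:EncryptedKey><ds:KeyInfo><ds:KeyName>u</ds:KeyName>
</ds:KeyInfo><xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList>
<xenc:DataReference URI="#XXX"/></xenc:ReferenceList></xenc:EncryptedKey></wsse:Security></S:Header><S:Body>
<xenc:EncryptedData Id="XXX"><xenc:CipherData><xenc:CipherValue>BBBB</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData></S:Body></S:Envelope>"""
# Constructed message following the draft's current (first) structure from the mail.
CURRENT = f"""<S:Envelope {XMLNS}><S:Header><wsse:Security wsu:Id="u"><ds:KeyInfo>
<ds:X509Data>MIIB...</ds:X509Data></ds:KeyInfo></wsse:Security><wsse:Security wsu:Id="v"><ds:KeyInfo>
<ds:KeyName>u</ds:KeyName></ds:KeyInfo><xenc:EncryptedKey><xenc:CipherData><xenc:CipherValue>AAAA
</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></wsse:Security></S:Header><S:Body><xenc:EncryptedData>
<ds:KeyInfo><ds:KeyName>v</ds:KeyName></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>BBBB</xenc:CipherValue>
</xenc:CipherData></xenc:EncryptedData></S:Body></S:Envelope>"""
```

Running check_references(PROPOSED) returns an empty list, while check_references(CURRENT) reports both the duplicate headers without roles and the EncryptedKey that names no wrapping key.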