[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Comments on WSS-X509 draft 06-05 merged.pdf
Hello,

Here are comments on WSS-X509 draft 06.

0. (editorial) Do we use "WS-Security" as the abbreviation of "Web Services Security: SOAP Message Security"?

1. (editorial) Lines 215-216 in 3.2.4:

| whose value SHALL be identical to the value of the wsu:Id
| attribute in the wsse:BinarySecurityToken element.

This should read:

... the value of the Id attribute in the ds:KeyInfo element

because the ds:KeyInfo element has its own Id attribute and doesn't allow anyAttribute.

2. The example in 3.1.1 uses two <wsse:Security> headers without an S:role attribute. This is not allowed in the current core spec (draft 14). And the description (in lines 285-288) also mentions two (first/second) <wsse:Security> elements with the word "SHALL".

There are other problems in this example.

- The wsu:Id attribute is added to the <wsse:Security> element and not to the security token.
- The <ds:KeyInfo> element in the second <wsse:Security> element should be in the <xenc:EncryptedKey> element.

The structure of the current example is as follows:

--------------------------------------------------------------------------
<S:Header>                                  +--> Reference to key-agreement key
  <wsse:Security wsu:Id="u">                |
    <ds:KeyInfo> ------------+              |
      <ds:X509Data>...</ds:X509Data> <--+
    </ds:KeyInfo>                       |
  </wsse:Security>                      |
                                        |   Reference to reference token (wsu:Id="u")
  <wsse:Security wsu:Id="v">            |
    <ds:KeyInfo>------------------------+
      <ds:KeyName>u</ds:KeyName>
    </ds:KeyInfo>
    <xenc:EncryptedKey>
      ...Symmetric-Key...   <-----+
    </xenc:EncryptedKey>          |
  </wsse:Security>                |
</S:Header>                       |   Reference to symmetric-key token (wsu:Id="v")
                                  |
<S:Body>                          |
  ...                             |
  <xenc:EncryptedData>            |
    <ds:KeyInfo>------------------+
      <ds:KeyName>v</ds:KeyName>
    </ds:KeyInfo>
    <xenc:CipherData>
      <xenc:CipherValue>...</xenc:CipherValue>
    </xenc:CipherData>
  </xenc:EncryptedData>
</S:Body>
--------------------------------------------------------------------------

I think that the intention here is as follows. Is this correct?
--------------------------------------------------------------------------
<S:Header>                                  +--> Reference to key-agreement key
  <wsse:Security>                           |
    <ds:KeyInfo Id="u"> ------------+       |
      <ds:X509Data>...</ds:X509Data> <--+
    </ds:KeyInfo>                       |
                                        |
    <xenc:EncryptedKey>                 |   Reference to reference token (Id="u")
      <ds:KeyInfo>                      |
        <ds:KeyName>u</ds:KeyName> -----+
      </ds:KeyInfo>
      <xenc:CipherData>
        ...Symmetric-Key...
      </xenc:CipherData>
      <xenc:ReferenceList>
        <xenc:DataReference URI="#XXX" /> --+
      </xenc:ReferenceList>                 |
    </xenc:EncryptedKey>                    |
  </wsse:Security>                          |
</S:Header>                                 |   Reference to encrypted data (Id="XXX")
                                            |
<S:Body>                                    |
  ...                                       |
  <xenc:EncryptedData Id="XXX"> <-----------+
    <xenc:CipherData>
      <xenc:CipherValue>...</xenc:CipherValue>
    </xenc:CipherData>
  </xenc:EncryptedData>
</S:Body>
--------------------------------------------------------------------------

---
NISHIMURA Toshihiro (FAMILY Given)
nishimura.toshi@jp.fujitsu.com
XML Application Technology Dept., PROJECT-A XML, FUJITSU LIMITED
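The reference chain in the proposed structure, as an added example that is not part of the original post or of the draft: a small Python checker that walks a constructed message laid out the way the post proposes (one wsse:Security header, ds:KeyInfo carrying its own Id, xenc:EncryptedKey whose ds:KeyName points at that Id, and an xenc:ReferenceList pointing at the xenc:EncryptedData in the body), and that also flags the two-role-less-headers shape the post objects to. The namespace URIs, element names in the sample, and the cipher values are assumptions for this example; the 2003 drafts bound the prefixes to other URIs.

```python
"""Walk the key/data reference chain of a WS-Security X.509 + XML Encryption header.

Constructed example (not from the draft or the poster): the SAMPLE encodes the
corrected layout, TWO_HEADERS_SAMPLE the shape with two role-less
wsse:Security headers, DANGLING_SAMPLE a DataReference that resolves nowhere.
"""
import xml.etree.ElementTree as ET

# Assumed namespace URIs (SOAP 1.2, OASIS WSS 1.0, XML DSig, XML Enc). The
# 2003 drafts bound these prefixes to other URIs; adjust to the document in hand.
NS = {
    "S": "http://www.w3.org/2003/05/soap-envelope",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}


def q(prefix, local):
    """Clark-notation name ({uri}local) for ElementTree attribute/tag lookups."""
    return "{%s}%s" % (NS[prefix], local)


# Constructed sample following the proposed structure; cipher values are dummies.
SAMPLE = """<S:Envelope xmlns:S="%(S)s" xmlns:wsse="%(wsse)s"
  xmlns:ds="%(ds)s" xmlns:xenc="%(xenc)s">
  <S:Header>
    <wsse:Security>
      <ds:KeyInfo Id="u">
        <ds:X509Data>
          <ds:X509IssuerSerial>
            <ds:X509IssuerName>CN=Example CA</ds:X509IssuerName>
            <ds:X509SerialNumber>12345</ds:X509SerialNumber>
          </ds:X509IssuerSerial>
        </ds:X509Data>
      </ds:KeyInfo>
      <xenc:EncryptedKey>
        <ds:KeyInfo><ds:KeyName>u</ds:KeyName></ds:KeyInfo>
        <xenc:CipherData><xenc:CipherValue>c3ltbWV0cmljLWtleQ==</xenc:CipherValue></xenc:CipherData>
        <xenc:ReferenceList><xenc:DataReference URI="#XXX"/></xenc:ReferenceList>
      </xenc:EncryptedKey>
    </wsse:Security>
  </S:Header>
  <S:Body>
    <xenc:EncryptedData Id="XXX">
      <xenc:CipherData><xenc:CipherValue>Y2lwaGVydGV4dA==</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </S:Body>
</S:Envelope>""" % NS

# Variant with a second wsse:Security header that carries no S:role (constructed).
TWO_HEADERS_SAMPLE = SAMPLE.replace("<S:Header>", "<S:Header><wsse:Security/>", 1)
# Variant whose DataReference points at an Id that exists nowhere (constructed).
DANGLING_SAMPLE = SAMPLE.replace('URI="#XXX"', 'URI="#YYY"', 1)


def parse(text):
    return ET.fromstring(text)


def duplicate_security_roles(root):
    """Core-spec rule: one wsse:Security per S:role, and at most one with no role.
    Returns the roles that occur more than once; None stands for 'no role'."""
    header = root.find("S:Header", NS)
    roles = [sec.get(q("S", "role")) for sec in header.findall("wsse:Security", NS)]
    return sorted({r for r in roles if roles.count(r) > 1}, key=str)


def resolve_chain(root):
    """Follow KeyName -> ds:KeyInfo/@Id and DataReference/@URI -> EncryptedData/@Id.
    Raises ValueError on any reference that does not resolve to exactly one target."""
    security = root.find("S:Header/wsse:Security", NS)
    # ds:KeyInfo carries its own unprefixed Id; its schema allows no wsu:Id there.
    key_infos = {ki.get("Id"): ki for ki in security.findall("ds:KeyInfo", NS) if ki.get("Id")}
    enc_key = security.find("xenc:EncryptedKey", NS)
    key_name = enc_key.findtext("ds:KeyInfo/ds:KeyName", namespaces=NS)
    if key_name not in key_infos:
        raise ValueError("KeyName %r does not match a ds:KeyInfo/@Id in this header" % key_name)
    if key_infos[key_name].find("ds:X509Data", NS) is None:
        raise ValueError("ds:KeyInfo %r carries no X509Data for the key-agreement key" % key_name)
    targets = []
    for ref in enc_key.findall("xenc:ReferenceList/xenc:DataReference", NS):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            raise ValueError("only same-document references are expected, got %r" % uri)
        hits = [e for e in root.iter(q("xenc", "EncryptedData")) if e.get("Id") == uri[1:]]
        if len(hits) != 1:
            raise ValueError("DataReference %r matches %d EncryptedData elements" % (uri, len(hits)))
        targets.append(uri[1:])
    return {"key_agreement_keyinfo": key_name, "encrypted_data": targets}


if __name__ == "__main__":
    print(resolve_chain(parse(SAMPLE)))
    print(duplicate_security_roles(parse(TWO_HEADERS_SAMPLE)))
```

The checker insists that every reference resolve to exactly one element, since an Id that matches zero or several targets is exactly the ambiguity that lets a decryptor or verifier pick a different element than the sender intended.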