OASIS Mailing List Archives

wss message


Subject: Issue 84 followup question on wss header blocks, intermediaries, and interleaving

Hi Hal,

I have some questions about the model you and/or WSS adopt to establish
things such as "XML Decryption transform not needed".

The implicit model does not seem general enough to formulate cases that
eventually need consideration for SOAP security situations.

In the attachment, a model with more general assumptions is presented
and an example of an "interleaving" case is mentioned. These seem to me to
be worth treating in SOAP security with intermediaries. I have not seen
how these cases are to be dealt with. I think I agree with you that the
XML decryption transform would not help in its present form, though.

There probably are ways to disallow these cases, such as permitting only
one wsse header block, but they are fairly drastic reductions in
usability. Scanning over header blocks for wsse blocks and knowing
the sequence of addition might also work even when multiple blocks are
allowed. However, to make use of this technique, wss would need to say
something about the order of wsse header block processing. The SOAP
processing model used to insist that no specific header block processing
order can be assumed, but I have not rechecked the approved SOAP version
on that detail. 

Dale Moberg

Questions concerning the model used for reasoning about complex SOAP paths and security operations for interleaving cases.doc
