Subject: RE: [wss] Issue 206 - Decryption by Intermediaries


> From: Hal Lockhart [mailto:hlockhar@bea.com]
>
> I volunteered because I thought I understood this one, but now I am really scratching my head. My best guess is that the first sentence is missing a "not".

No, I think the first paragraph is correct (but unclear) the way it is.

> Current text:
>
> Parts of a SOAP message may be encrypted in such a way that they can be decrypted by an intermediary that is targeted by one of the SOAP headers. Consequently, the exact behavior of intermediaries with respect to encrypted data is undefined and requires an out-of-band agreement.

The problem is that the SOAP headers are each addressed at different intermediaries (I strongly disagree with the SOAP 1.2 choice of "role" as a name for this...), but, in the absence of other information, there is no implied ordering on the processing of these headers.

Thus, if (for example) one of the headers includes an encryption and another header includes a signature or (for another example) one header encrypts three elements within the body and another header encrypts the entire body (including the previously encrypted nested elements), processing may fail depending on which order the intermediaries process the headers. Since SOAP doesn't give us a way to enforce the ordering, we want to clearly indicate that some out-of-band agreement is necessary.

 - irving -
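To make the ordering argument above concrete, here is an added example that is not part of the thread or of any WSS implementation: it simulates two intermediary roles each undoing its own security header, in both possible orders, for the sign-plus-encrypt and nested-encryption cases the message describes. The toy primitives, role names ("roleA", "roleB") and keys are constructed stand-ins, not XML Signature or XML Encryption.

```python
import hashlib, hmac

# Constructed toy primitives standing in for XML Signature / XML Encryption (not real ones).
_mac = lambda key, data: hmac.new(key, data, hashlib.sha256).digest()
def _xor(key, data):  # symmetric keystream XOR, same call for both directions
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))
def toy_encrypt(key, data):
    ct = _xor(key, data)
    return ct + _mac(key, ct)  # tag makes decryption fail closed on the wrong layer
def toy_decrypt(key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(key, ct)):
        raise ValueError("body is not this header's ciphertext")
    return _xor(key, ct)

# Sender side: apply security headers (role, op, key) to the body in sender order.
def build_message(body, headers):
    msg = {"body": body, "headers": []}
    for role, op, key in headers:
        if op == "encrypt":
            msg["body"] = toy_encrypt(key, msg["body"])
            msg["headers"].append({"role": role, "op": op})
        else:  # a signature covers whatever the body is at the moment it is computed
            msg["headers"].append({"role": role, "op": op, "sig": _mac(key, msg["body"])})
    return msg

# Intermediary side: each role in `order` acts only on its own header; SOAP fixes no such order.
def process(msg, keys, order):
    body, by_role = msg["body"], {h["role"]: h for h in msg["headers"]}
    for role in order:
        h = by_role[role]
        if h["op"] == "encrypt":
            body = toy_decrypt(keys[role], body)
        elif not hmac.compare_digest(h["sig"], _mac(keys[role], body)):
            raise ValueError(f"signature for {role} does not verify over the current body")
    return body

def demo(body=b"<Body>order 42</Body>"):
    keys = {"roleA": b"constructed-key-A", "roleB": b"constructed-key-B"}
    out = {}
    for name, ops in {"sign_then_encrypt": ("sign", "encrypt"), "nested_encrypt": ("encrypt", "encrypt")}.items():
        msg = build_message(body, [("roleA", ops[0], keys["roleA"]), ("roleB", ops[1], keys["roleB"])])
        for order in (("roleB", "roleA"), ("roleA", "roleB")):  # only the first undoes the layers in reverse
            try:
                out[(name, order)] = process(msg, keys, order)
            except ValueError as e:
                out[(name, order)] = "FAILED: " + str(e)
    return out
```

Only the order that reverses the sender's application order recovers the body; the other order fails at the first header it reaches, which is exactly why the text says an out-of-band agreement is needed.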
