OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

wss message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: SOAP MustUnderstand issue

It appears that the decision of whether mustUnderstand is true or false on a wsse:Security header block is up to the application - the SOAP Message Security specification indicates that mustUnderstand usage is optional. Is this an interoperability concern?

Does this mean that to obtain the result  of only what is used is implemented, e.g. DSAwithSHA1 vs RSAwithSHA1) means that the application should set this mustUnderstand wsse:Security header block attribute to false?

It seems that the relationship of interoperability and adequate/appropriate security processing is of concern here. If mustUnderstand is false, does that mean security is lost? I'd say no, since it is the relying party's obligation regardless to make sure policy is met - i.e. it shouldn't be driven by mustUnderstand.

Is our discussion to determine what it means if an application sets mustUnderstand to true?
Since an application can set it to false, is it harmful to take the stricter meaning that all is understood (deferring the discussion of whether that means implemented)?  Is that the consensus?

regards, Frederick

Frederick Hirsch
Nokia Mobile Phones

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]