
Subject: Re: [wss] [WSS] Questions on STR Transform

>   Hi Team,
>   We are still a bit unclear on how to implement STR Transform. Here are
>   a few comments from my colleague Werner Dittman.
>   - does the result of the STR Transform replace the
>     whole SecurityTokenReference element including its
>     descendants or does it replace only the relevant
>     reference elements inside the STR, e.g. Reference
>     or X509IssuerSerial and their descendants, and leave
>     the STR element untouched?
>     IMO that's not very clear from the specs. Examples would
>     be helpful :-)  (similar to those in the c14n
>     specs).

The SecurityTokenReference element and its children
should be replaced.

>   - if STR Transform is applied to e.g. an X509IssuerSerial
>     reference we have to distinguish two main cases:
>     a) the X509 certificate is included in the message as
>        BinarySecurityToken
>     b) the X509 certificate is in some certificate store.
>     While performing the STR Transform, then for
>     Case a): replace the relevant SecurityToken
>     element with the BST directly without modification.
>     (This is clearly specified. However, there were some
>      discussion if the token shall be decoded into
>      binary data or left as Base64 encoded data.)
>     Case b): wrap the "binary data" in a BST. AFAIK X509
>     certificates can be represented in several ways as
>     "binary data": ASN.1 encoded, PKCS format, maybe others.
>     IMO, it's not enough to just state "binary data", in most
>     cases some more specification is necessary.

As far as I understand it, in either case a _new_ BST will
be used. X.509 certificates are always considered raw binary
security tokens and encoded as per the X.509 profile.

The XML replacement mode is only used for:
  . Same-document URI reference
  . Embedded (in which case child elements replace the STR
    element; whitespace and comments are ignored)
  . KeyIdentifier or other for an XML token type
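
The two replacement behaviours described in this reply (copy the existing BST in for a same-document Reference; wrap raw X.509 bytes in a new BST otherwise), as an added Python example that is not from the thread or from any WSS implementation. The namespace and ValueType URIs are assumed WSS 1.0 values, resolve_cert is a hypothetical certificate-store hook, and the sample header and token bytes are constructed placeholders.

```python
import base64
import copy
import xml.etree.ElementTree as ET

# Namespace and ValueType URIs: assumed WSS 1.0 values (not quoted in the thread).
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"

def str_transform(security, resolve_cert):
    """Return a copy of <wsse:Security> with every SecurityTokenReference, descendants
    included, replaced by a BinarySecurityToken. resolve_cert(str_elem) -> DER bytes is
    a hypothetical hook standing in for the certificate-store lookup of case b)."""
    sec = copy.deepcopy(security)
    bst_tag, str_tag = f"{{{WSSE}}}BinarySecurityToken", f"{{{WSSE}}}SecurityTokenReference"
    by_id = {t.get(f"{{{WSU}}}Id"): t for t in sec.iter(bst_tag)}
    for parent in list(sec.iter()):          # snapshot: children are rewritten while walking
        for pos, child in enumerate(list(parent)):
            if child.tag != str_tag:
                continue
            ref = child.find(f"{{{WSSE}}}Reference")
            if ref is not None and ref.get("URI", "").startswith("#"):
                # Case a): same-document URI reference -> the existing BST is copied in
                # unchanged; its Base64 text is neither decoded nor re-encoded.
                repl = copy.deepcopy(by_id[ref.get("URI")[1:]])
            else:
                # Case b): token not in the message -> raw X.509 DER bytes from the
                # store are wrapped in a *new* BST, encoded per the X.509 profile.
                repl = ET.Element(bst_tag, {"ValueType": X509V3, "EncodingType": B64})
                repl.text = base64.b64encode(resolve_cert(child)).decode("ascii")
            repl.tail = child.tail
            parent.remove(child)
            parent.insert(pos, repl)
    return sec

# Constructed sample header: one BST plus one STR of each kind. "QUJD" and the DER
# bytes used in demo() are placeholders, not a real certificate.
SAMPLE = f"""<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
  <wsse:BinarySecurityToken wsu:Id="tok1" ValueType="{X509V3}" EncodingType="{B64}">QUJD</wsse:BinarySecurityToken>
  <wsse:SecurityTokenReference><wsse:Reference URI="#tok1"/></wsse:SecurityTokenReference>
  <wsse:SecurityTokenReference><wsse:KeyIdentifier>c3R1Yg==</wsse:KeyIdentifier></wsse:SecurityTokenReference>
</wsse:Security>"""

def demo():
    """Transform SAMPLE; return ([(ValueType, text) per BST], number of STRs left)."""
    out = str_transform(ET.fromstring(SAMPLE), lambda _str: b"\x30\x03\x02\x01\x01")
    bsts = [(b.get("ValueType"), b.text) for b in out.iter(f"{{{WSSE}}}BinarySecurityToken")]
    return bsts, len(list(out.iter(f"{{{WSSE}}}SecurityTokenReference")))
```

Canonicalizing the returned element is the remaining step of the transform; the point shown here is only what replaces what.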

