[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [wss] Issue 13, Lines 856-858 in Core, discussed at the call today
I am reluctant to stoke the coals on this, but based on the
emails it appears the ordering rules in lines 435-445 are being
considered the primary guideline and that lines 856-858 introduce
some ambiguity that is desired to be removed.
I have an additional concern that there is a greater ambiguity introduced
in lines 922-925 that state:
"To add a signature to a <wsse:Security> header block,
a <ds:Signature> element conforming to the XML Signature
specification MUST be prepended to the existing content
of the <wsse:Security> header block, in order to indicate
to the receiver the correct order of operations."
I am having trouble resolving this statement with the lines 442-445
which state:
"When a sub-element refers to a key carried in another
sub-element (for example, a signature sub-element that
refers to a binary security token sub-element that
contains the X.509 certificate used for the signature),
the key-bearing element SHOULD be ordered to precede the
key-using Element:"
It appears to me that the "MUST" in 922-925 would override the
"SHOULD" in lines 442-445. In particular, lines 922-925 say
the prepending is to existing content and does not exclude
key-bearing elements.
In order to resolve this I think it is necessary to decide if
key-bearing elements "MUST" appear before key-referencing elements
related to the same key, and that a little more explanatory text
be included to make it clear when a Signature is prepended to the
content vs being inserted before the appropriate key-bearing
element.
That all being said, maybe I am still missing something, but it
appears to me that the text segments referenced above are in conflict.
Rich Levinson
-----Original Message-----
From: Chris Kaler [mailto:ckaler@microsoft.com]
Sent: Wednesday, January 14, 2004 9:10 AM
To: wss@lists.oasis-open.org
Subject: RE: [wss] Issue 13, Lines 856-858 in Core, discussed at the call
today
Do we all agree then on removing it? Speak now...
-----Original Message-----
From: DeMartini, Thomas [mailto:Thomas.DeMartini@CONTENTGUARD.COM]
Sent: Tuesday, January 13, 2004 3:42 PM
To: wss@lists.oasis-open.org
Subject: RE: [wss] Issue 13, Lines 856-858 in Core, discussed at the call
today
This sounds great. I think if we go with this, the intention should be
clear.
Since the normative rules are laid out in section 5, this section can be
informative and we can replace both of the "SHOULDs" with lowercase "would".
This should address the concerns of those who would not like to see the
normative material repeated as well as the concerns of those who would like
to have seen more clarifying text.
&Thomas.
So, with the replacements, it would look like this:
Finally, if a producer wishes to sign a message before encryption,
then following the ordering rules laid out in section 5, "Security
Header", they would first prepend the signature element to the
<wsse:Security> header, and then prepend the encryption element,
resulting in a <wss:Security> header that has the encryption element
first, followed by the signature element:
+------------------------+
| <wsse:Security> header |
+------------------------+
| [encryption element] |
| [signature element] |
| : |
| : |
+------------------------+
Likewise, if a producer wishes to sign a message after encryption,
they would first prepend the encryption element to the <wsse:Security>
header, and then prepend the signature element. This will result in a
<wsse:Security> header that has the signature element first, followed
by the encryption element:
+------------------------+
| <wsse:Security> header |
+------------------------+
| [signature element] |
| [encryption element] |
| : |
| : |
+------------------------+
-----Original Message-----
From: Gene Thurston [mailto:gthurston@amberpoint.com]
Sent: Tuesday, January 13, 2004 3:24 PM
To: wss@lists.oasis-open.org
Subject: RE: [wss] Issue 13, Lines 856-858 in Core, discussed at the call
today
I guess I agree with Ron. When I read the text on lines on lines 856-858,
it sounds like I have to do something "different". But, unless I do not
understand the gist of the conversation, I basically just need to follow the
standard rules as laid out in the paragraph starting on line 435.
While Thomas' proposed replacement text is better than what is there now,
let me suggest another, more verbose, alternative:
Finally, if a producer wishes to sign a message before encryption,
then following the ordering rules laid out in section 5, "Security
Header", they SHOULD first prepend the signature element to the
<wsse:Security> header, and then prepend the encryption element,
resulting in a <wss:Security> header that has the encryption element
first, followed by the signature element:
+------------------------+
| <wsse:Security> header |
+------------------------+
| [encryption element] |
| [signature element] |
| : |
| : |
+------------------------+
Likewise, if a producer wishes to sign a message after encryption,
they SHOULD first prepend the encryption element to the <wsse:Security>
header, and then prepend the signature element. This will result in a
<wsse:Security> header that has the signature element first, followed
by the encryption element:
+------------------------+
| <wsse:Security> header |
+------------------------+
| [signature element] |
| [encryption element] |
| : |
| : |
+------------------------+
-----Original Message-----
From: Ron Monzillo [mailto:Ronald.Monzillo@Sun.COM]
Sent: Tuesday, January 13, 2004 11:41 AM
To: DeMartini, Thomas
Cc: wss@lists.oasis-open.org
Subject: Re: [wss] Issue 13, Lines 856-858 in Core, discussed at the call
today
Thomas,
I would prefer that the two existing sentences simply be removed. I find
them
incongruous WRT the description of algorithms which preceeds them and,
as was
pointed out in the call, they can be read to mean that a producer
somehow should
change the order of existing signature and encryption elements in a header.
I think the text beginning at line 435 and also that of section 9.4
define how signature
and encryption elements must be ordered.
That said, I think your text is an improvement over what's in the doc.
Ron
DeMartini, Thomas wrote:
> I can understand the meaning of 856-858 when read in context, so I
> don't think a change is absolutely necessary. However, I would like to
> offer the following text, which I think more clearly states the
> intention of these lines:
>
>
> "Finally, if a producer wishes to sign a message before encryption,
> they SHOULD place the signature element after the encryption element
> inside of the <wsse:Security> header. If a producer wishes to sign a
> message after encryption, they SHOULD place the signature element
> before the encryption element inside of the <wsse:Security> header."
>
> instead of
>
> "Finally, if a producer wishes to sign a message before encryption,
> they SHOULD alter the order of the signature and encryption elements
> inside of the <wsse:Security> header. This order of elements
> represents order of operations."
>
> If there is disagreement with the proposed clarification, I am fine
> with the existing text.
>
> &Thomas.
>
To unsubscribe from this mailing list (and be removed from the roster of the
OASIS TC), go to
http://www.oasis-open.org/apps/org/workgroup/wss/members/leave_workgroup
.php.
To unsubscribe from this mailing list (and be removed from the roster of the
OASIS TC), go to
http://www.oasis-open.org/apps/org/workgroup/wss/members/leave_workgroup
.php.
To unsubscribe from this mailing list (and be removed from the roster of the
OASIS TC), go to
http://www.oasis-open.org/apps/org/workgroup/wss/members/leave_workgroup
.php.
To unsubscribe from this mailing list (and be removed from the roster of the
OASIS TC), go to
http://www.oasis-open.org/apps/org/workgroup/wss/members/leave_workgroup.php
.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]