[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [wss] Issue 13, Lines 856-858 in Core, discussed at the call today
I share this concern. At 07:18 AM 1/14/2004, Levinson, Richard wrote: >I am reluctant to stoke the coals on this, but based on the >emails it appears the ordering rules in lines 435-445 are being >considered the primary guideline and that lines 856-858 introduce >some ambiguity that is desired to be removed. > >I have an additional concern that there is a greater ambiguity introduced >in lines 922-925 that state: > > "To add a signature to a <wsse:Security> header block, > a <ds:Signature> element conforming to the XML Signature > specification MUST be prepended to the existing content > of the <wsse:Security> header block, in order to indicate > to the receiver the correct order of operations." > >I am having trouble resolving this statement with the lines 442-445 >which state: > > "When a sub-element refers to a key carried in another > sub-element (for example, a signature sub-element that > refers to a binary security token sub-element that > contains the X.509 certificate used for the signature), > the key-bearing element SHOULD be ordered to precede the > key-using Element:" > >It appears to me that the "MUST" in 922-925 would override the >"SHOULD" in lines 442-445. In particular, lines 922-925 say >the prepending is to existing content and does not exclude >key-bearing elements. > >In order to resolve this I think it is necessary to decide if >key-bearing elements "MUST" appear before key-referencing elements >related to the same key, and that a little more explanatory text >be included to make it clear when a Signature is prepended to the >content vs being inserted before the appropriate key-bearing >element. > >That all being said, maybe I am still missing something, but it >appears to me that the text segments referenced above are in conflict. > > Rich Levinson > >-----Original Message----- >From: Chris Kaler [mailto:ckaler@microsoft.com] >Sent: Wednesday, January 14, 2004 9:10 AM >To: wss@lists.oasis-open.org >Subject: RE: [wss] Issue 13, Lines 856-858 in Core, discussed at the call >today > > >Do we all agree then on removing it? Speak now... > >-----Original Message----- >From: DeMartini, Thomas [mailto:Thomas.DeMartini@CONTENTGUARD.COM] >Sent: Tuesday, January 13, 2004 3:42 PM >To: wss@lists.oasis-open.org >Subject: RE: [wss] Issue 13, Lines 856-858 in Core, discussed at the call >today > >This sounds great. I think if we go with this, the intention should be >clear. > >Since the normative rules are laid out in section 5, this section can be >informative and we can replace both of the "SHOULDs" with lowercase "would". >This should address the concerns of those who would not like to see the >normative material repeated as well as the concerns of those who would like >to have seen more clarifying text. > >&Thomas. > >So, with the replacements, it would look like this: > > Finally, if a producer wishes to sign a message before encryption, > then following the ordering rules laid out in section 5, "Security > Header", they would first prepend the signature element to the > <wsse:Security> header, and then prepend the encryption element, > resulting in a <wss:Security> header that has the encryption element > first, followed by the signature element: > > +------------------------+ > | <wsse:Security> header | > +------------------------+ > | [encryption element] | > | [signature element] | > | : | > | : | > +------------------------+ > > Likewise, if a producer wishes to sign a message after encryption, > they would first prepend the encryption element to the <wsse:Security> > header, and then prepend the signature element. This will result in a > <wsse:Security> header that has the signature element first, followed > by the encryption element: > > +------------------------+ > | <wsse:Security> header | > +------------------------+ > | [signature element] | > | [encryption element] | > | : | > | : | > +------------------------+ > > >-----Original Message----- >From: Gene Thurston [mailto:gthurston@amberpoint.com] >Sent: Tuesday, January 13, 2004 3:24 PM >To: wss@lists.oasis-open.org >Subject: RE: [wss] Issue 13, Lines 856-858 in Core, discussed at the call >today > >I guess I agree with Ron. When I read the text on lines on lines 856-858, >it sounds like I have to do something "different". But, unless I do not >understand the gist of the conversation, I basically just need to follow the >standard rules as laid out in the paragraph starting on line 435. > >While Thomas' proposed replacement text is better than what is there now, >let me suggest another, more verbose, alternative: > > Finally, if a producer wishes to sign a message before encryption, > then following the ordering rules laid out in section 5, "Security > Header", they SHOULD first prepend the signature element to the > <wsse:Security> header, and then prepend the encryption element, > resulting in a <wss:Security> header that has the encryption element > > first, followed by the signature element: > > +------------------------+ > | <wsse:Security> header | > +------------------------+ > | [encryption element] | > | [signature element] | > | : | > | : | > +------------------------+ > > Likewise, if a producer wishes to sign a message after encryption, > they SHOULD first prepend the encryption element to the <wsse:Security> > header, and then prepend the signature element. This will result in a > <wsse:Security> header that has the signature element first, followed > by the encryption element: > > +------------------------+ > | <wsse:Security> header | > +------------------------+ > | [signature element] | > | [encryption element] | > | : | > | : | > +------------------------+ > > > >-----Original Message----- >From: Ron Monzillo [mailto:Ronald.Monzillo@Sun.COM] >Sent: Tuesday, January 13, 2004 11:41 AM >To: DeMartini, Thomas >Cc: wss@lists.oasis-open.org >Subject: Re: [wss] Issue 13, Lines 856-858 in Core, discussed at the call >today > >Thomas, > >I would prefer that the two existing sentences simply be removed. I find > >them >incongruous WRT the description of algorithms which preceeds them and, >as was >pointed out in the call, they can be read to mean that a producer >somehow should >change the order of existing signature and encryption elements in a header. > >I think the text beginning at line 435 and also that of section 9.4 >define how signature >and encryption elements must be ordered. > >That said, I think your text is an improvement over what's in the doc. > >Ron > >DeMartini, Thomas wrote: > > > I can understand the meaning of 856-858 when read in context, so I > > don't think a change is absolutely necessary. However, I would like to > > > offer the following text, which I think more clearly states the > > intention of these lines: > > > > > > "Finally, if a producer wishes to sign a message before encryption, > > they SHOULD place the signature element after the encryption element > > inside of the <wsse:Security> header. If a producer wishes to sign a > > message after encryption, they SHOULD place the signature element > > before the encryption element inside of the <wsse:Security> header." > > > > instead of > > > > "Finally, if a producer wishes to sign a message before encryption, > > they SHOULD alter the order of the signature and encryption elements > > inside of the <wsse:Security> header. This order of elements > > represents order of operations." > > > > If there is disagreement with the proposed clarification, I am fine > > with the existing text. > > > > &Thomas. > > > > >To unsubscribe from this mailing list (and be removed from the roster of the >OASIS TC), go to >http://www.oasis-open.org/apps/org/workgroup/wss/members/leave_workgroup >.php. > > > >To unsubscribe from this mailing list (and be removed from the roster of the >OASIS TC), go to >http://www.oasis-open.org/apps/org/workgroup/wss/members/leave_workgroup >.php. > > >To unsubscribe from this mailing list (and be removed from the roster of the >OASIS TC), go to >http://www.oasis-open.org/apps/org/workgroup/wss/members/leave_workgroup >.php. > > >To unsubscribe from this mailing list (and be removed from the roster of the >OASIS TC), go to >http://www.oasis-open.org/apps/org/workgroup/wss/members/leave_workgroup.php >. > >To unsubscribe from this mailing list (and be removed from the roster of >the OASIS TC), go to >http://www.oasis-open.org/apps/org/workgroup/wss/members/leave_workgroup.php.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]