

Subject: RE: [wss] agenda - attachments


Hi,

On our last phone call we had a discussion on attachments. In one of the initial versions of the message security document, there was a section on how to encrypt attachments using XML encryption. The procedure is basically (taken from an email from Frederick Hirsch to wss@lists.oasis-open.org, 8.8.2003):

1. Encrypt attachment as octet sequence, serializing if necessary, following XML Encryption processing rules.
2. Replace the attachment content with the ciphertext.
3. Create the xenc:EncryptedData element as defined in XML Encryption and place it in the wsse:Security header. This EncryptedData element should have a xenc:CipherReference pointing to the attached cipher text.

 
Some thoughts on this approach:

1)	Attachments
There are different understandings of what an attachment is. Either it can be an attachment generally understood as SOAP+attachment (http://www.w3.org/TR/2000/NOTE-SOAP-attachments-20001211), or it can be a SOAP message with XLink references (http://www.w3.org/TR/xlink/). Depending on the attachment type, they may need to be handled differently.

2)	SOAP version
The above approach is making assumptions about the wire format of a SOAP message. For SOAP 1.1 this approach may be OK, as it is using XML 1.0 (->serialization using <SOAP:Envelope>....). SOAP 1.2 is using an abstract representation as XML infosets, so the approach of directly encrypting binary data will not work as this depends on the serialization of the SOAP message.

In SOAP 1.2 the SOAP application is responsible for resolving attachments, and as it is represented as XML infoset, there is no need to define mechanisms for how attachments need to be encrypted.

SOAP 1.1 is using an XML 1.0 representation; to support attachments with SOAP 1.1 we would need to define which kind of attachments to support and most likely define transformations for resolving the attachment data. Before making these steps, wouldn't it be better to use SOAP 1.2 for such scenarios?


Best Regards,

Martijn de Boer

-----Original Message-----
From: Frederick.Hirsch@nokia.com [mailto:Frederick.Hirsch@nokia.com] 
Sent: Tuesday, 23 March 2004 15:45
To: wss@lists.oasis-open.org
Subject: [wss] agenda - attachments

Originally the SOAP Message Security specification included attachments, and this was removed.
Going forward, should the TC address SOAP with Attachments as part of the work or is this unnecessary given MTOM?

There may be some useful specification work regarding the handling of MIME headers as part of the security mechanisms.

Should this be added to the agenda as a discussion item for work going forward?

regards, Frederick

Frederick Hirsch
Nokia
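
Added example, not part of the original thread or of any specification text: a receiver-side check for the three-step procedure quoted above, confirming that every attachment is covered by an xenc:CipherReference in the SOAP header and that no reference dangles. It assumes SOAP 1.1 with SOAP-with-Attachments MIME packaging, `cid:` URIs for the references, and the first MIME part as the SOAP root; the `example.test` names and the ciphertext bytes are constructed.

```python
import email
import xml.etree.ElementTree as ET

XENC = "{http://www.w3.org/2001/04/xmlenc#}"
SOAP11 = "{http://schemas.xmlsoap.org/soap/envelope/}"

# Constructed sample: one attachment whose body is stand-in ciphertext (step 2)
# and a header EncryptedData whose CipherReference points at it (step 3).
SAMPLE = b"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"; type="text/xml"

--b1
Content-Type: text/xml; charset=utf-8
Content-ID: <root@example.test>

<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
 <S:Header><wsse:Security>
  <xenc:EncryptedData>
   <xenc:CipherData><xenc:CipherReference URI="cid:att1@example.test"/></xenc:CipherData>
  </xenc:EncryptedData>
 </wsse:Security></S:Header>
 <S:Body/>
</S:Envelope>
--b1
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64
Content-ID: <att1@example.test>

Q09OU1RSVUNURUQtQ0lQSEVSVEVYVA==
--b1--
"""

def check_attachments(raw):
    """Match header CipherReferences to MIME parts; report gaps both ways."""
    # Assumption: first part is the SOAP root. Use a hardened XML parser
    # for untrusted input; ElementTree is used here to stay stdlib-only.
    root, *attachments = email.message_from_bytes(raw).get_payload()
    parts = {(p["Content-ID"] or "").strip("<>") for p in attachments}
    header = ET.fromstring(root.get_payload(decode=True)).find(SOAP11 + "Header")
    refs = [] if header is None else [r.get("URI", "") for r in header.iter(XENC + "CipherReference")]
    cids = {u[4:] for u in refs if u.startswith("cid:")}
    return {
        "encrypted": sorted(cids & parts),
        "dangling_refs": sorted(cids - parts),   # reference with no matching part
        "unreferenced": sorted(parts - cids),    # attachment not covered by the header
    }
```

The check operates on the MIME wire format, which is the SOAP 1.1 serialization dependency raised in point 2 of the reply.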


