
Subject: RE: [wss] SOAP with Attachments Proposal


Maneesh

Thank you for your comments. I've put editor notes in the next draft to reflect them.

Yes, adding a transform to indicate that all attachments must be included in a single <ds:Reference> hash sounds useful for addressing the attachment insertion/deletion threat without needing to secure the entire multipart message (i.e., this would not include the primary SOAP part).

Content-Location would require more complicated resolution mechanisms and it may be simpler to only specify Content-Id. Is there a strong reason to allow both when a sender should be capable of using Content-Id?


regards, Frederick

Frederick Hirsch
Nokia



> -----Original Message-----
> From: ext Maneesh Sahu [mailto:maneesh@westbridgetech.com]
> Sent: Thursday, June 03, 2004 2:42 PM
> To: wss@lists.oasis-open.org
> Subject: FW: [wss] SOAP with Attachments Proposal
> 
> 
> Forgot to copy the list...I am forwarding the mail I sent to the SwA
> profile authors.
> 
> --ms
> 
> -----Original Message-----
> From: Maneesh Sahu 
> Sent: Thursday, June 03, 2004 11:15 AM
> To: 'Frederick.Hirsch@nokia.com'
> Cc: 'mikemci@us.ibm.com'; 'jerry.schwarz@oracle.com'
> Subject: RE: [wss] SOAP with Attachments Proposal
> 
> Hi Frederick,
> 
> The WSS SwA profile is very useful. 
> 
> I had some feedback about the document.
> 
> Page 5- "Securing SOAP with Attachments" paragraph 2 says that
> "Attachments may be referenced using a CID scheme URL to refer to the
> attachment that has a Content-ID MIME header value that corresponds to
> the URL scheme,..."
> 
> It will be useful to refer to the attachment using the Content-Location
> MIME header as well. Content-Locations can be referenced using both
> relative and absolute paths.
> 
> I am also thinking about the impact of SwA on other profiles like SAML.
> There are certain scenarios in the WSS SAML profile like holder-of-key
> where the SOAP body needs to be signed for message integrity. If the
> request is SwA then the Body along with all the attachments must be
> signed.
> 
> Should there be a dsig transform like sign all attachments? This way if
> an attachment was added to the request after the request was signed,
> message tampering can be detected.
> 
>  
> Regards
> Maneesh Sahu
> Westbridge Technology
> 
> 
> -----Original Message-----
> From: Frederick.Hirsch@nokia.com [mailto:Frederick.Hirsch@nokia.com] 
> Sent: Friday, May 28, 2004 11:01 AM
> To: wss@lists.oasis-open.org
> Cc: mikemci@us.ibm.com; jerry.schwarz@oracle.com;
> Frederick.Hirsch@nokia.com
> Subject: [wss] SOAP with Attachments Proposal
> 
> Enclosed is a draft profile for securing SOAP with Attachments (SwA)
> using WSS SOAP Message Security.
> 
> I am sending this to close the action item recorded on the 5/18/04 call
> to submit a proposal, related to issues 285, 268, and 129, taken by
> Mike McIntosh, Jerry Schwarz and myself.
> 
> We intend this as a starting point for members of the WSS TC to discuss
> and improve.
> 
> Thanks
> 
> regards, Frederick
> 
> Frederick Hirsch
> Nokia
> 
>  <<wss-swa-profile-1.0-draft-03.pdf>> 
> 
> 
> 
> 
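
Added example (not part of the original thread or the draft profile): a sketch of the "one hash over all attachments" idea discussed above, showing how a receiver would notice an inserted or deleted attachment. The function names, the sample message, the use of SHA-256 and the length-prefixed, Content-ID-sorted digest input are assumptions for illustration, not the transform the profile defines.

```python
import hashlib
from email import message_from_bytes

ROOT_CID = "<soap@example.org>"  # constructed Content-ID of the primary SOAP part

def build_swa(attachments, soap=b"<Envelope>order 17</Envelope>"):
    """Build a constructed multipart/related SwA message from (content_id, bytes) pairs."""
    head = ('MIME-Version: 1.0\r\nContent-Type: multipart/related; type="text/xml"; '
            f'start="{ROOT_CID}"; boundary="b1"\r\n\r\n').encode()
    parts = [(ROOT_CID, "text/xml", soap)]
    parts += [(cid, "application/octet-stream", data) for cid, data in attachments]
    body = b"".join(
        f"--b1\r\nContent-Type: {ctype}\r\nContent-ID: {cid}\r\n\r\n".encode() + data + b"\r\n"
        for cid, ctype, data in parts)
    return head + body + b"--b1--\r\n"

def attachments_digest(raw):
    """SHA-256 over every attachment (Content-ID and content), excluding the primary SOAP part."""
    msg = message_from_bytes(raw)
    parts = msg.get_payload()
    start = msg.get_param("start")
    # The root part is named by the "start" parameter, else it is the first part (RFC 2387).
    root = next((p for p in parts if start and p["Content-ID"] == start), parts[0])
    items = []
    for part in parts:
        if part is root:
            continue
        cid = part["Content-ID"]
        if not cid:  # assumption: attachments are identified by Content-ID only
            raise ValueError("attachment without Content-ID")
        items.append((cid.encode(), part.get_payload(decode=True)))
    digest = hashlib.sha256()
    for cid, content in sorted(items):  # assumption: attachment order is not significant
        for field in (cid, content):
            # Length prefixes keep bytes from sliding between fields or attachments unnoticed.
            digest.update(len(field).to_bytes(8, "big") + field)
    return digest.hexdigest()

def attachments_unchanged(raw, signed_digest):
    """Receiver-side check against the digest that the signature would cover."""
    return attachments_digest(raw) == signed_digest
```

Because the primary SOAP part is left out of this digest, a change to the SOAP body alone still passes the check, so the body needs its own signed reference.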

