Subject: RE: [wss] SOAP with Attachments Proposal
Hi Frederick,

I noticed a few SOAP toolkits like WebMethods Glue that use Content-Location instead of Content-Id and I haven't seen any information in the WS-I documents that prohibit the use of this header. Correlating the two aspects we should support attachments using these references.

--ms

-----Original Message-----
From: Frederick.Hirsch@nokia.com [mailto:Frederick.Hirsch@nokia.com]
Sent: Thursday, June 10, 2004 1:39 PM
To: Maneesh Sahu; wss@lists.oasis-open.org
Subject: RE: [wss] SOAP with Attachments Proposal

Maneesh

Thank you for your comments. I've put editor notes in the next draft to reflect them.

Yes, adding a transform to indicate that all attachments must be included in a single <ds:Reference> hash sounds useful for addressing the attachment insertion/deletion threat without needing to secure the entire multipart message. (i.e. this would not include the primary SOAP part).

Content-Location would require more complicated resolution mechanisms and it may be simpler to only specify Content-Id. Is there a strong reason to allow both when a sender should be capable of using Content-Id?

regards, Frederick

Frederick Hirsch
Nokia

> -----Original Message-----
> From: ext Maneesh Sahu [mailto:maneesh@westbridgetech.com]
> Sent: Thursday, June 03, 2004 2:42 PM
> To: wss@lists.oasis-open.org
> Subject: FW: [wss] SOAP with Attachments Proposal
>
> Forgot to copy the list...I am forwarding the mail I sent to the SwA
> profile authors.
>
> --ms
>
> -----Original Message-----
> From: Maneesh Sahu
> Sent: Thursday, June 03, 2004 11:15 AM
> To: 'Frederick.Hirsch@nokia.com'
> Cc: 'mikemci@us.ibm.com'; 'jerry.schwarz@oracle.com'
> Subject: RE: [wss] SOAP with Attachments Proposal
>
> Hi Frederick,
>
> The WSS SwA profile is very useful.
>
> I had some feedback about the document.
>
> Page 5- "Securing SOAP with Attachments" paragraph 2 says that
> "Attachments may be referenced using a CID scheme URL to refer to the
> attachment that has a Content-ID MIME header value that corresponds to
> the URL scheme,..."
>
> It will be useful to refer to the attachment using the Content-Location
> MIME header as well. Content-Locations can be referenced using both
> relative and absolute paths.
>
> I am also thinking about the impact of SwA on other profiles like SAML.
> There are certain scenarios in the WSS SAML profile like holder-of-key
> where the SOAP body needs to be signed for message integrity. If the
> request is SwA then the Body along with all the attachments must be
> signed.
>
> Should there be a dsig transform like sign all attachments? This way if
> an attachment was added to the request after the request was signed,
> message tampering can be detected.
>
> Regards
> Maneesh Sahu
> Westbridge Technology
>
> -----Original Message-----
> From: Frederick.Hirsch@nokia.com [mailto:Frederick.Hirsch@nokia.com]
> Sent: Friday, May 28, 2004 11:01 AM
> To: wss@lists.oasis-open.org
> Cc: mikemci@us.ibm.com; jerry.schwarz@oracle.com;
> Frederick.Hirsch@nokia.com
> Subject: [wss] SOAP with Attachments Proposal
>
> Enclosed is a draft profile for securing SOAP with Attachments (SwA)
> using WSS SOAP Message Security.
>
> I am sending this to close the action item recorded on the 5/18/04 call
> to submit a proposal, related to issues 285, 268, and 129, taken by
> Mike McIntosh, Jerry Schwarz and myself.
>
> We intend this as a starting point for members of the WSS TC to discuss
> and improve.
>
> Thanks
>
> regards, Frederick
>
> Frederick Hirsch
> Nokia
>
> <<wss-swa-profile-1.0-draft-03.pdf>>
>
> To unsubscribe from this mailing list (and be removed from
> the roster of the OASIS TC), go to
> http://www.oasis-open.org/apps/org/workgroup/wss/members/leave_workgroup.php.
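
The attachment insertion/deletion check discussed in this thread, as an added example that is not part of the original messages or of the draft profile: one SHA-256 digest is computed over every attachment (Content-ID plus decoded content) while the primary SOAP part is left out, standing in for the single `<ds:Reference>` hash. Assumptions: the primary SOAP part is the first MIME part, the function names and the `example.invalid` Content-IDs are hypothetical, and the sample message is constructed.

```python
import hashlib
import hmac
from email import message_from_bytes, policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText


def build_swa(attachments):
    """Build a constructed multipart/related SwA message (sample input only)."""
    root = MIMEMultipart("related", type="text/xml")
    root.attach(MIMEText("<soap:Envelope/>", "xml"))  # primary SOAP part
    for cid, data in attachments:
        part = MIMEApplication(data)
        part["Content-ID"] = f"<{cid}>"
        root.attach(part)
    return root.as_bytes()


def attachments_digest(raw):
    """One SHA-256 over all attachments, excluding the primary SOAP part.

    Assumption: the primary SOAP part is the first MIME part.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    digest = hashlib.sha256()
    for part in list(msg.iter_parts())[1:]:
        cid = part["Content-ID"]
        if cid is None:
            raise ValueError("attachment without Content-ID cannot be referenced")
        body = part.get_payload(decode=True) or b""
        # Length-prefix each field so part boundaries cannot be shifted.
        for field in (str(cid).strip().encode(), body):
            digest.update(len(field).to_bytes(8, "big") + field)
    return digest.hexdigest()


def attachments_unchanged(raw, signed_digest):
    """True only if no attachment was added, removed or altered."""
    return hmac.compare_digest(attachments_digest(raw), signed_digest)


if __name__ == "__main__":
    sent = [("att1@example.invalid", b"invoice"), ("att2@example.invalid", b"photo")]
    signed = attachments_digest(build_swa(sent))
    print(attachments_unchanged(build_swa(sent), signed))
    print(attachments_unchanged(build_swa(sent + [("extra@example.invalid", b"x")]), signed))
```

In a real deployment the digest would be carried inside the signed `<ds:SignedInfo>`, so it cannot be recomputed by whoever alters the attachments.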