
Subject: RE: [wss] SOAP with Attachments Proposal


At 01:58 PM 6/10/2004, Maneesh Sahu wrote:
>Hi Frederick,
>
>I noticed a few SOAP toolkits like WebMethods Glue that use
>Content-Location instead of Content-Id and I haven't seen any
>information in the WS-I documents that prohibit the use of this header.
>Correlating the two aspects we should support attachments using these
>references.

The issue isn't what headers are present in the MIME encoded message but 
what kind of URI can be used to reference an attachment. Do you have 
something concrete in mind?


>--ms
>
>-----Original Message-----
>From: Frederick.Hirsch@nokia.com [mailto:Frederick.Hirsch@nokia.com]
>Sent: Thursday, June 10, 2004 1:39 PM
>To: Maneesh Sahu; wss@lists.oasis-open.org
>Subject: RE: [wss] SOAP with Attachments Proposal
>
>Maneesh
>
>Thank you for your comments. I've put editor notes in the next draft to
>reflect them.
>
>Yes, adding a transform to indicate that all attachments must be
>included in a single <ds:Reference> hash sounds useful for addressing
>the attachment insertion/deletion threat without needing to secure the
>entire multipart message. (i.e. this would not include the primary SOAP
>part).
>
>Content-Location would require more complicated resolution mechanisms
>and it may be simpler to only specify Content-Id. Is there a strong
>reason to allow both when a sender should be capable of using
>Content-Id?
>
>
>regards, Frederick
>
>Frederick Hirsch
>Nokia
>
>
>
> > -----Original Message-----
> > From: ext Maneesh Sahu [mailto:maneesh@westbridgetech.com]
> > Sent: Thursday, June 03, 2004 2:42 PM
> > To: wss@lists.oasis-open.org
> > Subject: FW: [wss] SOAP with Attachments Proposal
> >
> >
> > Forgot to copy the list...I am forwarding the mail I sent to the SwA
> > profile authors.
> >
> > --ms
> >
> > -----Original Message-----
> > From: Maneesh Sahu
> > Sent: Thursday, June 03, 2004 11:15 AM
> > To: 'Frederick.Hirsch@nokia.com'
> > Cc: 'mikemci@us.ibm.com'; 'jerry.schwarz@oracle.com'
> > Subject: RE: [wss] SOAP with Attachments Proposal
> >
> > Hi Frederick,
> >
> > The WSS SwA profile is very useful.
> >
> > I had some feedback about the document.
> >
> > Page 5- "Securing SOAP with Attachments" paragraph 2 says that
> > "Attachments may be referenced using a CID scheme URL to refer to the
> > attachment that has a Content-ID MIME header value that corresponds to
> > the URL scheme,..."
> >
> > It will be useful to refer to the attachment using the Content-Location
> > MIME header as well. Content-Locations can be referenced using both
> > relative and absolute paths.
> >
> > I am also thinking about the impact of SwA on other profiles like SAML.
> > There are certain scenarios in the WSS SAML profile like holder-of-key
> > where the SOAP body needs to be signed for message integrity. If the
> > request is SwA then the Body along with all the attachments must be
> > signed.
> >
> > Should there be a dsig transform like sign all attachments? This way if
> > an attachment was added to the request after the request was signed,
> > message tampering can be detected.
> >
> >
> > Regards
> > Maneesh Sahu
> > Westbridge Technology
> >
> >
> > -----Original Message-----
> > From: Frederick.Hirsch@nokia.com [mailto:Frederick.Hirsch@nokia.com]
> > Sent: Friday, May 28, 2004 11:01 AM
> > To: wss@lists.oasis-open.org
> > Cc: mikemci@us.ibm.com; jerry.schwarz@oracle.com;
> > Frederick.Hirsch@nokia.com
> > Subject: [wss] SOAP with Attachments Proposal
> >
> > Enclosed is a draft profile for securing SOAP with Attachments (SwA)
> > using WSS SOAP Message Security.
> >
> > I am sending this to close the action item recorded on the 5/18/04 call
> > to submit a proposal, related to issues 285, 268, and 129, taken by
> > Mike McIntosh, Jerry Schwarz and myself.
> >
> > We intend this as a starting point for members of the WSS TC to discuss
> > and improve.
> >
> > Thanks
> >
> > regards, Frederick
> >
> > Frederick Hirsch
> > Nokia
> >
> >  <<wss-swa-profile-1.0-draft-03.pdf>>
> >
> >
> >
> > To unsubscribe from this mailing list (and be removed from
> > the roster of the OASIS TC), go to
> > http://www.oasis-open.org/apps/org/workgroup/wss/members/leave_workgroup.php.
> >
> >
>
>
>
>


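The thread above turns on resolving a `cid:` reference to the attachment with the matching Content-ID, and on detecting attachments inserted or deleted after signing. The following Python sketch of that coverage check is an added example, not part of the thread or of the draft profile. It assumes the reference URIs come from an already verified signature and that the first MIME part is the SOAP root; it checks coverage only, not digests, and the function names and sample message are constructed for illustration.

```python
from email import message_from_bytes
from urllib.parse import unquote

# Constructed sample (not from the thread): SOAP root part plus two attachments.
SAMPLE = b"\r\n".join([
    b'Content-Type: multipart/related; boundary="b1"; type="text/xml"',
    b"",
    b"--b1",
    b"Content-Type: text/xml",
    b"Content-ID: <root@example.test>",
    b"",
    b"<Envelope/>",
    b"--b1",
    b"Content-Type: text/plain",
    b"Content-ID: <att1@example.test>",
    b"",
    b"attachment present when the message was signed",
    b"--b1",
    b"Content-Type: text/plain",
    b"Content-ID: <att2@example.test>",
    b"",
    b"attachment inserted after signing",
    b"--b1--",
    b"",
])


def cid_to_content_id(uri):
    """Map a cid: URL to the Content-ID header value it names (RFC 2392)."""
    scheme, _, rest = uri.partition(":")
    if scheme.lower() != "cid" or not rest:
        raise ValueError("not a cid: URL: %r" % uri)
    return "<" + unquote(rest) + ">"


def check_coverage(raw, signed_uris):
    """Compare the cid: URIs of verified references with the parts received."""
    msg = message_from_bytes(raw)
    if not msg.is_multipart():
        raise ValueError("not a multipart message")
    # Assumption: no start parameter, so the first part is the SOAP root.
    ids = [(p["Content-ID"] or "").strip() for p in msg.get_payload()[1:]]
    wanted = {cid_to_content_id(u) for u in signed_uris}
    return {
        "unsigned": [n for n, c in enumerate(ids, 1) if c not in wanted],
        "ambiguous": sorted(c for c in wanted if ids.count(c) > 1),
        "dangling": sorted(c for c in wanted if ids.count(c) == 0),
    }
```

A receiver would reject the message when any of the three lists is non-empty: `unsigned` is an inserted attachment, `dangling` a deleted one, and `ambiguous` a duplicated Content-ID that makes resolution unreliable.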
