OASIS Mailing List Archives

wss message


Subject: Attachment Profile Question/Comment


All,

I had a comment/question regarding the WSS SwA profile.

In section 2.3, the motivation for the decryption transform is driven in
part by the use of dual <S11:Header> elements. It seems to me that the order
of digital signatures and encryption can indeed be discerned if the
operations are "stacked" (operations are pre-pended) inside a single
<S11:Header>/<wsse:Security> element, similar to what is done for pure WSS.

My concern here is that people reading this specification will assume
(wrongly) that in order to meet the profile for signing and encryption of
attachments they must (a) use a distinct header block for each operation and
(b) use the decryption transform in all cases.

Can we make a clarification regarding signing and encryption of attachments?
I personally would like to see some text that describes the case where
signing and encryption of attachments is done within a single
<wsse:Security> block, with subsequent operations pre-pended, thus
eliminating the need for the decryption transform. Unless I am missing
something, the example given in 2.2.3 may be overly complicated from the
paradigm case.

Regards,

Blake Dournaee
Senior Security Architect
Sarvega, Inc.
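
The ordering argument in the message above, sketched as an added example (not part of the original post or of the SwA profile): with one wsse:Security header and each operation prepended, document order gives the receiver's processing order and its reverse gives the sender's. It assumes attachments are referenced by cid: URIs from ds:Reference and xenc:CipherReference; the envelope, the cid:att1 value and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "S11": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
# Constructed fragments: one encryption and one signature over attachment cid:att1.
ENC = ('<xenc:EncryptedData><xenc:CipherData><xenc:CipherReference URI="cid:att1"/>'
       '</xenc:CipherData></xenc:EncryptedData>')
SIG = ('<ds:Signature><ds:SignedInfo><ds:Reference URI="cid:att1"/>'
       '</ds:SignedInfo></ds:Signature>')

def envelope(children):
    """Build a constructed SOAP 1.1 envelope with one wsse:Security header."""
    decl = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())
    return (f"<S11:Envelope {decl}><S11:Header><wsse:Security>{''.join(children)}"
            "</wsse:Security></S11:Header><S11:Body/></S11:Envelope>")

def receiver_steps(xml_text, cid):
    """Operations on `cid` in document order, i.e. the order a receiver undoes them."""
    root = ET.fromstring(xml_text)  # constructed input only
    headers = root.findall("S11:Header/wsse:Security", NS)
    if len(headers) != 1:
        raise ValueError("ordering is only read from a single wsse:Security header")
    paths = {
        f"{{{NS['xenc']}}}EncryptedData": ("decrypt", "xenc:CipherData/xenc:CipherReference"),
        f"{{{NS['ds']}}}Signature": ("verify", "ds:SignedInfo/ds:Reference"),
    }
    steps = []
    for child in headers[0]:
        op, path = paths.get(child.tag, (None, None))
        if op and any(r.get("URI") == cid for r in child.findall(path, NS)):
            steps.append(op)
    return steps

def sender_order(xml_text, cid):
    """Prepending means the sender's order is the receiver's order reversed."""
    applied = {"decrypt": "encrypt", "verify": "sign"}
    return [applied[s] for s in reversed(receiver_steps(xml_text, cid))]

if __name__ == "__main__":
    for name, doc in (("ENC above SIG", envelope([ENC, SIG])),
                      ("SIG above ENC", envelope([SIG, ENC]))):
        print(name, receiver_steps(doc, "cid:att1"), sender_order(doc, "cid:att1"))
```
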





