Subject: Re: [wss] Attachment Profile Question/Comment
I agree with Blake that placing the EncryptedData in a separate <Header> element is the wrong approach. I think the right approach is (as Blake suggests) to put the EncryptedData and Signature elements into the wsse:Security so that if they are processed in front to back order the right sequence of events happens. I think section 2 could be clarified with regards to how the processing is triggered and when the replacements occur. Specifically, is it triggered by the presence of an xenc:EncryptedData element at the top level of a wsse:Security element with type "url-attachment-with-mime-headers"?

At 12:01 PM 6/24/2004, Blake Dournaee wrote:
>All,
>
>I had a comment/question regarding the WSS SwA profile.
>
>In section 2.3, the motivation for the decryption transform is driven in
>part by the use of dual <S11:Header> elements. It seems to me that the order
>of digital signatures and encryption can indeed be discerned if the
>operations are "stacked" (operations are pre-pended) inside a single
><S11:Header>/<wsse:Security> element, similar to what is done for pure WSS.
>
>My concern here is that people reading this specification will assume
>(wrongly) that in order to meet the profile for signing and encryption of
>attachments they must (a) use a distinct header block for each operation and
>(b) use the decryption transform in all cases.
>
>Can we make a clarification regarding signing and encryption of attachments?
>I personally would like to see some text that describes the case where
>signing and encryption of attachments is done within a single
><wsse:Security> block, with subsequent operations pre-pended, thus
>eliminating the need for the decryption transform. Unless I am missing
>something the example given in 2.2.3 may be overly complicated from the
>paradigm case.
>
>Regards,
>
>Blake Dournaee
>Senior Security Architect
>Sarvega, Inc.
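The stacking that Blake describes, as an added example that is not part of this thread or of the WSS SwA profile text: each producer step pre-pends its element to a single wsse:Security header, so a receiver that walks the header front to back undoes the steps in reverse order, and no decryption transform is needed to recover the order. The signature and cipher are deliberately simplified stand-ins (an HMAC and a SHA-256 keystream XOR), the elements are flattened to carry the cid in a URI attribute rather than in nested ds:Reference / xenc:CipherReference children, and the Type URI, key and Content-ID are constructed placeholders.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
ATTACH_TYPE = "urn:example:attachment-type"  # placeholder, not the profile's real Type URI
KEY = b"constructed-demo-key"                 # constructed shared secret for the toy primitives
CID = "cid:photo@example"                     # constructed attachment Content-ID

def toy_cipher(data: bytes) -> bytes:
    """Stand-in for xenc: XOR with a SHA-256 keystream (demo only, symmetric, not secure)."""
    blocks = len(data) // 32 + 1
    ks = b"".join(hashlib.sha256(KEY + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))

def sign_attachment(sec: ET.Element, content: bytes) -> bytes:
    """Producer step: sign the attachment and PRE-PEND a ds:Signature to wsse:Security.
    (Flattened: the real element carries the cid in a nested ds:Reference.)"""
    sig = ET.Element(f"{{{DS}}}Signature", {"URI": CID})
    sig.text = hmac.new(KEY, content, "sha256").hexdigest()
    sec.insert(0, sig)
    return content

def encrypt_attachment(sec: ET.Element, content: bytes) -> bytes:
    """Producer step: encrypt the attachment and PRE-PEND an xenc:EncryptedData.
    (Flattened: the real element carries the cid in a nested xenc:CipherReference.)"""
    sec.insert(0, ET.Element(f"{{{XENC}}}EncryptedData", {"Type": ATTACH_TYPE, "URI": CID}))
    return toy_cipher(content)

def process_header(sec: ET.Element, content: bytes, reverse: bool = False):
    """Receiver: walk the top-level children of wsse:Security front to back (or, to show
    why the order matters, back to front) and return (steps taken, resulting attachment)."""
    steps = []
    for el in (reversed(list(sec)) if reverse else sec):
        if el.tag == f"{{{XENC}}}EncryptedData" and el.get("Type") == ATTACH_TYPE:
            content = toy_cipher(content)
            steps.append(("decrypt", el.get("URI")))
        elif el.tag == f"{{{DS}}}Signature":
            expected = hmac.new(KEY, content, "sha256").hexdigest()
            steps.append(("verify", el.get("URI"), hmac.compare_digest(el.text, expected)))
    return steps, content

def run(producer_ops, reverse: bool = False):
    """Apply the producer operations in the given order, then process the header."""
    sec = ET.Element(f"{{{WSSE}}}Security")
    content = b"constructed attachment body"
    for op in producer_ops:
        content = op(sec, content)
    return process_header(sec, content, reverse)
```

With sign-then-encrypt the receiver decrypts first and then verifies against the recovered plaintext; with encrypt-then-sign it verifies first; walking the same header back to front verifies over ciphertext and fails, which is the ordering problem the separate-header layout leaves unresolved.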