Subject: Re: [wss] Attachment Profile Question/Comment



I agree with Blake that placing the EncryptedData in a separate <Header> 
element is the wrong approach. I think the right approach is (as Blake 
suggests) to put the EncryptedData and Signature elements into the 
wsse:Security so that if they are processed in front to back order the 
right sequence of events happens.

I think section 2 could be clarified with regard to how the processing is 
triggered and when the replacements occur.  Specifically, is it triggered by 
the presence of an xenc:EncryptedData element at the top level of a 
wsse:Security element with type "url-attachment-with-mime-headers"?

At 12:01 PM 6/24/2004, Blake Dournaee wrote:
>All,
>
>I had a comment/question regarding the WSS SwA profile.
>
>In section 2.3, the motivation for the decryption transform is driven in
>part by the use of dual <S11:Header> elements. It seems to me that the order
>of digital signatures and encryption can indeed be discerned if the
>operations are "stacked" (operations are pre-pended) inside a single
><S11:Header>/<wsse:Security> element, similar to what is done for pure WSS.
>
>My concern here is that people reading this specification will assume
>(wrongly) that in order to meet the profile for signing and encryption of
>attachments they must (a) use a distinct header block for each operation and
>(b) use the decryption transform in all cases.
>
>Can we make a clarification regarding signing and encryption of attachments?
>I personally would like to see some text that describes the case where
>signing and encryption of attachments is done within a single
><wsse:Security> block, with subsequent operations pre-pended, thus
>eliminating the need for the decryption transform. Unless I am missing
>something the example given in 2.2.3 may be overly complicated from the
>paradigm case.
>
>Regards,
>
>Blake Dournaee
>Senior Security Architect
>Sarvega, Inc.



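The single-header, prepend-as-you-go ordering discussed in this thread, as an added example that is not part of the original messages or of the SwA profile itself: a small Python model that builds a wsse:Security header by prepending a Signature and then an EncryptedData (Type value taken from the thread) for a cid:-referenced attachment, and shows that front-to-back processing decrypts before verifying while the reverse order fails verification. The wsse/ds/xenc namespace URIs are the real ones; the digest-only "signature" and XOR "cipher" are stand-ins for XML Signature and XML Encryption, not implementations of them.

```python
import hashlib
import xml.etree.ElementTree as ET
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
ATTACH_TYPE = "url-attachment-with-mime-headers"  # Type value quoted in the thread

def toy_cipher(data: bytes, key: bytes) -> bytes:
    # Stand-in for XML Encryption: XOR with a hash-derived keystream (an involution, so it also decrypts).
    stream = hashlib.sha256(key).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))

def sign_attachment(security, cid, attachments):
    # Stand-in for ds:Signature: a digest over the attachment's current bytes, referenced by cid: URI.
    sig = ET.Element(f"{{{DS}}}Signature")
    ref = ET.SubElement(sig, f"{{{DS}}}Reference", URI=f"cid:{cid}")
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = hashlib.sha256(attachments[cid]).hexdigest()
    security.insert(0, sig)  # prepend: the operation done last appears first

def encrypt_attachment(security, cid, attachments, key):
    attachments[cid] = toy_cipher(attachments[cid], key)
    enc = ET.Element(f"{{{XENC}}}EncryptedData", Type=ATTACH_TYPE)
    ET.SubElement(enc, f"{{{XENC}}}CipherReference", URI=f"cid:{cid}")
    security.insert(0, enc)  # prepend again, so EncryptedData now precedes Signature

def process_security(security, attachments, key, order="front-to-back"):
    """Consumer side: handle wsse:Security children in the given order; returns [(step, ok), ...]."""
    children = list(security)
    if order == "back-to-front":
        children.reverse()
    results = []
    for el in children:
        if el.tag == f"{{{XENC}}}EncryptedData":
            cid = el.find(f"{{{XENC}}}CipherReference").get("URI")[len("cid:"):]
            attachments[cid] = toy_cipher(attachments[cid], key)
            results.append(("decrypt", True))
        elif el.tag == f"{{{DS}}}Signature":
            ref = el.find(f"{{{DS}}}Reference")
            cid = ref.get("URI")[len("cid:"):]
            ok = hashlib.sha256(attachments[cid]).hexdigest() == ref.find(f"{{{DS}}}DigestValue").text
            results.append(("verify", ok))
    return results

def run(order="front-to-back"):
    key = b"constructed-demo-key"
    attachments = {"part1": b"Content-Type: text/plain\r\n\r\nhello attachment"}  # constructed
    security = ET.Element(f"{{{WSSE}}}Security")
    sign_attachment(security, "part1", attachments)   # sign first ...
    encrypt_attachment(security, "part1", attachments, key)  # ... then encrypt (sign-then-encrypt)
    return process_security(security, attachments, key, order)
```

With the header processed front to back the attachment is decrypted before its digest is checked, so no decryption transform is needed; processing it in the opposite order checks the digest against ciphertext and fails.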