RE: [wss] Quoting Issues

["Martin Gudgin" <mgudgin@microsoft.com>]

AFAICT you only have to quote parameters in MIME headers when those parameters might contain a semicolon. This is so that the MIME header parser can figure out where the parameter boundaries are. The Content-Type: "text/xml" and Content-Type: "image/jpeg" example below do not need to be quoted. Text based types are often quoted because they may carry a charset parameter. e.g. Content-Type: "text/xml; charset=UTF-8"

Gudge 

P.S. Your example below is missing a semicolon after the boundary parameter.

> -----Original Message-----
> From: Blake Dournaee [mailto:blake@sarvega.com] 
> Sent: 18 October 2004 13:37
> To: 'Bruce Rich'; Frederick.Hirsch@nokia.com
> Cc: wss@lists.oasis-open.org
> Subject: [wss] Quoting Issues
> 
> Frederick, Bruce -
> 
> Now that I've got the time to think about the issue with quoting, this
> brings up an important question regarding when MIME Canonicalization
> actually applies.
> 
> For example, Bruce is arguing that certain MIME header 
> parameter values that
> use the forward should be encased in double quotes. For 
> example, our SOAP
> message packages should look like this:
> 
> Content-Type: multipart/related; boundary="sig-example" 
> type="text/xml"
> --sig-example
> Content-Type: "text/xml"
> 
> <?xml version="1.0" encoding="utf-8" ?>
> <foo/>
> 
> --sig-example
> Content-Type: "image/jpeg"
> Content-Id: <signature>
> Content-Transfer-Encoding: base64
> 
> Dcg3AdGFcFs3764fddSArk
> 
> 
> I have no problem using this rule in the example for the SwA profile
> scenarios to aid interoperability. One note, however, is if 
> you look at the
> SwA note (http://www.w3.org/TR/SOAP-attachments), double 
> quotes are not
> used. I'm not sure if this matters if they are wrong about 
> the use of double
> quotes.
> 
> The question here, however, is that in the specific case where the
> Attachment-Content-Only transform is used, a SwA Profile 
> implementation
> *should not* touch the headers at all.
> 
> That is, the Canonicalization rules Frederick has formalized 
> in the profile
> is a "code path" that should not be followed when the MIME 
> headers are not
> included in the signing or encryption. In other words, when we're not
> signing or encrypting the MIME headers, we don't need to 
> canonicalize them. 
> 
> Or do we? 
> 
> In the current SwA profile, the MIME Canonicalization rules 
> only seem to
> come into play when the Attachment-Complete transform is utilized.
> 
> To circle back to my conclusion: Given the way the SwA 
> profile is written
> currently, we can't enforce the double quote rule unless we 
> also enforce
> MIME header Canonicalization in all cases. 
> 
> Blake
> 
> 
> ________________________________________
> From: Bruce Rich [mailto:brich@us.ibm.com] 
> Sent: Tuesday, October 12, 2004 8:16 AM
> To: Frederick.Hirsch@nokia.com
> Cc: blake@sarvega.com
> Subject: RE: [wss] SwA Interop Scenarios
> 
> 
> It would fix the problem that I was having, but is a bit draconian. 
> I think that it is only strictly required when the parameters 
> embed MIME
> special characters, which would be something from this set: 
> ()<>@,;:\\\"\t []/?= 
> 
> Bruce A Rich
> brich@us.ibm.com
> 
> 
> <Frederick.Hirsch@nokia.com> 
> 10/12/2004 09:50 AM 
> To
> <blake@sarvega.com>, Bruce Rich/Austin/IBM@IBMUS 
> cc
> 
> Subject
> RE: [wss] SwA Interop Scenarios
> 
> 
> 
> 
> 
> 
> 
> I've gotten feedback from Dana Kaufman (Forum Systems) on 
> section 4.3.1,
> header canonicalization, and have added this statement (among others,
> new draft out later today):
> 
> "Enclosing double-quotes MUST be added to MIME header parameter values
> that do not already contain enclosing quotes. Quoted characters other
> than double-quote and backslash ("\") in MIME header parameter values
> MUST be unquoted. Double-quote and backslash characters in MIME
> parameter values MUST be character encoded."
> 
> I think this would resolve this issue, since the canonicalized "type"
> value in your example would be quoted.
> 
> Does this resolve this issue?
> 
> 
> regards, Frederick
> 
> Frederick Hirsch
> Nokia 
> 
> 
> 
> ________________________________
> 
> From: ext Blake Dournaee [mailto:blake@sarvega.com] 
> Sent: Monday, October 11, 2004 9:20 PM
> To: 'Bruce Rich'
> Cc: Hirsch Frederick (Nokia-TP/Boston)
> Subject: RE: [wss] SwA Interop Scenarios
> 
> 
> 
> Hi Bruce,
> 
> 
> 
> This is a good question, and I'm copying Frederick Hirsch to see if he
> can make a statement regarding the appropriate MIME version 
> that should
> apply. Since the scenarios are based around the OASIS WS-Security SwA
> Profile, we may want to make a statement to this effect that document
> instead and have the interoperability scenarios inherit this decision.
> 
> 
> 
> I was under the assumption that the quotes were optional, but I may be
> wrong.
> 
> 
> 
> FYI, I should be adding more scenarios (probably 2) that also 
> cover the
> case where the MIME attachments should be signed/encrypted.
> 
> 
> 
> Thanks,
> 
> 
> 
> Blake Dournaee
> 
> Senior Security Architect
> 
> Sarvega, Inc.
> 
> 
> 
> ________________________________
> 
> From: Bruce Rich [mailto:brich@us.ibm.com] 
> Sent: Monday, October 11, 2004 1:43 PM
> To: Blake Dournaee
> Subject: Re: [wss] SwA Interop Scenarios
> 
> 
> 
> 
> Blake, 
> 
> I'm OK with the scenarios you proposed. 
> 
> One thing I'm a bit curious about is whether the following 
> line is valid
> MIME 
> 
> Content-Type: multipart/related; boundary="sig-example" type=text/xml 
> 
> My parser allows the slash on multipart/related, but is nonplussed to
> find it on type=text/xml 
> without quotes around the text/xml part.  Given the multiple RFCs that
> might apply, which one is most definitive for this case? 
> 
> Bruce A Rich
> brich@us.ibm.com
> 
> 
> 
> 
> "Blake Dournaee" <blake@sarvega.com> 
> 
> 09/02/2004 03:41 PM 
> 
>                 To
> 
>                 <wss@lists.oasis-open.org> 
> 
>                 
> cc
> 
>                  
> 
>                 
> Subject
> 
>                 [wss] SwA Interop Scenarios
> 
>                 
> 
> 
> 
> 
> 
>                  
> 
>                 
> 
> 
> 
> 
> All,
> 
> Right now I am planning three simple interop scenarios for the SwA
> profile.
> Right now I am leaving the headers out of scope until we decide on how
> to
> handle them exactly.
> 
> I am proposing the following three scenarios. Please let me 
> know if you
> have
> any comments or concerns about these. These are a good starting point
> and I
> anticipate we will add more variables based on demand:
> 
> Scenario #1: Attachment Signature where the attachment content type is
> fixed
> at image/jpeg and the reference mechanism is Content-Id. The signature
> will
> be based on an X.509 certificate
> 
> Scenario #2: Attachment Encryption where the attachment 
> content type is
> fixed at image/jpeg using a shared secret for encryption, which is
> wrapped
> with a public key. Content-Id is used for the reference mechanism.
> 
> Scenario #3: Attachment Signature + Encryption where the 
> content type is
> fixed at text/xml. Similar mechanisms as above for keys and 
> algorithms.
> 
> Regards,
> 
> Blake
> 
> 
> 
> 
> To unsubscribe from this mailing list (and be removed from 
> the roster of
> the OASIS TC), go to
> http://www.oasis-open.org/apps/org/workgroup/wss/members/leave
_workgroup
> .php.
> 
> 
> 
> 
> 
> To unsubscribe from this mailing list (and be removed from 
> the roster of the OASIS TC), go to 
> http://www.oasis-open.org/apps/org/workgroup/wss/members/leave
_workgroup.php.
> 
>