OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

wss message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [wss] SwA Profile draft 15 vote Dec 14

Frederick,
Regarding #2, I'm not sure I understand the issue. In either case the transform would include the angle brackets as part of the header value (used for the digest) and in each case this header would have those brackets (as part of a correct Content-ID header). This is orthogonal to how the URI is formed to reference the attachment and how cid resolution is performed.
 
I think the answer is "yes", Content-ID header values must include angle brackets.
There is no argument on what needs to be signed. The doc makes it very clear why "<>" need to be included for the attachment complete transform. My dilemma is about what should be the receiver (or security processing layer on the receiver side) doing after the verification of the signature. Should it restore the original content-id (without "<>") or leave them "<>" as they are?  If it removes them and there are swa-refs to the same attachment, swa-ref processing will fail. If it leaves them as is and there are no swa-refs, getting the attachment using original "content-id" will fail.
 
 
/t$r
(Ramana Turlapati)
regards, Frederick

Frederick Hirsch
Nokia
 

From: ext Ramana Turlapati [mailto:ramana.rao.turlapati@oracle.com]
Sent: Wednesday, December 08, 2004 5:49 PM
To: Hirsch Frederick (Nokia-TP/Boston); wss@lists.oasis-open.org
Subject: Re: [wss] SwA Profile draft 15 vote Dec 14

Frederick,
 
Here are couple of items that need clarification.
 
1. Section 4.2  Referencing Attachments
--------------------------------------------------------------
I know this has been brought up in TC and nobody had any objections for this limitation of not supporting referencing using content location header.
 
I look at change log and see that initially SwA supported CID scheme only. At a later pt of time (06/12/04) we included support for  Content Location and removed in the latest draft. Do we know what was the basis of its inclusion, were we addressing a specific requirement then?
 
On the same lines, is it appropriate for a WSS Profile to limit the usage on grounds of interoperability and simplicity, or is it something that BSP should do?
 
 
2. Section 4.4.1 Step 7
---------------------------------
Imagine a scenario where there are two SOAP Envelopes, one with an attachment that is not referenced from the SOAP:Body , another with the same attachment referenced from SOAP:Body (ala swa-ref).
 
Now if these attachments are signed using attachment complete transform, in the first as well as second case, the signature is computed with content-id and "<" brackets. Now how does the receiver of these requests know what to restore as the real content-id of the attachment ? Am I correct in thinking that in the latter case "<>" have to be retained as the downstream swa-ref processing is expecting to see it.
 
 
/t$r
(Ramana Turlapati)
----- Original Message -----
Sent: Tuesday, December 07, 2004 6:13 AM
Subject: [wss] SwA Profile draft 15 vote Dec 14

This is a reminder that we plan to vote on the SwA profile, draft 15 [1] for Committee Draft, next Tuesday, 14 Dec.
 
Please review the specification in advance and post any issues to the WSS mailling list.
 
Thank you.

regards, Frederick

Frederick Hirsch
Nokia

 
PDF with diff marks:
 

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]