----- Original Message -----
Sent: Thursday, December 09, 2004 12:29
PM
Subject: RE: [wss] SwA Profile draft 15
vote Dec 14
The transform does not modify the message, rather it
produces output that can be used as input to reference digest operation. I
don't understand the issue of angle bracket removal.
regards, Frederick
Frederick Hirsch
Nokia
Frederick,
Regarding #2, I'm not sure I understand the issue. In either case the
transform would include the angle brackets as part of the header value (used
for the digest) and in each case this header would have those brackets (as
part of a correct Content-ID header). This is orthogonal to how the URI is
formed to reference the attachment and how cid resolution is
performed.
I think the answer is "yes", Content-ID header values
must include angle brackets.
There is no
argument on what needs to be signed. The doc makes it very clear why
"<>" need to be included for the attachment complete transform. My
dilemma is about what should be the receiver (or security processing layer on
the receiver side) doing after the verification of the signature. Should it
restore the original content-id (without "<>") or leave them "<>"
as they are? If it removes them and there are swa-refs to the same
attachment, swa-ref processing will fail. If it leaves them as is and there
are no swa-refs, getting the attachment using original "content-id" will
fail.
/t$r
(Ramana Turlapati)
regards, Frederick
Frederick Hirsch
Nokia
Frederick,
Here are couple of items that need
clarification.
1. Section 4.2 Referencing
Attachments
--------------------------------------------------------------
I know this has been brought up in TC and
nobody had any objections for this limitation of not supporting referencing
using content location header.
I look at change log and see that initially SwA
supported CID scheme only. At a later pt of time (06/12/04) we included
support for Content Location and removed in the latest
draft. Do we know what was the basis of its inclusion, were we addressing a
specific requirement then?
On the same lines, is it appropriate for a WSS
Profile to limit the usage on grounds of interoperability and simplicity, or
is it something that BSP should do?
2. Section 4.4.1 Step 7
---------------------------------
Imagine a scenario where there are two
SOAP Envelopes, one with an attachment that is not referenced from the
SOAP:Body , another with the same attachment referenced from SOAP:Body (ala
swa-ref).
Now if these attachments are signed using
attachment complete transform, in the first as well as second case, the
signature is computed with content-id and "<" brackets. Now how does the
receiver of these requests know what to restore as the real content-id of
the attachment ? Am I correct in thinking that in the latter case "<>"
have to be retained as the downstream swa-ref processing is expecting to see
it.
/t$r
(Ramana Turlapati)
----- Original Message -----
Sent: Tuesday, December 07, 2004 6:13
AM
Subject: [wss] SwA Profile draft 15
vote Dec 14
This is a
reminder that we plan to vote on the SwA profile, draft 15 [1] for
Committee Draft, next Tuesday, 14 Dec.
Please review
the specification in advance and post any issues to the WSS mailling
list.
Thank
you.
regards, Frederick
Frederick Hirsch
Nokia
PDF with diff
marks: