----- Original Message -----
Sent: Thursday, December 09, 2004 12:29
PM
Subject: RE: [wss] SwA Profile draft 15
vote Dec 14
The transform does not modify the message, rather it
produces output that can be used as input to reference digest operation. I
don't understand the issue of angle bracket removal.
regards, Frederick
Frederick Hirsch
Nokia
Frederick,
Regarding #2, I'm not sure I understand the issue. In either case
the transform would include the angle brackets as part of the header value
(used for the digest) and in each case this header would have those
brackets (as part of a correct Content-ID header). This is orthogonal to
how the URI is formed to reference the attachment and how cid resolution
is performed.
I think the answer is "yes", Content-ID header values
must include angle brackets.
There is no
argument on what needs to be signed. The doc makes it very clear why
"<>" need to be included for the attachment complete transform. My
dilemma is about what should be the receiver (or security processing layer
on the receiver side) doing after the verification of the signature. Should
it restore the original content-id (without "<>") or leave them
"<>" as they are? If it removes them and there are swa-refs to
the same attachment, swa-ref processing will fail. If it leaves them as is
and there are no swa-refs, getting the attachment using original
"content-id" will fail.
/t$r
(Ramana Turlapati)
regards, Frederick
Frederick Hirsch
Nokia
Frederick,
Here are couple of items that need
clarification.
1. Section 4.2 Referencing
Attachments
--------------------------------------------------------------
I know this has been brought up in TC and
nobody had any objections for this limitation of not supporting
referencing using content location header.
I look at change log and see that initially
SwA supported CID scheme only. At a later pt of time (06/12/04) we
included support for Content Location and removed in the
latest draft. Do we know what was the basis of its inclusion, were we
addressing a specific requirement then?
On the same lines, is it appropriate for a
WSS Profile to limit the usage on grounds of interoperability and
simplicity, or is it something that BSP should do?
2. Section 4.4.1 Step 7
---------------------------------
Imagine a scenario where there are two
SOAP Envelopes, one with an attachment that is not referenced from the
SOAP:Body , another with the same attachment referenced from SOAP:Body
(ala swa-ref).
Now if these attachments are signed using
attachment complete transform, in the first as well as second case, the
signature is computed with content-id and "<" brackets. Now how does
the receiver of these requests know what to restore as the real content-id
of the attachment ? Am I correct in thinking that in the latter case
"<>" have to be retained as the downstream swa-ref processing is
expecting to see it.
/t$r
(Ramana Turlapati)
----- Original Message -----
Sent: Tuesday, December 07, 2004
6:13 AM
Subject: [wss] SwA Profile draft 15
vote Dec 14
This is a
reminder that we plan to vote on the SwA profile, draft 15 [1] for
Committee Draft, next Tuesday, 14 Dec.
Please
review the specification in advance and post any issues to the WSS
mailling list.
Thank
you.
regards, Frederick
Frederick Hirsch
Nokia
PDF with
diff marks: