Subject: Re: [wss] examples of signing element(s) in security header


It seems to be solved. (Thanks, Thomas)

For key-bearing elements, the following rule will be applied:
| key-bearing element SHOULD be ordered to precede the key-using Element:

For a Timestamp element, if I assume the following step:
- make a Timestamp element
- sign the Timestamp element and the SOAP body (producing a Signature
  element)
- put the Timestamp element and the Signature element in the Security
  header at a time
then both orderings are possible.

---
Toshi

At Tue, 01 Feb 2005 19:13:34 +0900,
NISHIMURA Toshihiro wrote:
> We have the following prepending rule (RECOMMENDATION):
> | As elements are added to a <wsse:Security> header block, they SHOULD
> | be prepended to the existing elements.
> 
> When we want to add a security timestamp and sign it, according to the
> rule above, we should prepend Timestamp element first and then prepend
> Signature element. The structure would be:
> <wsse:Security>
>   <ds:Signature> (signing the Timestamp)
>   <wsu:Timestamp> (to be signed)
> 
> But, current example in chapter 11 of core has following structure:
> <wsse:Security>
>   <wsu:Timestamp wsu:Id="T0">
>   <ds:Signature>
>     <ds:SignedInfo>
>       <ds:Reference URI="#T0">
> 
> 
> Similarly, when we want to sign a token (or token reference) in the
> same Security header, we should prepend the token (reference) first
> and then prepend Signature element.
> <wsse:Security>
>   <ds:Signature> (signing the token (reference))
>   <some token (reference)> (to be signed)
> Current examples in the following documents/sections do not have the
> elements in this order.
>  - core / section 8.3
>  - X.509 profile / section 3.3.2
>  - REL profile / section 3.4 (the second and the third examples in
>    this section)
>  - SAML profile / section 3.3.3 and section 3.4.2.3
> 
> Am I misunderstanding something?
> Or should these examples be corrected in errata?
> ---
> NISHIMURA Toshihiro (FAMILY Given)
> nishimura.toshi@jp.fujitsu.com
> STRATEGY AND TECHNOLOGY DIV., SOFTWARE GROUP, FUJITSU LIMITED
> 

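As an added illustration of the two rules discussed in this thread (not code from the thread or from the WSS TC), the checker below reads a SOAP envelope, verifies that every ds:Reference URI="#id" resolves to a wsu:Id regardless of header order (so a Timestamp may precede or follow its Signature), and flags a key-bearing token that follows the Signature whose KeyInfo names it. The two envelopes are constructed samples with placeholder signature and token values; check_envelope and the constant names are the example's own.

```python
import xml.etree.ElementTree as ET
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"S": SOAP, "wsse": WSSE, "wsu": WSU, "ds": DS}
WSU_ID = f"{{{WSU}}}Id"  # Clark notation for the wsu:Id attribute

def check_envelope(xml_text):
    """Return problems in the wsse:Security header of a SOAP envelope.

    Check 1: each ds:Reference URI="#id" resolves to a wsu:Id somewhere in the
    envelope (header order is irrelevant, so a Timestamp may sit either side of
    the Signature that covers it).  Check 2: a key-bearing element (the token a
    Signature's KeyInfo names) SHOULD precede the Signature that uses it.
    """
    env = ET.fromstring(xml_text)
    sec = env.find("S:Header/wsse:Security", NS)
    # map every element inside the header to the position of its top-level child
    top = {d: i for i, c in enumerate(sec) for d in c.iter()}
    ids = {e.get(WSU_ID): e for e in env.iter() if e.get(WSU_ID)}
    problems = []
    for sig in sec.findall("ds:Signature", NS):
        for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
            uri = ref.get("URI", "")
            if uri.startswith("#") and uri[1:] not in ids:
                problems.append(f"unresolved Reference {uri}")
        for kref in sig.findall("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS):
            uri = kref.get("URI", "")
            tok = ids.get(uri[1:]) if uri.startswith("#") else None
            if tok is None:
                problems.append(f"unresolved key reference {uri}")
            elif tok in top and top[tok] > top[sig]:
                problems.append(f"key-bearing element {uri} follows the Signature using it")
    return problems

# constructed envelope: Signature prepended ahead of the Timestamp it signs (allowed)
ENV_TS = f"""<S:Envelope xmlns:S="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">
 <S:Header><wsse:Security>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#T0"/><ds:Reference URI="#B"/></ds:SignedInfo></ds:Signature>
  <wsu:Timestamp wsu:Id="T0"><wsu:Created>2005-02-01T10:13:34Z</wsu:Created></wsu:Timestamp>
 </wsse:Security></S:Header><S:Body wsu:Id="B"/></S:Envelope>"""

# constructed envelope: Signature placed ahead of the token its KeyInfo names (violates the rule)
ENV_TOK = f"""<S:Envelope xmlns:S="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">
 <S:Header><wsse:Security>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#B"/></ds:SignedInfo><ds:KeyInfo>
   <wsse:SecurityTokenReference><wsse:Reference URI="#X509"/></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
  <wsse:BinarySecurityToken wsu:Id="X509">BASE64-PLACEHOLDER</wsse:BinarySecurityToken>
 </wsse:Security></S:Header><S:Body wsu:Id="B"/></S:Envelope>"""
```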