
Subject: Re: [wss] examples of signing element(s) in security header


I'm not sure that works, as you may have namespace issues since the namespaces may be different from when you sign the elements and then place them in the security header, you could have different namespaces.

Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122

NISHIMURA Toshihiro <nishimura.toshi@jp.fujitsu.com>
02/01/2005 07:55 PM

To: wss@lists.oasis-open.org
cc:
Subject: Re: [wss] examples of signing element(s) in security header

It seems to be solved. (Thanks, Thomas)

For key-bearing elements, the following rule will be applied.
| key-bearing element SHOULD be ordered to precede the key-using Element:

For a Timestamp element, if I assume the following step:
- make a Timestamp element
- sign the Timestamp element and the SOAP body (producing a Signature
 element)
- put the Timestamp element and the Signature element in the Security
 header at a time
then both orderings are possible.

---
Toshi

At Tue, 01 Feb 2005 19:13:34 +0900,
NISHIMURA Toshihiro wrote:
> We have the following prepending rule (RECOMMENDATION):
> | As elements are added to a <wsse:Security> header block, they SHOULD
> | be prepended to the existing elements.
>
> When we want to add a security timestamp and sign it, according to the
> rule above, we should prepend Timestamp element first and then prepend
> Signature element. The structure would be:
> <wsse:Security>
>   <ds:Signature> (signing the Timestamp)
>   <wsu:Timestamp> (to be signed)
>
> But, current example in chapter 11 of core has following structure:
> <wsse:Security>
>   <wsu:Timestamp wsu:Id="T0">
>   <ds:Signature>
>     <ds:SignedInfo>
>       <ds:Reference URI="#T0">
>
>
> Similarly, when we want to sign a token (or token reference) in the
> same Security header, we should prepend the token (reference) first
> and then prepend Signature element.
> <wsse:Security>
>   <ds:Signature> (signing the token (reference))
>   <some token (reference)> (to be signed)
> Current examples in the following documents/sections do not have the
> elements in this order.
>  - core / section 8.3
>  - X.509 profile / section 3.3.2
>  - REL profile / section 3.4 (the second and the third examples in
>    this section)
>  - SAML profile / section 3.3.3 and section 3.4.2.3
>
> Am I misunderstanding something?
> Or should these examples be corrected in errata?
> ---
> NISHIMURA Toshihiro (FAMILY Given)
> nishimura.toshi@jp.fujitsu.com
> STRATEGY AND TECHNOLOGY DIV., SOFTWARE GROUP, FUJITSU LIMITED
>
> To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to
http://www.oasis-open.org/apps/org/workgroup/wss/members/leave_workgroup.php.
>
>
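
The two header layouts discussed in this thread, as an added example that is not part of the original messages or of the WSS specification: it builds a `<wsse:Security>` header by prepending or by appending, then reports whether each same-header `ds:Reference` target sits before or after its `ds:Signature`. The function names, status strings and the `#body` reference are assumptions made for illustration, and the fragments are constructed (structure only, no real signature).

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed fragments: structure only, no real digest or signature value.
TIMESTAMP = '<wsu:Timestamp xmlns:wsu="%s" wsu:Id="T0"/>' % WSU
SIGNATURE = ('<ds:Signature xmlns:ds="%s"><ds:SignedInfo>'
             '<ds:Reference URI="#T0"/><ds:Reference URI="#body"/>'
             '</ds:SignedInfo></ds:Signature>' % DS)

def build_header(fragments, prepend=True):
    """Add fragments one by one, prepending (the SHOULD rule) or appending."""
    header = ET.Element("{%s}Security" % WSSE)
    for frag in fragments:
        child = ET.fromstring(frag)
        if prepend:
            header.insert(0, child)
        else:
            header.append(child)
    return ET.tostring(header, encoding="unicode")

def signed_header_order(security_xml):
    """Report where each ds:Reference target sits relative to its Signature."""
    children = list(ET.fromstring(security_xml))
    position = {c.get("{%s}Id" % WSU): i for i, c in enumerate(children)
                if c.get("{%s}Id" % WSU)}
    report = []
    for sig_index, child in enumerate(children):
        if child.tag != "{%s}Signature" % DS:
            continue
        for ref in child.findall("{%s}SignedInfo/{%s}Reference" % (DS, DS)):
            uri = ref.get("URI", "")
            target = uri[1:] if uri.startswith("#") else None
            if target not in position:
                report.append((uri, "outside-header"))  # e.g. the SOAP body
            elif position[target] < sig_index:
                report.append((uri, "target-before-signature"))
            else:
                report.append((uri, "target-after-signature"))
    return report

# Timestamp added first, Signature second, each prepended: Signature ends up on top.
PREPENDED = build_header([TIMESTAMP, SIGNATURE], prepend=True)
# Same insertion sequence but appended: the layout of the chapter 11 example.
CHAPTER11_STYLE = build_header([TIMESTAMP, SIGNATURE], prepend=False)

if __name__ == "__main__":
    print(signed_header_order(PREPENDED))
    print(signed_header_order(CHAPTER11_STYLE))
```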
