Subject: RE: [wss] examples of signing element(s) in security header
Okay, I think there are at least three separate issues here:

1. What was originally intended.
2. What the example should show.
3. Any additional constraints we want to add.

Regarding 1, as mentioned on the call, I don't think there was any intent to specify constraints on where the signed thing has to be. While I think the proposed revised example is fine, I also think the example that is in the spec now is fine too. I suggest that we clarify the following statement from the spec

| As elements are added to a <wsse:Security> header block, they SHOULD
| be prepended to the existing elements.

so that it will read in the errata as

| As ds:Signature, enc:EncryptedKey, and enc:ReferenceList elements
| are added to a <wsse:Security> header block, they SHOULD be added
| in such a way that they appear before any existing ds:Signature,
| enc:EncryptedKey, or enc:ReferenceList elements already in the
| wsse:Security header.

more accurately reflecting the original intent.

Regarding 2, I am fine with either the example that is there now or the proposed revised example or both.

Regarding 3, if we want to further require that signed things appear after/before the signature, then we should add some text like

| Anything referenced by a ds:Signature/ds:SignedInfo/ds:Reference
| that appears in the same wsse:Security header SHOULD appear
| after/before that ds:Signature in that wsse:Security header.

but I am not sure if or how far we want to go with this.

&Thomas.

] -----Original Message-----
] From: NISHIMURA Toshihiro [mailto:nishimura.toshi@jp.fujitsu.com]
] Sent: Tuesday, February 08, 2005 5:34 AM
] To: wss@lists.oasis-open.org
] Subject: Re: [wss] examples of signing element(s) in security header
]
] In any case, it is better to provide a straightforward (easy to
] understand) example for the readers.
]
] So, I'd like to propose the following processing order for the example
] of chapter 11.
]   1. put a timestamp
]      (prepend a <wsu:Timestamp> element)
]   2. sign the timestamp and the body
]      (prepend a <ds:Signature> element and then a
]      <wsse:BinarySecurityToken> element for the certificate)
]   3. encrypt the body
]      (prepend a <xenc:EncryptedKey> element)
]
] The resulting element order in the Security header block will be:
]   <wsse:Security>
]     <xenc:EncryptedKey>...          (the key used for encryption)
]     <wsse:BinarySecurityToken>...   (the certificate to verify the signature)
]     <ds:Signature>...               (the signature over the timestamp and the body)
]     <wsu:Timestamp>...              (the timestamp being signed)
]   </wsse:Security>
]
] Current order is:
]   <wsse:Security>
]     <wsu:Timestamp>...              (the timestamp being signed)
]     <wsse:BinarySecurityToken>...   (the certificate to verify the signature)
]     <xenc:EncryptedKey>...          (the key used for encryption)
]     <ds:Signature>...               (the signature over the timestamp and the body)
]   </wsse:Security>
] ---
] Toshi
]
] From: Anthony Nadalin <drsecure@us.ibm.com>
] > I'm not sure that works, as you may have namespace issues since the
] > namespaces may be different from when you sign the elements and then
] > place them in the security header, you could have different
] > namespaces.
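The two things discussed in this thread, the prepend-as-you-go construction of the header (Toshi's three processing steps) and Thomas's optional "referenced element appears after/before its ds:Signature" constraint, can be made concrete with a small script. This is an added example, not code from the thread or from the OASIS WSS specification. It uses the WSS 1.0, XML-DSig and XML-Encryption namespace URIs, builds a header with constructed wsu:Id values and empty element bodies (no real signing or encryption takes place), and reads the unresolved "after/before" in the proposed text as "after", which is the reading that matches prepending; that choice is an assumption of the example, not a decision of the TC.

```python
"""Simulate prepend-based construction of a <wsse:Security> header and check
an ordering rule over the result. Added example: namespace URIs are the real
WSS 1.0 / XML-DSig / XML-Enc ones; ids and element contents are constructed."""
import xml.etree.ElementTree as ET

NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)


def q(prefix, local):
    """Clark-notation tag name ({uri}local) for ElementTree."""
    return "{%s}%s" % (NS[prefix], local)


def local_name(elem):
    """Strip the namespace from a Clark-notation tag."""
    return elem.tag.rsplit("}", 1)[-1]


def prepend(parent, child):
    """The spec's rule: a new header element is prepended to the existing ones."""
    parent.insert(0, child)


def build_header():
    """Sender-side processing order from the proposal: timestamp, sign, encrypt."""
    security = ET.Element(q("wsse", "Security"))

    # 1. put a timestamp (constructed wsu:Id)
    ts = ET.Element(q("wsu", "Timestamp"), {q("wsu", "Id"): "Timestamp-1"})
    prepend(security, ts)

    # 2. sign the timestamp and the body: prepend ds:Signature, then the token.
    #    The Body-1 reference points outside the header, so it is left unresolved.
    sig = ET.Element(q("ds", "Signature"))
    signed_info = ET.SubElement(sig, q("ds", "SignedInfo"))
    ET.SubElement(signed_info, q("ds", "Reference"), {"URI": "#Timestamp-1"})
    ET.SubElement(signed_info, q("ds", "Reference"), {"URI": "#Body-1"})
    prepend(security, sig)
    bst = ET.Element(q("wsse", "BinarySecurityToken"), {q("wsu", "Id"): "X509-1"})
    prepend(security, bst)

    # 3. encrypt the body: prepend xenc:EncryptedKey
    prepend(security, ET.Element(q("xenc", "EncryptedKey")))
    return security


def current_spec_order():
    """The element order of the chapter 11 example as quoted in the thread (constructed)."""
    security = ET.Element(q("wsse", "Security"))
    ET.SubElement(security, q("wsu", "Timestamp"), {q("wsu", "Id"): "Timestamp-1"})
    ET.SubElement(security, q("wsse", "BinarySecurityToken"), {q("wsu", "Id"): "X509-1"})
    ET.SubElement(security, q("xenc", "EncryptedKey"))
    sig = ET.SubElement(security, q("ds", "Signature"))
    signed_info = ET.SubElement(sig, q("ds", "SignedInfo"))
    ET.SubElement(signed_info, q("ds", "Reference"), {"URI": "#Timestamp-1"})
    return security


def header_order(security):
    """Local names of the header's children, in document order."""
    return [local_name(c) for c in security]


def check_reference_order(security):
    """Thomas's optional rule, read as 'after': anything a ds:Reference points at
    inside this header must come after the ds:Signature that references it.
    Returns a list of (signature_index, referenced_id) pairs that break the rule."""
    children = list(security)
    ids = {c.get(q("wsu", "Id")): i for i, c in enumerate(children) if c.get(q("wsu", "Id"))}
    violations = []
    for idx, c in enumerate(children):
        if c.tag != q("ds", "Signature"):
            continue
        for ref in c.iter(q("ds", "Reference")):
            uri = ref.get("URI", "")
            if not uri.startswith("#"):
                continue  # not a same-document reference
            target = ids.get(uri[1:])
            if target is not None and target < idx:
                violations.append((idx, uri[1:]))
    return violations


if __name__ == "__main__":
    proposed = build_header()
    print(header_order(proposed))            # prepend order, top-down
    print(check_reference_order(proposed))   # [] under the 'after' reading
    print(check_reference_order(current_spec_order()))
```

Reading the proposed header top-down gives a receiver the processing order it needs: the encryption key first, then the token and signature, then the signed timestamp. Under the "after" reading, the proposed order passes the optional rule and the current chapter 11 order does not; under the "before" reading the results would swap, which is exactly why the thread leaves the choice open.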