OASIS Mailing List Archives
Subject: FW: [wss-comment] xenc:ReferenceList SwA comment


Additional SwA comments from wss-comment list.

regards, Frederick

Frederick Hirsch
Nokia 

-----Original Message-----
From: ext Manveen Kaur [mailto:Manveen.Kaur@Sun.COM] 
Sent: Wednesday, March 23, 2005 2:07 AM
To: wss-comment@lists.oasis-open.org
Subject: [wss-comment] xenc:ReferenceList SwA comment

Hi,

(1)
The WSS:SOAP Message Security Spec [1], section 9.1 (line 1141-1143)
says that-

"All the <xenc:EncryptedData> elements created by this encryption step
SHOULD be listed in <xenc:DataReference> elements inside one or more
<xenc:ReferenceList> element."

So this means that DataReference elements should be added to
ReferenceList in case of element or element content encryption.  In
cases where a user wants to encrypt a username token then EncryptedData
would be placed in the SecurityHeader Block and a DataReference added to
the ReferenceList.

The latest SwA draft 17 [2], line 504-508 says-

"When an attachment is encrypted, an <xenc:ReferenceList> element SHOULD
NOT be placed as a direct child of the <wsse:Security> header, since the
<xenc:EncryptedData> element is present in the header, eliminating the
need for this reference."

(2)
In the case of shared symmetric keys,
The SOAP Message Security spec [1] (line 1150-1152) says that -

"A typical situation where the <xenc:ReferenceList> sub-element is
useful is that the producer and the recipient use a shared secret key."

The standalone ReferenceList is useful when using a Shared Symmetric Key
and the recommendation is that DataReferences be added to such a
ReferenceList even though the corresponding EncryptedData elements are
in the SecurityHeader.

Proposal -
The semantics for generating ReferenceList does not seem uniform. The
proposal is to allow addition of DataReferences to ReferenceList in
case of attachments.

[1] http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf
[2] http://www.oasis-open.org/apps/org/workgroup/wss/download.php/11918/wss-swa-profile-1.0-draft-17.pdf

Thanks,
Manveen
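As an added example (not code from the message above or from either spec), here is a receiver-side consistency check for the point the proposal raises: it lists every xenc:EncryptedData that no xenc:DataReference in a ReferenceList points to, and separately reports which of those are attachment encryptions (a CipherReference with a cid: URI), since draft 17 tells producers not to list those while section 9.1 says all EncryptedData SHOULD be listed. The SOAP envelope, its Ids and the attachment cid are constructed for this example; the namespace URIs are the standard WSS 1.0 and XML Encryption ones.

```python
import xml.etree.ElementTree as ET

# Namespaces used by WSS 1.0 and XML Encryption (real URIs, not invented).
XENC = "http://www.w3.org/2001/04/xmlenc#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
NS = {"xenc": XENC, "wsse": WSSE}

# Constructed sample envelope: one EncryptedData in the Security header covers an
# attachment (CipherReference to a cid: part, as in the SwA profile), one covers an
# encrypted UsernameToken, and one is the encrypted Body content.  The
# ReferenceList lists the token and the Body but, per draft 17, not the attachment.
SAMPLE_ENVELOPE = """
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="%s" xmlns:xenc="%s">
  <soap:Header>
    <wsse:Security>
      <xenc:EncryptedData Id="ED-attach" MimeType="image/png">
        <xenc:CipherData><xenc:CipherReference URI="cid:part1@example.invalid"/></xenc:CipherData>
      </xenc:EncryptedData>
      <xenc:EncryptedData Id="ED-unt">
        <xenc:CipherData><xenc:CipherValue>c2VjcmV0</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedData>
      <xenc:ReferenceList>
        <xenc:DataReference URI="#ED-unt"/>
        <xenc:DataReference URI="#ED-body"/>
      </xenc:ReferenceList>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <xenc:EncryptedData Id="ED-body" Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:CipherData><xenc:CipherValue>YWJj</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>
""" % (WSSE, XENC)


def is_attachment_encryption(encrypted_data):
    """True if the EncryptedData's ciphertext lives in a MIME part (cid: CipherReference)."""
    ref = encrypted_data.find("xenc:CipherData/xenc:CipherReference", NS)
    return ref is not None and ref.get("URI", "").startswith("cid:")


def check_reference_list(envelope_xml):
    """Return (unreferenced_ids, unreferenced_attachment_ids) in document order."""
    root = ET.fromstring(envelope_xml.strip())
    referenced = set()
    for ref_list in root.iter("{%s}ReferenceList" % XENC):
        for data_ref in ref_list.findall("xenc:DataReference", NS):
            uri = data_ref.get("URI", "")
            if uri.startswith("#"):          # same-document reference to an Id
                referenced.add(uri[1:])
    unreferenced, attachments = [], []
    for ed in root.iter("{%s}EncryptedData" % XENC):
        ed_id = ed.get("Id")
        if ed_id and ed_id not in referenced:
            unreferenced.append(ed_id)
            if is_attachment_encryption(ed):
                attachments.append(ed_id)
    return unreferenced, attachments
```

With the sample above, the only unlisted EncryptedData is the attachment one, which is exactly the case the proposal would make consistent with section 9.1.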
