
Subject: Issue 377 Proposed resolution (SwA profile, ReferenceList usage)


This email contains a proposed resolution to issue 377 on the SwA
profile, regarding ReferenceList usage [1].
 
Proposal

Change Section 4.5 paragraph 5 from:

"When an attachment is encrypted, an <xenc:ReferenceList> element SHOULD
NOT be placed as a direct child of the <wsse:Security> header, since the
<xenc:EncryptedData> element is present in the header, eliminating the
need for this reference. Although the SOAP Message Security standard
recommends the use of <xenc:ReferenceList>, this is only necessary when
the <xenc:EncryptedData> element is not present in the <wsse:Security>
header. (As mentioned, when the key is conveyed in an
<xenc:EncryptedKey> element, then this element will have a ReferenceList
Reference to the <xenc:EncryptedData> element)."

To

"When an attachment is encrypted, an <xenc:EncryptedData> element will
be placed in the <wsse:Security> header. An 
<xenc:ReferenceList> element associated with this <xenc:EncryptedData>
element may also be added, as recommended by WSS: SOAP Message
Security."

And change step 8 in 4.5.2 from:

"Prepend the <xenc:EncryptedData> element to the <wsse:Security> SOAP
header block. An application SHOULD NOT add a <xenc:ReferenceList>
element to the SOAP header block (even though recommended by SOAP
Message Security)."

To

"Prepend the required <xenc:EncryptedData> element to the
<wsse:Security> SOAP header block and then prepend the associated
optional <xenc:ReferenceList> element."

Rationale: 

The raised issue correctly points out that there may be valid reasons
for using an <xenc:EncryptedData> element in conjunction with an
encrypted attachment. It is also preferable to be consistent with
expectations established with WSS:SOAP Message Security Recommendations.

This change broadens the ability of implementations to do what is
needed, and thus is compatible with implementations compliant with
previous versions of the SwA profile.


Comment:
Please send any comment or issues on this resolution to the WSS list in
advance of the 3 May meeting.

Thanks

regards, Frederick

Frederick Hirsch
Nokia 

[1]
http://www.oasis-open.org/apps/org/workgroup/wss/download.php/12309/wss-issues-64.html
 
See 377 and
http://lists.oasis-open.org/archives/wss-comment/200503/msg00002.html 
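
Added example, not part of the original e-mail or of the SwA profile text: a Python sketch of the revised step 8 (prepend the <xenc:EncryptedData>, then prepend the optional <xenc:ReferenceList>) together with a receiver-side check that every header-level DataReference resolves to an attachment EncryptedData. The function names, the Id "ED-1", the content-id "att-1@example.org" and the choice to recognise attachment EncryptedData by a cid: CipherReference are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
XENC = "http://www.w3.org/2001/04/xmlenc#"

def q(ns, tag):
    return "{%s}%s" % (ns, tag)

def add_encrypted_attachment(security, ed_id, cid, with_reference_list=True):
    """Revised step 8: prepend EncryptedData, then prepend the optional ReferenceList."""
    ed = ET.Element(q(XENC, "EncryptedData"), {"Id": ed_id})
    cipher_data = ET.SubElement(ed, q(XENC, "CipherData"))
    ET.SubElement(cipher_data, q(XENC, "CipherReference"), {"URI": "cid:" + cid})
    security.insert(0, ed)
    if with_reference_list:
        ref_list = ET.Element(q(XENC, "ReferenceList"))
        ET.SubElement(ref_list, q(XENC, "DataReference"), {"URI": "#" + ed_id})
        security.insert(0, ref_list)  # ends up ahead of the EncryptedData it names
    return security

def check_header(security):
    """Return (attachment EncryptedData Ids, problems) for one wsse:Security header.

    Assumption: only header-level elements are inspected; a DataReference that
    points into the SOAP body would need the whole envelope to resolve.
    """
    path = q(XENC, "CipherData") + "/" + q(XENC, "CipherReference")
    ids = []
    for ed in security.findall(q(XENC, "EncryptedData")):
        ref = ed.find(path)
        if ref is not None and ref.get("URI", "").startswith("cid:"):
            ids.append(ed.get("Id"))
    problems = []
    for dr in security.findall(q(XENC, "ReferenceList") + "/" + q(XENC, "DataReference")):
        uri = dr.get("URI", "")
        if not uri.startswith("#") or uri[1:] not in ids:
            problems.append("dangling DataReference " + uri)
    return ids, problems

def demo():
    # Constructed header that already carries a token before encryption is applied.
    security = ET.Element(q(WSSE, "Security"))
    ET.SubElement(security, q(WSSE, "BinarySecurityToken"))
    add_encrypted_attachment(security, "ED-1", "att-1@example.org")
    return [child.tag.split("}")[1] for child in security], check_header(security)

if __name__ == "__main__":
    print(demo())
```

A header built with with_reference_list=False passes the same check, which matches the proposal's wording that the ReferenceList is optional while the EncryptedData is required.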


