OASIS Mailing List Archives

wss message



Subject: Question about SignatureConfirmation



Team,

Here's a question from a colleague (Werner Dittmann <Werner.Dittmann@t-online.de>) about SignatureConfirmation…can someone please help?

In the SOAP Message Security document, dated Feb 14th, the relevant part for the SignatureConfirmation reads, in section "response generation rules":

<quote>
every response message generated, the responder MUST include a <wsse11:SignatureConfirmation> element for every <ds:Signature> element it processed from the original request message. The Value attribute MUST be set to the exact value of the <ds:SignatureValue> element of the corresponding <ds:Signature> element.

</quote>

If the request contains just _one_ ds:Signature then it is easy, but how is the correlation done if the request contains more than one ds:Signature? The responder can insert the SignatureConfirmation elements for each ds:Signature it sees. But how does the initiator (receiver of the response) now correlate both? I don't see any Id mechanism in the spec that supports such a correlation on the initiator side. Or is the correlation done implicitly via the order of ds:Signature in the request, i.e. the responder must insert SignatureConfirmation in the same order as it processed the ds:Signature? IMHO this would be complicated to implement and is inherently unsafe. Another way could be that the initiator loops over all SignatureConfirmation and checks if it generated a corresponding ds:Signature - well, IMHO not a good way either.

Thanks,
dims

Davanum Srinivas
Computer Associates
Senior Architect, Web Services Group
Tel: +1 508 628 8251
davanum.srinivas@ca.com
http://ws.apache.org/~dims/
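
The value-based matching raised at the end of the message, as an added example that is not part of the original post or of the specification: the initiator compares the multiset of ds:SignatureValue contents it sent with the Value attributes of the wsse11:SignatureConfirmation elements in the response, independent of element order. The function names, the whitespace normalisation and the sample messages are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE11 = "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"


def norm(b64):
    # Assumption: base64 text may be line-wrapped in element content,
    # so values are compared with all whitespace removed.
    return "".join((b64 or "").split())


def sent_signature_values(request_xml):
    """Multiset of ds:SignatureValue contents found in the request."""
    root = ET.fromstring(request_xml)
    return Counter(norm(e.text) for e in root.iter(f"{{{DS}}}SignatureValue"))


def confirmed_values(response_xml):
    """Multiset of Value attributes on wsse11:SignatureConfirmation."""
    root = ET.fromstring(response_xml)
    confs = root.iter(f"{{{WSSE11}}}SignatureConfirmation")
    return Counter(norm(e.get("Value")) for e in confs
                   if e.get("Value") is not None)


def check_confirmations(request_xml, response_xml):
    """Return (missing, unexpected); both empty means every signature
    sent was confirmed and nothing else was confirmed."""
    sent = sent_signature_values(request_xml)
    got = confirmed_values(response_xml)
    return sorted((sent - got).elements()), sorted((got - sent).elements())


# Constructed sample fragments (not real signatures): two ds:Signature
# elements in the request, confirmations built per test case.
REQUEST = f"""<Security xmlns:ds="{DS}">
  <ds:Signature><ds:SignatureValue>c2lnLUE=</ds:SignatureValue></ds:Signature>
  <ds:Signature><ds:SignatureValue>c2ln
    LUI=</ds:SignatureValue></ds:Signature>
</Security>"""


def build_response(*values):
    confs = "".join(f'<wsse11:SignatureConfirmation Value="{v}"/>'
                    for v in values)
    return f'<Security xmlns:wsse11="{WSSE11}">{confs}</Security>'


if __name__ == "__main__":
    # Confirmations arrive in the opposite order to the request signatures.
    print(check_confirmations(REQUEST, build_response("c2lnLUI=", "c2lnLUE=")))
```
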


