Subject: Re: [wss] Question about SignatureConfirmation


When the SOAP request contains multiple signatures, the requester may find all of the signature confirmation elements contained in the response, and check the values of the value fields of the signature confirmation elements against the values of the signatures in the original SOAP request.


Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122


From: "Srinivas, Davanum M" <Davanum.Srinivas@ca.com>
Date: 05/06/2005 07:22 AM
To: <wss@lists.oasis-open.org>
cc: "Werner Dittmann" <Werner.Dittmann@t-online.de>
Subject: [wss] Question about SignatureConfirmation

Team,

Here's a question from a colleague (Werner Dittmann <Werner.Dittmann@t-online.de>) about SignatureConfirmation…can someone please help?

In the SOAP Message security document, dated Feb, 14th the relevant part for the SignatureConfirmation reads in section "response generation rules":

<quote>
every response message generated, the responder MUST include a <wsse11:SignatureConfirmation> element for every <ds:Signature> element it processed from the original request message. The Value attribute MUST be set to the exact value of the <ds:SignatureValue> element of the corresponding <ds:Signature> element.

</quote>

If the request contains just _one_ ds:Signature then it is easy, but how is the correlation done if the request contains more than one ds:Signature? The responder can insert the SignatureConfirmation elements for each ds:Signature it sees. But how does the initiator (receiver of the response) now correlate both? I don't see any Id mechanism in the spec that supports such a correlation on the initiator side. Or is the correlation done implicitly via the order of ds:Signature in the request, i.e. the responder must insert SignatureConfirmation in the same order as it processed the ds:Signature? IMHO this would be complicated to implement and is inherently unsafe. Another way could be that the initiator loops over all SignatureConfirmation and checks if it generated a corresponding ds:Signature - well, IMHO not a good way either.

Thanks,
dims

Davanum Srinivas
Computer Associates
Senior Architect, Web Services Group
Tel: +1 508 628 8251
davanum.srinivas@ca.com
http://ws.apache.org/~dims/
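The value-based correlation that the reply describes (the requester collects every wsse11:SignatureConfirmation in the response and matches each Value against the ds:SignatureValue elements of its own request, ignoring element order) can be written as a small check. The following is an added example, not code from the thread, from OASIS or from any WSS implementation; the SOAP envelopes are constructed sample input with placeholder base64 strings rather than real signatures, and the function and variable names are the example's own. It goes slightly beyond the thread by reporting both directions of mismatch: request signatures that the responder never confirmed, and confirmations that name a signature the requester never sent (a replayed or stale response).

```python
"""Correlate wsse11:SignatureConfirmation elements in a SOAP response with the
ds:Signature elements of the original request, by value rather than by order.

Added example for the OASIS wss thread; the envelopes below are constructed
sample input with placeholder base64 values, not real XML signatures.
"""
import re
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE11 = "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"


def _canon_b64(text):
    # ds:SignatureValue content is base64 and is often wrapped over several
    # lines; the Value attribute carries the same base64 without line breaks,
    # so strip all whitespace on both sides before comparing.
    return re.sub(r"\s+", "", text or "")


def request_signature_values(request_xml):
    """All ds:SignatureValue strings (whitespace-normalised) in a request."""
    root = ET.fromstring(request_xml)
    return [_canon_b64(sv.text) for sv in root.iter(f"{{{DS}}}SignatureValue")]


def response_confirmation_values(response_xml):
    """All wsse11:SignatureConfirmation/@Value strings in a response."""
    root = ET.fromstring(response_xml)
    return [_canon_b64(sc.get("Value"))
            for sc in root.iter(f"{{{WSSE11}}}SignatureConfirmation")
            if sc.get("Value") is not None]


def check_signature_confirmations(request_xml, response_xml):
    """Return (ok, unconfirmed, unexpected).

    Correlation is purely by value: the responder may emit the confirmations
    in any order. ok is True only when every signature the requester sent is
    confirmed AND no confirmation refers to a signature it never sent.
    """
    sent = set(request_signature_values(request_xml))
    confirmed = set(response_confirmation_values(response_xml))
    unconfirmed = sorted(sent - confirmed)   # responder dropped one
    unexpected = sorted(confirmed - sent)    # stale/replayed confirmation
    return (not unconfirmed and not unexpected, unconfirmed, unexpected)


# Constructed request with two signatures (placeholder SignatureValue text).
REQUEST = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <S:Header><wsse:Security>
  <ds:Signature Id="Sig-1"><ds:SignedInfo/><ds:SignatureValue>
    QUJDREVGR0g=
  </ds:SignatureValue></ds:Signature>
  <ds:Signature Id="Sig-2"><ds:SignedInfo/><ds:SignatureValue>SUpLTE1OT1A=</ds:SignatureValue></ds:Signature>
 </wsse:Security></S:Header>
 <S:Body/>
</S:Envelope>"""

# Constructed responses: confirmations in reverse order (fine), one missing,
# and one that confirms a value the request never contained.
_RESP = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
 <S:Header><wsse11:Security>{}</wsse11:Security></S:Header><S:Body/>
</S:Envelope>"""
RESPONSE_OK = _RESP.format(
    '<wsse11:SignatureConfirmation Value="SUpLTE1OT1A="/>'
    '<wsse11:SignatureConfirmation Value="QUJDREVGR0g="/>')
RESPONSE_MISSING = _RESP.format(
    '<wsse11:SignatureConfirmation Value="SUpLTE1OT1A="/>')
RESPONSE_STALE = _RESP.format(
    '<wsse11:SignatureConfirmation Value="SUpLTE1OT1A="/>'
    '<wsse11:SignatureConfirmation Value="WFlaMDEyMzQ="/>')

if __name__ == "__main__":
    for name, resp in [("ok", RESPONSE_OK), ("missing", RESPONSE_MISSING),
                       ("stale", RESPONSE_STALE)]:
        print(name, check_signature_confirmations(REQUEST, resp))
```

The check is only meaningful if the SignatureConfirmation elements in the response are themselves covered by the responder's signature and that signature verifies first; otherwise anyone who can alter the response can copy the expected values into it. Matching by value also sidesteps the ordering question raised in the thread: the responder need not preserve the order in which it processed the request's ds:Signature elements.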
