wss message



Subject: Issue 364/370 resolution proposal (SwA profile XML attachments)



So far I haven't seen much discussion on this issue and have seen arguments either way. In an attempt to move forward, I'll try to re-frame the issue and see if a corresponding proposal for resolution is acceptable. If not, I'd appreciate advice on an alternative.

I think we can summarize the issue so far as "should the SwA profile require XML attachments be conveyed in XML canonicalized form". Arguments against this were in draft 18.

Maybe we should reconsider the issue as, "must ds:Reference elements to attachments require use of an XML canonicalization transform as part of the SwA processing rules".

This would address the issue of proper XML canonicalization for signatures over XML, a gap in the current SwA profile, yet not imply that such canonicalization need be performed for attachments that are encrypted and not signed.

However, this would introduce a difficulty with the Attachment-Complete transform, since it outputs MIME headers + XML octet stream.

This could be resolved by making a change to how Attachment-Complete is handled, by always using one ds:Reference for attachment content (the XML or whatever) and another ds:Reference to the MIME header portion. Thus the reference to the content would have an Attachment-Content-Only transform, and for XML also an XML Signature canonicalization transform (exclusive?).

We would need to define a new transform (Attachment-MIME-headers-only) and adjust the processing rules to obtain a ds:Signature over the selected headers as well.

What do people think?

First, is the issue summarized properly?
Second, if so, does the proposal make sense?

(Third, did interop deal with XML attachments?)

regards, Frederick

Frederick Hirsch
Nokia
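
The two-reference split proposed above, as an added example that is not part of the original message or of the SwA profile: one digest over the attachment content (canonicalized first when it is XML) and a separate digest over selected MIME headers. The sample attachment, the header selection, the header normalization, SHA-256, and the use of Python's C14N 2.0 in place of the XML Signature canonicalization transform are all assumptions made for illustration.

```python
import hashlib
from xml.etree.ElementTree import canonicalize

# Constructed sample: one XML attachment as two senders might serialize it.
XML_A = b'<order xmlns="urn:example:po" id="7" currency="EUR"><item qty="2"/></order>'
XML_B = b"<order currency='EUR'  id='7' xmlns='urn:example:po'><item qty='2'></item></order>"
# Constructed MIME headers for that attachment part.
HEADERS = {"Content-Type": "text/xml; charset=UTF-8",
           "Content-ID": "<po-7@example.com>",
           "Content-Transfer-Encoding": "8bit"}
SELECTED = ("content-id", "content-type")  # assumption: headers chosen for signing


def sha256_hex(octets: bytes) -> str:
    return hashlib.sha256(octets).hexdigest()


def content_digest(body: bytes, is_xml: bool) -> str:
    """Reference 1: content only, canonicalized first when it is XML."""
    if is_xml:
        # C14N 2.0 stands in for the XML Signature canonicalization transform.
        body = canonicalize(body.decode("utf-8")).encode("utf-8")
    return sha256_hex(body)


def header_digest(headers: dict, selected=SELECTED) -> str:
    """Reference 2: selected MIME headers only (hypothetical normalization)."""
    lowered = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    lines = [f"{name}:{lowered[name]}" for name in sorted(selected) if name in lowered]
    return sha256_hex("\r\n".join(lines).encode("utf-8"))


def references(headers: dict, body: bytes, is_xml: bool) -> dict:
    """Digest values for the two separate references to one attachment."""
    return {"content": content_digest(body, is_xml),
            "headers": header_digest(headers)}


if __name__ == "__main__":
    print("raw octets equal:   ", sha256_hex(XML_A) == sha256_hex(XML_B))
    print("canonicalized equal:", content_digest(XML_A, True) == content_digest(XML_B, True))
    print(references(HEADERS, XML_A, True))
```

Without the canonicalization step the two serializations of the same XML yield different digests, which is the signature gap the message describes; keeping the header digest in its own reference means the XML transform never has to run over MIME header octets.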

