OASIS Mailing List Archives

wss message


Subject: RE: [wss] Issue 399: Proposed Security Consideration Text


I would suggest changing the last sentence to the following.

Alternatives include (but are not limited to):
* Strict policy specification and enforcement regarding what parts
of messages are to be signed;
* References using Absolute Path XPath transforms in cases where the
receiver uses these transforms to validate the location of the signed
elements within the XML document; or
* A Reference using a URI to the soap:Envelope and XPath transforms to
include any significant location-dependent elements and exclude any
elements that might legitimately be removed, added, or altered by
intermediaries.
* Using only References to elements with location-independent semantics.

&Thomas.

] -----Original Message-----
] From: Michael McIntosh [mailto:mikemci@us.ibm.com]
] Sent: Thursday, June 02, 2005 11:48 AM
] To: wss@lists.oasis-open.org
] Subject: [wss] Issue 399: Proposed Security Consideration Text
] 
] Here is my proposal for the Security Consideration section:
] 
] Note that XML Signatures using Shorthand XPointer References protect
] against the removal and modification of XML elements. XML Signatures using
] Shorthand XPointer References do not protect the location of the element
] within the XML Document. In the general case of XML Documents and
] Signatures, this issue may be resolved by signing the entire XML Document
] and/or strict XML Schema specification and enforcement. SOAP encourages a
] relatively lax Schema (especially with respect to Header blocks), and an
] Intermediary processing model where elements may be added and removed
] along the Message Path. Therefore, signing the entire SOAP Envelope and
] strict XML Schema enforcement are not desirable solutions. Alternatives
] include (but are not limited to):
]         Strict policy specification and enforcement regarding what parts
] of messages MUST/MAY to be signed,
]         References using Absolute Path XPath expressions.
] 
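
Added example, not part of the original messages or of the WSS specification: a receiver-side policy check in the spirit of the alternatives listed above, showing that a reference resolved by wsu:Id alone succeeds wherever the element sits, while a location check accepts it only as the soap:Body that is actually processed. Signature verification itself is assumed to happen elsewhere; the function names, the ex: namespace and both sample envelopes are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
WSU_ID = "{%s}Id" % WSU

def resolve_id(root, ref_uri):
    """Resolve '#id' by wsu:Id alone, as a Shorthand XPointer does (position ignored)."""
    if not ref_uri.startswith("#"):
        raise ValueError("not a same-document Id reference")
    hits = [e for e in root.iter() if e.get(WSU_ID) == ref_uri[1:]]
    if len(hits) != 1:
        raise ValueError("Id matched %d elements" % len(hits))
    return hits[0]

def signed_body_is_processed_body(root, ref_uri):
    """Receiver policy: the referenced element must be the single soap:Body
    child of the soap:Envelope root, i.e. the element that gets processed."""
    if root.tag != "{%s}Envelope" % SOAP:
        return False
    bodies = root.findall("{%s}Body" % SOAP)  # direct children only
    if len(bodies) != 1:
        return False
    try:
        return resolve_id(root, ref_uri) is bodies[0]
    except ValueError:
        return False

# Constructed sample messages (signature elements omitted; ex: names are made up).
NS = 'xmlns:soap="%s" xmlns:wsu="%s" xmlns:ex="urn:example"' % (SOAP, WSU)
IN_PLACE = ET.fromstring(
    '<soap:Envelope %s><soap:Header/>'
    '<soap:Body wsu:Id="body-1"><ex:Order>1</ex:Order></soap:Body>'
    '</soap:Envelope>' % NS)
RELOCATED = ET.fromstring(
    '<soap:Envelope %s><soap:Header><ex:Holder>'
    '<soap:Body wsu:Id="body-1"><ex:Order>1</ex:Order></soap:Body>'
    '</ex:Holder></soap:Header>'
    '<soap:Body><ex:Order>2</ex:Order></soap:Body>'
    '</soap:Envelope>' % NS)

if __name__ == "__main__":
    for name, doc in (("in place", IN_PLACE), ("relocated", RELOCATED)):
        found = resolve_id(doc, "#body-1").tag.endswith("}Body")
        print(name, "| Id resolves:", found,
              "| location ok:", signed_body_is_processed_body(doc, "#body-1"))
```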


