Subject: RE: [wss] Issue 399: Proposed Security Consideration Text
I would suggest changing the last sentence to the following.

Alternatives include (but are not limited to):

* Strict policy specification and enforcement regarding what parts of messages are to be signed;
* References using Absolute Path XPath transforms in cases where the receiver uses these transforms to validate the location of the signed elements within the XML document; or
* A Reference using a URI to the soap:Envelope and XPath transforms to include any significant location-dependent elements and exclude any elements that might legitimately be removed, added, or altered by intermediaries.
* Using only References to elements with location-independent semantics.

&Thomas.

] -----Original Message-----
] From: Michael McIntosh [mailto:mikemci@us.ibm.com]
] Sent: Thursday, June 02, 2005 11:48 AM
] To: wss@lists.oasis-open.org
] Subject: [wss] Issue 399: Proposed Security Consideration Text
]
] Here is my proposal for the Security Consideration section:
]
] Note that XML Signatures using Shorthand XPointer References protect
] against the removal and modification of XML elements. XML Signatures using
] Shorthand XPointer References do not protect the location of the element
] within the XML Document. In the general case of XML Documents and
] Signatures, this issue may be resolved by signing the entire XML Document
] and/or strict XML Schema specification and enforcement. SOAP encourages a
] relatively lax Schema (especially with respect to Header blocks), and an
] Intermediary processing model where elements may be added and removed
] along the Message Path. Therefore, signing the entire SOAP Envelope and
] strict XML Schema enforcement are not desirable solutions. Alternatives
] include (but are not limited to):
] Strict policy specification and enforcement regarding what parts
] of messages MUST/MAY be signed,
] References using Absolute Path XPath expressions.
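To make the point of the thread concrete, here is an added example (not code from the thread, the WSS TC, or any WSS implementation) of the "strict policy specification and enforcement" alternative. A Shorthand XPointer Reference (URI="#id") is resolved by wsu:Id alone, so the check below resolves each ds:Reference exactly that way and then compares the absolute path of the element it lands on against a receiver-side policy of where signed parts are required to sit. The SOAP, XML Signature and WSS utility namespaces are the real ones; the policy paths, the two sample envelopes, and all function names are constructed for this example, and the code assumes the cryptographic verification of each Reference has already been done elsewhere.

```python
"""Location policy check for Id-referenced XML Signature References.

Added example (not from the OASIS WSS thread). Assumes the cryptographic
verification of every ds:Reference has already passed; this step only
enforces *where* each signed element sits inside the soap:Envelope.
"""
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")

# Policy, constructed for this example: absolute paths (Clark notation) that
# a Reference may resolve to, and which of them must be covered by a signature.
ALLOWED_PATHS = {"/{%s}Envelope/{%s}Body" % (SOAP, SOAP)}
REQUIRED_PATHS = set(ALLOWED_PATHS)


def absolute_path(elem, parents):
    """Build elem's absolute path from a child->parent map (the root has none)."""
    parts = []
    while elem is not None:
        parts.append(elem.tag)
        elem = parents.get(elem)
    return "/" + "/".join(reversed(parts))


def resolve_shorthand_xpointer(root, uri):
    """Dereference URI='#id' purely by wsu:Id, as an Id-based lookup does:
    the element's position plays no part. All matches are returned so that a
    duplicated Id is detected instead of silently resolving to the first one."""
    wanted = uri[1:] if uri.startswith("#") else uri
    return [el for el in root.iter() if el.get("{%s}Id" % WSU) == wanted]


def check_signed_locations(xml_text, allowed=ALLOWED_PATHS, required=REQUIRED_PATHS):
    """Return (ok, findings). ok is False if any Reference resolves to a
    location outside the policy, an Id is missing or duplicated, or a
    required location is left uncovered by every Reference."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    covered, findings = set(), []
    for ref in root.iter("{%s}Reference" % DS):
        uri = ref.get("URI", "")
        matches = resolve_shorthand_xpointer(root, uri)
        if len(matches) != 1:
            findings.append("%s: %d elements carry this Id" % (uri, len(matches)))
            continue
        path = absolute_path(matches[0], parents)
        if path in allowed:
            covered.add(path)
        else:
            findings.append("%s: signed element at unexpected location %s" % (uri, path))
    for path in sorted(required - covered):
        findings.append("required location %s is not covered by any Reference" % path)
    return (not findings, findings)


# Constructed sample: the Body carries wsu:Id="body" and sits where policy expects.
GOOD = (
    '<soap:Envelope xmlns:soap="%s" xmlns:ds="%s" xmlns:wsu="%s">'
    '<soap:Header><ds:Signature><ds:SignedInfo>'
    '<ds:Reference URI="#body"/></ds:SignedInfo></ds:Signature></soap:Header>'
    '<soap:Body wsu:Id="body"><getBalance account="1"/></soap:Body>'
    '</soap:Envelope>' % (SOAP, DS, WSU))

# Constructed sample of the situation the thread describes: the element the
# Reference points at is intact (so its digest still matches) but has been
# relocated under the Header, and an unsigned element now occupies the Body
# position. An Id-only dereference cannot tell the two messages apart.
MOVED = (
    '<soap:Envelope xmlns:soap="%s" xmlns:ds="%s" xmlns:wsu="%s">'
    '<soap:Header><ds:Signature><ds:SignedInfo>'
    '<ds:Reference URI="#body"/></ds:SignedInfo></ds:Signature>'
    '<Wrapper><soap:Body wsu:Id="body"><getBalance account="1"/></soap:Body></Wrapper>'
    '</soap:Header>'
    '<soap:Body><getBalance account="2"/></soap:Body>'
    '</soap:Envelope>' % (SOAP, DS, WSU))

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("moved", MOVED)):
        ok, findings = check_signed_locations(doc)
        print(label, "accepted" if ok else "rejected", findings)
```

Both findings matter: the relocated element is rejected because its absolute path is not one the policy allows, and the message is also rejected because the required Body location is left uncovered by any Reference. Returning the full list rather than stopping at the first problem keeps the check useful as a diagnostic when a legitimate intermediary has simply moved a header block.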