Subject: RE: [ebxml-msg] Signing SOAP with Attachments Messages Transform Confusion


Theo has called attention to a confusion in the AS4 specification concerning signatures over SWA attachments in section 5.1.5. Some history on the WSS-SWA versions, ebMS core, and the AS4 profile is useful to recall.

WSS-SWA existed in a 1.0 version form until draft 21 on 6 June 2005. The first Oasis approved standard was version 1.1 on 1 Feb 2006. An update version 1.1.1 was approved as an OASIS standard on 18 May 2012. The URIs used for SWA identifiers and transform identifiers changed between 1.0 and 1.1, but appear unchanged in 1.1.1.

ebMS 3 section 7.3 ( 1 Oct 2007) references WSS 1.1 as the basis for building signatures. No references to WSS-SWA appear to be included in ebMS 3 core! [The transform URIs occur in the examples in 7.9.2 and elsewhere, but no references to the specification...]

In AS4 section 5.1.5 that Theo notices we find

"Profiling Rule (a): AS4 MSH implementations are REQUIRED to use the Attachment-Content-Only transform when building application payloads using SOAP with Attachments [SOAPATTACH]. The Attachment-Complete transform is not supported by this profile."

In the 1.1 version of WSS-SWA, in section 5.2.2 concerning encryption processing, step 3 says:

3. Set the <xenc:EncryptedData> Type attribute value to a URI that specifies adherence to this profile and that specifies what was encrypted (MIME content or entire MIME part including headers). The following URIs MUST be used for this purpose:

Content Only: 
http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Content-Only

Content and headers: 
http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Complete

The above identifiers are not really identifying "transforms" but mainly conformance to the WSS-SWA profile concerning what has been encrypted in the attachment (entity part minus the headers, or the whole entity part (headers plus body)).

More important, AS4 section 5.1.5 is about signing attachments. But the above URIs are values pertaining to what is encrypted! So 5.1.5 profiling rule (a) should really be in section 5.1.6 of AS4. This needs to be fixed.

So what URIs are involved when dealing with signatures of attachments? WSS-SWA does specify URIs that indicate actual transforms for the octets that are to be signed in sections 5.3.1 and 5.3.2.

"5.3.1 The Attachment-Content-Signature-Transform indicates that only the content of a MIME part is referenced for signing. This transform MUST be identified using the URI value:

http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Content-Signature-Transform

"5.3.2 The Attachment-Complete-Signature-Transform indicates that both the content and selected headers of the MIME part are referenced for signing. This transform MUST be identified using the URI value:

http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Complete-Signature-Transform

The transform to be used in AS4 should be (in my opinion) the http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Content-Signature-Transform transform of section 5.3.1.

So the previous transform should be mentioned and replace what was said in the profiling rule of section 5.1.5.


[This is also the one referenced in AS4 section 5.1.8 when we discuss signing receipts.]


If there is consensus, we should also correct the bibliography to mention the WSS-SWA profiles in ebMS core.


Thanks to Theo for reminding me about this!

At the next meeting, if people agree, we can open an issue containing Theo's questions and my observations in our jira.


Dale Moberg


=========
Theo's original observation:

"There seems to be some confusion in the AS4 profile regarding the transforms used in signing SWA messages

Section 5.1.5 of the AS4 profile reads as follows

  Specification Reference: ebMS v3.0 Core Specification, Section 7.3

  Profiling Rule (a): AS4 MSH implementations are REQUIRED to use the Attachment-Content-Only transform when building application payloads using SOAP with Attachments [SOAPATTACH]. The Attachment-Complete transform is not supported by this profile.

And section 7.3 of the core spec reads as follows

  Application payloads that are built in conformance with the [SOAPATTACH] specification may be signed. To sign a SOAP with Attachment message the Security element must be built in accordance with WSS 1.1. It is REQUIRED that compliant MSH implementations support the Attachment-Content-Only transform. It is RECOMMENDED that compliant MSH implementations support the Attachment-Complete transform. To ensure the integrity of the user-specified payload data and ebMS headers it is RECOMMENDED that the entire eb:Messaging Container Element, and all MIME Body parts of included payloads are included in the signature.

Yet section 5.1.8 of the AS4 Profile reads as follows

  When signed receipts are requested in AS4 that make use of default conventions, the Sending message handler (i.e. the MSH sending messages for which signed receipts are expected) MUST identify message parts (referenced in eb:PartInfo elements in the received User Message) and MUST sign the SOAP body and all attachments using the http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Content-Signature-Transform.

and section 5.3.1 of the wss-v1.1 spec refers to the attachment-content-signature and attachment-complete-signature transforms only

Further thoughts and clarification on the right canonicalisation transforms (and final URIs for these) would be most welcome."
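As an added illustration (not part of this message or of any OASIS specification), the following Python check classifies the transforms declared on cid: attachment references in a ds:Signature, separating the WSS-SWA 1.1 signature transforms of sections 5.3.1 and 5.3.2 from the xenc:EncryptedData Type identifiers of section 5.2.2 that the AS4 5.1.5 wording mixes up with them. The ds:Signature fragment is constructed for the example; only the URIs quoted above are real.

```python
"""Classify SwA attachment references in a WS-Security signature (added example)."""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SWA = "http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#"
# Transforms WSS-SWA 1.1 defines for signing (sections 5.3.1 / 5.3.2)
CONTENT_SIG = SWA + "Attachment-Content-Signature-Transform"
COMPLETE_SIG = SWA + "Attachment-Complete-Signature-Transform"
# Identifiers WSS-SWA 1.1 defines for the xenc:EncryptedData Type attribute (section 5.2.2)
ENC_TYPE_URIS = {SWA + "Attachment-Content-Only", SWA + "Attachment-Complete"}


def check_attachment_references(signature_xml: str) -> dict:
    """Return {reference URI: verdict} for every cid: reference in a ds:Signature.

    "ok"                          Content-Signature-Transform, what AS4 5.1.8 requires
    "complete-transform"          valid WSS-SWA transform, but excluded by the AS4 profile
    "encryption-type-as-transform" an encryption Type URI misused as a transform
    "no-swa-transform"            no WSS-SWA transform at all on an attachment reference
    """
    root = ET.fromstring(signature_xml)
    verdicts = {}
    for ref in root.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        if not uri.startswith("cid:"):
            continue  # SOAP Body / eb:Messaging references are not SwA attachments
        algs = [t.get("Algorithm") for t in ref.iter(f"{{{DS}}}Transform")]
        if CONTENT_SIG in algs:
            verdicts[uri] = "ok"
        elif COMPLETE_SIG in algs:
            verdicts[uri] = "complete-transform"
        elif any(a in ENC_TYPE_URIS for a in algs):
            verdicts[uri] = "encryption-type-as-transform"
        else:
            verdicts[uri] = "no-swa-transform"
    return verdicts


# Constructed sample: one SOAP Body reference and three attachment references
SAMPLE = f"""<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>
 <ds:Reference URI="#body"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms></ds:Reference>
 <ds:Reference URI="cid:payload1"><ds:Transforms><ds:Transform Algorithm="{CONTENT_SIG}"/></ds:Transforms></ds:Reference>
 <ds:Reference URI="cid:payload2"><ds:Transforms><ds:Transform Algorithm="{SWA}Attachment-Content-Only"/></ds:Transforms></ds:Reference>
 <ds:Reference URI="cid:payload3"><ds:Transforms><ds:Transform Algorithm="{COMPLETE_SIG}"/></ds:Transforms></ds:Reference>
</ds:SignedInfo></ds:Signature>"""

if __name__ == "__main__":
    for uri, verdict in check_attachment_references(SAMPLE).items():
        print(uri, verdict)
```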

