OASIS Mailing List Archives

wss message



Subject: New Issue: Signature Confirmation



During security analysis of SOAP message security a general issue was
identified where it would be advantageous in response messages to be
able to indicate the signature of the received request message.  This
general area has been previously discussed in the TC, and with the
additional feedback it seemed worthwhile to suggest a possible mechanism
for addressing it for the TC to consider.

In a nutshell, SOAP Message security defines a general mechanism based
on XML Signature for signing elements of the SOAP envelope. However, in
certain message exchange patterns, such as a request followed by a
response message, it is necessary (or desirable) for the initiator to
confirm that the message received was generated in response to a message
it initiated. This serves to establish agreement between the initiator
and the responder as to the content of the request message that prompted
the associated response message.    

The attached proposal pulled together by some TC members defines a very
straightforward mechanism for communicating this information which
integrates with SOAP message security.  This entails adding a new
confirmation element at the SOAP security header level which contained
the signature of the request message and would be signed in confirmation
responses from the receiving node.   

We ask that the TC consider addressing this scenario and consider using
this input material. 
 <<SignatureConfirmation.doc>> 

Vijay
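
Added example, not part of the original message or the attached proposal: an initiator-side check that a response confirms the signature value sent in the request and that the confirmation element is itself covered by the response signature. The element name `SignatureConfirmation`, its `Value` attribute and the namespaces follow the form later published in WSS SOAP Message Security 1.1 and are assumptions here; the sample envelopes are constructed and simplified.

```python
import xml.etree.ElementTree as ET

# Namespaces as later published in WSS 1.1 / XML Signature (assumed here).
DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE11 = "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
NS = {"ds": DS, "wsse11": WSSE11}

def _norm(text):
    """Strip the whitespace base64 values may be wrapped with."""
    return "".join((text or "").split())

def sent_signature_values(request_xml):
    """Every ds:SignatureValue the initiator put in its request."""
    root = ET.fromstring(request_xml)
    return [_norm(e.text) for e in root.iterfind(".//ds:SignatureValue", NS)]

def confirmation_matches(sent_values, response_xml):
    """True only if the response confirms exactly the signatures sent (signed
    requests only) and each confirmation element is covered by a ds:Reference
    of the response signature. Cryptographic verification of that signature
    must already have succeeded in the XML Signature layer."""
    root = ET.fromstring(response_xml)
    signed = {r.get("URI") for r in root.iterfind(".//ds:SignedInfo/ds:Reference", NS)}
    confirmed = []
    for conf in root.iterfind(".//wsse11:SignatureConfirmation", NS):
        conf_id = conf.get("{%s}Id" % WSU)
        if not conf_id or "#" + conf_id not in signed:
            return False  # an unsigned confirmation proves nothing
        confirmed.append(_norm(conf.get("Value")))
    return bool(sent_values) and sorted(confirmed) == sorted(sent_values)

# Constructed, simplified sample messages (not captured traffic).
REQUEST = f"""<Envelope xmlns:ds="{DS}"><Header><Security><ds:Signature>
<ds:SignatureValue>kpRyejY4uxwT9I74FYv8nQ==</ds:SignatureValue>
</ds:Signature></Security></Header></Envelope>"""

def sample_response(value, ref="#SC-1"):
    return f"""<Envelope xmlns:ds="{DS}" xmlns:wsse11="{WSSE11}" xmlns:wsu="{WSU}">
<Header><Security>
<wsse11:SignatureConfirmation wsu:Id="SC-1" Value="{value}"/>
<ds:Signature><ds:SignedInfo><ds:Reference URI="{ref}"/></ds:SignedInfo></ds:Signature>
</Security></Header></Envelope>"""

if __name__ == "__main__":
    sent = sent_signature_values(REQUEST)
    print(confirmation_matches(sent, sample_response(sent[0])))           # matching, signed
    print(confirmation_matches(sent, sample_response("AAAA")))            # other request
    print(confirmation_matches(sent, sample_response(sent[0], "#Body")))  # not signed
```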
