Subject: New Issue: Signature Confirmation
During security analysis of SOAP message security a general issue was identified where it would be advantageous in response messages to be able to indicate the signature of the received request message. This general area has been previously discussed in the TC, and with the additional feedback it seemed worthwhile to suggest a possible mechanism for addressing it for the TC to consider.

In a nutshell, SOAP Message security defines a general mechanism based on XML Signature for signing elements of the SOAP envelope. However, in certain message exchange patterns, such as a request followed by a response message, it is necessary (or desirable) for the initiator to confirm that the message received was generated in response to a message it initiated. This serves to establish agreement between the initiator and the responder as to the content of the request message that prompted the associated response message.

The attached proposal pulled together by some TC members defines a very straightforward mechanism for communicating this information which integrates with SOAP message security. This entails adding a new confirmation element at the SOAP security header level which contained the signature of the request message and would be signed in confirmation responses from the receiving node.

We ask that the TC consider addressing this scenario and consider using this input material.

<<SignatureConfirmation.doc>>

Vijay
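
An added example, not part of the original message or the attached proposal: the initiator-side check the message describes, in Python. The element and attribute names (`wsse11:SignatureConfirmation`, `Value`) follow WS-Security 1.1 and are an assumption here, since the message names no element; the function assumes the response signature was already verified cryptographically, and the sample envelope is constructed.

```python
import xml.etree.ElementTree as ET

# Namespaces: SOAP 1.1, WSS secext 1.0 / 1.1, WSS utility, XML Signature.
NS = {
    "s": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsse11": "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

def norm(b64):
    """Base64 may be line-wrapped in XML; compare without whitespace."""
    return "".join((b64 or "").split())

def check_confirmation(response_xml, sent_values):
    """Assumes the response ds:Signature was ALREADY verified by an XML-DSig library.
    sent_values: SignatureValue strings of the request this initiator sent."""
    sec = ET.fromstring(response_xml).find("s:Header/wsse:Security", NS)
    if sec is None:
        return False, "no Security header"
    refs = sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    signed_ids = {r.get("URI", "")[1:] for r in refs if r.get("URI", "").startswith("#")}
    confirmed = set()
    for conf in sec.findall("wsse11:SignatureConfirmation", NS):
        # An unsigned confirmation proves nothing: anyone on the path could add it.
        if conf.get(WSU_ID) not in signed_ids:
            return False, "confirmation not covered by response signature"
        confirmed.add(norm(conf.get("Value")))
    sent = {norm(v) for v in sent_values}
    if sent - confirmed:
        return False, "request signature not confirmed"
    if confirmed - sent:
        return False, "response confirms a signature we did not send"
    return True, "ok"

def make_response(value, ref="#sc1"):
    """Constructed sample response envelope (signature bytes are dummies)."""
    decl = " ".join('xmlns:%s="%s"' % kv for kv in NS.items())
    return ('<s:Envelope %s><s:Header><wsse:Security>'
            '<wsse11:SignatureConfirmation wsu:Id="sc1" Value="%s"/>'
            '<ds:Signature><ds:SignedInfo><ds:Reference URI="%s"/></ds:SignedInfo>'
            '<ds:SignatureValue>ZHVtbXk=</ds:SignatureValue></ds:Signature>'
            '</wsse:Security></s:Header><s:Body/></s:Envelope>' % (decl, value, ref))

SENT = "kpRyejY4uxwT9I74FYv8nQ=="  # constructed request SignatureValue
```

The reference check only confirms that the response signature claims to cover the confirmation element; resolving that reference and validating the digest remains the job of the XML Signature verification step that runs first.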