- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Component/s: Core Spec
- Labels: None
Proposal:
According to section 5.2.2.12, it is possible to reference payload parts outside the ebMS envelope, e.g. a static file on a Web server or some data in a cloud storage service. This is a useful feature as it allows a sender to send a small message that references possibly huge payloads. The receiver could download those payloads at a time that is convenient for them. We have had requests for this feature in the past, and it is functionality of some proprietary protocols. But the feature is underspecified in the core spec.
In D.3.6, it is possible to express that parts of the SOAP envelope or attachments are to be signed, but it is not possible to specify that parts outside the ebMS envelope are to be signed using PMode[1].Security.Sign. It is useful to be able to sign those payloads, so non-repudiation covers those payloads as well. Similarly, a signed receipt could then acknowledge that the receiver has downloaded the referenced parts and validated that the digest of those parts is valid. (Since the payloads may be large, such receipts should be sent asynchronously, giving the receiver time to download the parts.)
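
The digest check a receiver would run before issuing such a receipt, as an added example that is not part of the original issue or of the ebMS specification. It assumes external parts appear as `ds:Reference` elements with an absolute URI in the signature's `SignedInfo` (the issue notes the core spec leaves this underspecified), and it checks reference digests only, not the signature value. The URIs, payloads and the `open_stream` callback are constructed for illustration.

```python
import base64, hashlib, hmac, io
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
DIGESTS = {SHA256: "sha256", "http://www.w3.org/2001/04/xmlenc#sha512": "sha512"}

def external_references(signed_info_xml):
    """Yield (uri, hashlib_name, digest_bytes) for parts outside the message."""
    for ref in ET.fromstring(signed_info_xml).iter(DS + "Reference"):
        uri = ref.get("URI", "")
        if uri == "" or uri.startswith(("#", "cid:")):
            continue  # SOAP envelope part or MIME attachment, not external
        alg = ref.find(DS + "DigestMethod").get("Algorithm")
        if alg not in DIGESTS:
            raise ValueError("unsupported digest algorithm: %s" % alg)
        yield uri, DIGESTS[alg], base64.b64decode(ref.find(DS + "DigestValue").text.strip())

def verify_external_parts(signed_info_xml, open_stream, chunk=64 * 1024):
    """Return {uri: bool}. open_stream(uri) must return a binary file-like object."""
    results = {}
    for uri, name, expected in external_references(signed_info_xml):
        h = hashlib.new(name)
        with open_stream(uri) as stream:
            # Stream in chunks so a huge payload is never held in memory.
            for block in iter(lambda: stream.read(chunk), b""):
                h.update(block)
        results[uri] = hmac.compare_digest(h.digest(), expected)
    return results

# Constructed sample data: two external payloads as they were when signed.
SIGNED = {"https://files.example.com/invoice.pdf": b"invoice bytes " * 1000,
          "https://files.example.com/catalog.zip": b"catalog bytes " * 1000}
# What the simulated external store serves later: one payload was altered.
STORE = dict(SIGNED)
STORE["https://files.example.com/catalog.zip"] += b"tampered"

def build_signed_info(parts):
    """Build a constructed ds:SignedInfo with one in-message and N external refs."""
    ref = ('<ds:Reference URI="%s"><ds:DigestMethod Algorithm="' + SHA256 + '"/>'
           '<ds:DigestValue>%s</ds:DigestValue></ds:Reference>')
    refs = [ref % ("#body", "AAAA")] + [
        ref % (uri, base64.b64encode(hashlib.sha256(data).digest()).decode())
        for uri, data in parts.items()]
    return ('<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
            + "".join(refs) + "</ds:SignedInfo>")

def demo():
    return verify_external_parts(build_signed_info(SIGNED), lambda u: io.BytesIO(STORE[u]))
```

A receiver would issue the signed receipt only when every entry in the returned mapping is true, and only after the signature over `SignedInfo` itself has been verified.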