Uploaded image for project: 'OASIS ebXML Messaging Services TC'
  1. OASIS ebXML Messaging Services TC
  2. EBXMLMSG-25

5.1.5 Signing SOAP with Attachments Messages Transform Confusion

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: Applied
    • Priority: Major
    • Resolution: Fixed
    • Component/s: AS4 Profile
    • Labels:
      None
    • Proposal:
      Hide

      The transform to be used in profiling rule (a) of section 5.1.5 of the AS4 Profile should be http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Content-Signature-Transform as per the
      transform in section 5.3.1 of the wss-v1.1 (and wss-v1.1.1) spec.

      Show
      The transform to be used in profiling rule (a) of section 5.1.5 of the AS4 Profile should be http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Content-Signature-Transform as per the transform in section 5.3.1 of the wss-v1.1 (and wss-v1.1.1) spec.

      Description

      WSS-SWA existed in a 1.0 version form until draft 21 on 6 June 2005. The first Oasis approved standard was version 1.1 on 1 Feb 2006. An update version 1.1.1 was approved as an OASIS standard on 18 May 2012. The URIs used for SWA identifiers and transform identifiers changed between 1.0 and 1.1, but appear unchanged in 1.1.1.

      ebMS 3 section 7.3 ( 1 Oct 2007) references WSS 1.1 as the basis for building signatures. No references to WSS-SWA appear to be included in ebMS 3 core! [The transform URIs occur in the examples in 7.9.2 and elsewhere, but no references to the specification...]

      In AS4 section 5.1.5 we find

      "Profiling Rule (a): AS4 MSH implementations are REQUIRED to use the Attachment-Content-Only transform when building application payloads using SOAP with Attachments [SOAPATTACH]. The Attachment-Complete transform is not supported by this profile."

      In both the 1.1 version of WSS-SWA, in the section 5.2.2 concerning encryption processing, step 3 says:

      3. Set the <xenc:EncryptedData> Type attribute value to a URI that specifies adherence to this profile and that specifies what was encrypted (MIME content or entire MIME part including headers). The following URIs MUST be used for this purpose:

      Content Only:
      http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Content-Only

      Content and headers:
      http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Complete

      The above identifiers are not really identifying "transforms" but mainly conformance to the WSS-SWA profile concerning what has been encrypted in the attachment (entity part minus the headers or the whole entity part (headers plus body))

      So what URIs are involved when dealing with signatures of attachments? WSS-SWA does specify URIs that indicate actual transforms for the octets that are to be signed in sections 5.3.1 and 5.3.2.

      "5.3.1 The Attachment-Content-Signature-Transform indicates that only the content of a MIME part is referenced for signing. This transform MUST be identified using the URI value:

      http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Content-Signature-Transform

      "5.3.2 The Attachment-Complete-Signature-Transform indicates that both the content and selected headers of the MIME part are referenced for signing. This transform MUST be identified using the URI value:

      http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Complete-Signature-Transform

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              theo Theo Kramer (Inactive)
            • Watchers:
              0 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: