Summary of the issue around WSS1.0/1.1 and (high level) proposal:
Issue:
- Not many WSS1.1 implementations out there, compared to WSS1.0. Not much hint on upgrades to come (e.g. WSS4J).
- but security of attachments is supported by WSS1.1, not 1.0.
Proposal:
(1) the body of the specification will describe support for both WSS1.0 and WSS1.1, along with the basic rule that over req-resp MEPs, the response must reuse by default the same version as the request.
(2) The gateway conformance profile (GCP1) will require support for both WSS1.0 and WSS1.1. In particular, WSS1.1 is required when signing attachments. Double support is generally not an issue: the advanced version also supports a previous version.
(3) In the run-time agreement - meaning at MSH level in the processing mode - the WSS version to be used for a business transaction between 2 partners is specified in the associated P-mode. This means that implementations that do not fully conform to GCP1 and only support WSS1.0 can still control their interoperability space by means of the P-mode - e.g. only accepting - or requiring - agreements (and P-modes) with WSS1.0.
So which WSS version to use will be a parameter of the agreement between 2 parties. All MSHs will support WSS1.0 when sending/receiving, so this is the baseline for interoperability. Those transactions that need attachment security will specify this as part of the agreement / P-mode. It automatically means using WSS1.1. Over time, more MSHs will "fully conform" to GCP1, and support for WSS1.0 will be deprecated, without a need to upgrade the spec or the conformance profile.
Jacques
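
The version rule proposed above, as an added sketch that is not part of the original message or of any ebMS implementation. The `PMode` class, its field names, and the rejection of a request whose WSS version differs from the agreed one are assumptions made for illustration.

```python
from dataclasses import dataclass

WSS10, WSS11 = "1.0", "1.1"


class AgreementError(Exception):
    """Raised when a P-mode cannot be honoured by this MSH."""


@dataclass(frozen=True)
class PMode:
    # Hypothetical, simplified P-mode: only the two fields the proposal discusses.
    wss_version: str
    attachment_security: bool = False


def agreed_version(pmode, supported):
    """WSS version a transaction under this P-mode must use, or AgreementError."""
    if pmode.wss_version not in (WSS10, WSS11):
        raise AgreementError(f"unknown WSS version {pmode.wss_version!r}")
    # Attachment security is only available in WSS1.1, so it forces that version.
    if pmode.attachment_security and pmode.wss_version != WSS11:
        raise AgreementError("attachment security requires WSS1.1")
    # An MSH that only supports WSS1.0 declines agreements it cannot process.
    if pmode.wss_version not in supported:
        raise AgreementError(f"WSS{pmode.wss_version} not supported by this MSH")
    return pmode.wss_version


def response_version(pmode, supported, request_version):
    """Request-response MEP: the response reuses the request's WSS version."""
    agreed = agreed_version(pmode, supported)
    # Assumption: a request that deviates from the agreement is rejected
    # rather than answered, so a sender cannot silently lower the version.
    if request_version != agreed:
        raise AgreementError(
            f"request used WSS{request_version}, P-mode agrees WSS{agreed}")
    return request_version


if __name__ == "__main__":
    full_gcp1 = {WSS10, WSS11}  # constructed sample capabilities
    legacy = {WSS10}
    print(agreed_version(PMode(WSS10), legacy))
    print(response_version(PMode(WSS11, True), full_gcp1, WSS11))
    try:
        agreed_version(PMode(WSS11, True), legacy)
    except AgreementError as err:
        print("declined:", err)
```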