This suggests that maybe we *do* need an enclosing element
on the Signature à la SOAP-SEC [1] and now WS-Security [2]
that would allow for an actor attribute and possibly a mustUnderstand.
It also might allow for us to explicitly identify which signature
element signs the message, distinguishing it from others that
may be applied for other purposes such as signing of SAML
assertions, etc.
Chris
PEDRETTI,BRUCE (HP-NewJersey,ex2) wrote:
> It may not be necessary to require IMs to Ack separately. The transform we
> currently allow excludes the nodes the IMs may modify in transit. These
> excluded nodes could have their own separate signature that signs only those
> things the IMs need to modify (Via, Acknowledgement). (The signature
> information must be enveloped by the element it signs.) This way, the
> intermediate signature can be "peeled away" without affecting any
> end-to-end signed information. Further, IMs may have the confidence they
> require in the information they are acting upon. Allowing this separate
> signature should not affect anything else.
>
> ============================================
> Bruce Pedretti Hewlett-Packard Company
> Software Developer 6000 Irwin Road
> (856) 638-6060 Mt. Laurel, NJ 08054
> http://www.hp.com/
> ============================================