OASIS ebXML Messaging Services TC

Re: [ebxml-msg] Groups - Security Concern - Bullet Items

    Posted 03-02-2006 23:17




    Here is the list of security sections bullet items I promised to put 
    together. I reserve the right to add to the list after thinking about 
    this subject some more.
    
    - Message signature and encryption are specified in WSS1.0 and WSS1.1.
    
    - The structure and content of the Security element MUST conform to 
    Web Services Security 1.0 or Web Services Security 1.1, depending on 
    the conformance profile being utilized.
    
    - To promote interoperability the security element MUST conform to the 
    WS-I Basic Security Profile Version 1.0, and the WS-I Attachments 
    Profile Version 1.0.
    
    - It is not clear to me if we are requiring Security support in all 
    compliant MSHs. If required, the spec should read - Support for the X.509 
    Certificate Token Profile and Username Token Profile is REQUIRED. 
    If Security support is not required, then RECOMMENDED should be stated.
    
    - It is RECOMMENDED that the eb:Messaging Container Element, the SOAP 
    Body, and all attachments be included in the signature.
    
    - As outlined in WS-I Basic Security Profile, support for Detached 
    Signatures is REQUIRED. An MSH implementation MAY support Enveloped 
    Signatures as defined in the XML Signature Specification. Enveloped 
    Signatures add an additional level of security in preventing the 
    addition of XML elements to the SOAP Header. Enveloped Signatures may 
    limit the ability of intermediaries to process messages.
    
    - It is REQUIRED that compliant MSH implementations support the 
    Attachment-Content-Only transform. It is RECOMMENDED that compliant MSH 
    implementations support the Attachment-Complete transform.
    
    - An MSH implementation may encrypt the eb:Messaging Container Element. 
    The eb:PartyInfo section may be used to aid in message routing before 
    decryption has occurred. It is RECOMMENDED that the eb:PartyInfo 
    elements not be encrypted.
    
    - When both signature and encryption are required of the MSH, sign first 
    and then encrypt.
    
    Ric
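The last three bullets above (sign the eb:Messaging container and the SOAP Body, leave eb:PartyInfo unencrypted so routing can happen before decryption, and sign before encrypting) can be exercised end to end on a toy envelope. The following Python is an added illustration, not code from the ebMS specification, the TC or any MSH product: HMAC-SHA256 stands in for the XML Signature, an HMAC-derived keystream stands in for XML Encryption, the `urn:example:ebms` namespace and the unqualified `Security`/`EncryptedData` element names are hypothetical, and the keys and message are constructed sample data.

```python
"""Sign-then-encrypt for an ebXML-style SOAP envelope, eb:PartyInfo left in clear.

Added illustration only, not ebMS or WS-Security code. HMAC-SHA256 stands in
for the XML Signature and an HMAC-derived keystream for XML Encryption; both
are toys that show ordering and routing behaviour, nothing more.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://www.w3.org/2003/05/soap-envelope"
EB = "urn:example:ebms"  # hypothetical, not the real ebMS namespace URI
NSMAP = {"soap": SOAP, "eb": EB}
ET.register_namespace("soap", SOAP)
ET.register_namespace("eb", EB)


def q(ns, local):
    return "{%s}%s" % (ns, local)


def build_envelope(from_party, to_party, payload):
    """Constructed sample: eb:Messaging header with PartyInfo, plus a SOAP Body."""
    env = ET.Element(q(SOAP, "Envelope"))
    header = ET.SubElement(env, q(SOAP, "Header"))
    messaging = ET.SubElement(header, q(EB, "Messaging"))
    party = ET.SubElement(messaging, q(EB, "PartyInfo"))
    ET.SubElement(party, q(EB, "From")).text = from_party
    ET.SubElement(party, q(EB, "To")).text = to_party
    body = ET.SubElement(env, q(SOAP, "Body"))
    ET.SubElement(body, "Payload").text = payload
    return env


def serialize(elem):
    """Stand-in for C14N: both ends run the same serializer over the same tree."""
    return ET.tostring(elem, encoding="utf-8")


def signed_content(env):
    """Bytes the signature covers: the eb:Messaging container and the SOAP Body."""
    messaging = env.find("soap:Header/eb:Messaging", NSMAP)
    body = env.find("soap:Body", NSMAP)
    return serialize(messaging) + serialize(body)


def keystream_xor(data, key, nonce):
    """Toy stream cipher (HMAC-SHA256 in counter mode). Illustration only."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def protect(env, sig_key, enc_key, nonce):
    """Sign first, then encrypt the Body. PartyInfo stays readable for routing."""
    mac = hmac.new(sig_key, signed_content(env), hashlib.sha256).hexdigest()
    security = ET.SubElement(env.find("soap:Header", NSMAP), "Security")
    ET.SubElement(security, "Signature").text = mac
    body = env.find("soap:Body", NSMAP)
    plaintext = serialize(body)
    for child in list(body):
        body.remove(child)
    enc = ET.SubElement(body, "EncryptedData")
    enc.set("nonce", nonce.hex())
    enc.text = base64.b64encode(keystream_xor(plaintext, enc_key, nonce)).decode()
    return env


def route(env):
    """An intermediary reads the destination with no key at all."""
    return env.find("soap:Header/eb:Messaging/eb:PartyInfo/eb:To", NSMAP).text


def unprotect(env, sig_key, enc_key):
    """Decrypt, then verify. Returns the payload, or None if anything fails."""
    body = env.find("soap:Body", NSMAP)
    enc = body.find("EncryptedData")
    nonce = bytes.fromhex(enc.get("nonce"))
    plaintext = keystream_xor(base64.b64decode(enc.text), enc_key, nonce)
    try:
        restored = ET.fromstring(plaintext)
    except (ET.ParseError, ValueError):
        return None  # wrong key or corrupted ciphertext
    env.remove(body)
    env.append(restored)
    mac = env.find("soap:Header/Security/Signature", NSMAP).text
    expected = hmac.new(sig_key, signed_content(env), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # header or body altered after signing, e.g. PartyInfo/To
    return restored.find("Payload").text


if __name__ == "__main__":
    keys = (b"signing-key", b"encryption-key", b"\x01" * 8)  # constructed, not real
    msg = protect(build_envelope("urn:buyer", "urn:seller", "PO-1234"), *keys)
    print("routed to", route(msg), "before decryption")
    print("payload", unprotect(msg, keys[0], keys[1]))
```

Because the signature is computed over the eb:Messaging container before encryption, an intermediary can still read eb:PartyInfo/eb:To to route the message, but any change to that routing information is caught when the receiver decrypts and verifies. The receiver's order of operations is the mirror of the sender's: decrypt first, then check the signature over the recovered plaintext.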
    

