W3C home > Mailing lists > Public > public-xmlsec@w3.org > September 2008

Web Services Security Assumptions and Requirements

From: Hal Lockhart <hal.lockhart@oracle.com>
Date: Mon, 15 Sep 2008 16:58:46 -0400
To: "public-xmlsec@w3.org" <public-xmlsec@w3.org>
Message-ID: <20080915165846703.00000005552@hlockhar02>

Web Services Security

Assumptions

1. Message content will be provided and processed by multiple software components acting autonomously. The XML will make use of multiple namespaces, potentially with duplicate element names.

2. Messages may pass through multiple intermediary nodes which may add, subtract or alter content in either the SOAP header or body.

Requirements

1. Generally the ability to provide ephemeral authentication, integrity protection and confidentiality of message content including attachments, using a variety of technologies. In some cases, messages with signatures may be stored for purposes of non-repudiation.

2. Any or all of messages may be signed and/or encrypted zero or more times in any order. Signatures and encryptions may overlap. A receiver must be able to properly verify signatures and decrypt data in the proper order (assuming access to the necessary secrets or trust points) based on nothing but the message.

3. It must be possible to determine whether the correct portions of the message have been signed and encrypted with the correct keys according to policy.

4. To the extent possible allowed by the ordering of data and cryptographic operations it should be possible for a sender or a receiver to perform processing in a single pass over the message.

Hal
Received on Monday, 15 September 2008 20:59:50 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:43:54 GMT