How to use SOAP with Licenses

Policy wonks, (Rigo and Jan please read until the end...)

Do any of you have knowledge of how to structure a SOAP request to a
protected service, where the request contains the actual service
request plus license information?

What I am after is the following: A SOAP message does contain a <Header> and
a <Body> element. For example in a service chain, the client initiates a
request to the first service of the chain, providing the service request and
a license necessary for the ultimate receiving service (might be different
from the service that the client contacts) to determine if the request can
be processed. Basically two options exist for the client of where to put the
different types of information:
1) The client can put the actual service request inside the <Body> tag and
put the license inside the <Header> tag. 
2) The client can put just processing information (URL of the ultimate
receiver) into the <Header> element to allow proper routing and processing
along the chain and put an XML document into the <Body> tag, where the
document contains the license and the service request. 

From the first approach, I understand that there might be a potential
security hole as the <Header> element and its content is only loosely
coupled with the <Body> and that might be used by an adversary in the
processing chain to replace the <Body> and/or the <Header>. So for this
approach, it would be essential to strongly bind together the license
information from the <Header> and the service request inside the <Body> to
have a legal binding of the license and the request.

From the second approach, it is the responsibility of the client to create
the integral XML document that contains the license information and the
service request, for example by applying XML Digital Signature to the elements.
In case the license information shall only be visible to the ultimate
receiver, it can be encrypted using XML Encryption. In order to have the
receiving services process their parts of the message and enable the
ultimate receiver to validate the message, the client would put the used
algorithms and keys into the <Header> as pointed out in WS-Security. So
there is no need to ensure an integral relation between the <Header> and the
<Body> as it would be for the first approach.


Rigo and Jan,
What is the legal perspective here? Would it be mandatory to have the
license and the request to be one integral unit (e.g. a digitally signed
document) and would that imply the use of approach 1 or 2?

Any thoughts, comments or perhaps project experience are welcomed.

Thanks for taking a look
Andreas

/****************************************** 
Dr. Andreas Matheus
Universität der Bundeswehr München
Fakultät für Informatik
Institut für Informationstechnische Systeme

Werner-Heisenberg-Weg 39 
D-85579 Neubiberg
-------------------------------------------
Tel: +49 89 6004 2745
Fax: +49 89 6004 3898
Mail: andreas.matheus@unibw.de
******************************************/

Received on Tuesday, 11 November 2008 15:25:30 UTC
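
The binding problem raised for the first approach, as an added example that is not part of the original message: a check value that covers only the `<Body>` still verifies after the license in the `<Header>` is replaced in transit, while one computed over the digests of both parts does not. An HMAC stands in here for XML Digital Signature, and the license and service namespaces, element names and shared key are hypothetical.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
LIC_NS = "urn:example:license"   # hypothetical license namespace
SVC_NS = "urn:example:service"   # hypothetical service namespace
KEY = b"constructed-demo-key"    # assumption: key shared by client and ultimate receiver

def _digest(elem):
    # Canonical XML (C14N 2.0) gives a stable form of the element to hash.
    c14n = ET.canonicalize(ET.tostring(elem, encoding="unicode"))
    return hashlib.sha256(c14n.encode("utf-8")).hexdigest()

def bind(envelope_xml, cover_license=True, key=KEY):
    """Return a MAC over the Body digest and, optionally, the License digest."""
    root = ET.fromstring(envelope_xml)
    lic = root.find(f"{{{SOAP_NS}}}Header/{{{LIC_NS}}}License")
    body = root.find(f"{{{SOAP_NS}}}Body")
    if lic is None or body is None:
        raise ValueError("envelope needs a License header and a Body")
    manifest = "body=" + _digest(body)
    if cover_license:
        manifest += ";license=" + _digest(lic)
    return hmac.new(key, manifest.encode("utf-8"), hashlib.sha256).hexdigest()

def verify(envelope_xml, tag, cover_license=True, key=KEY):
    """Recompute the MAC at the ultimate receiver and compare in constant time."""
    try:
        expected = bind(envelope_xml, cover_license, key)
    except (ValueError, ET.ParseError):
        return False
    return hmac.compare_digest(expected, tag)

def envelope(license_id, operation):
    # Constructed sample message, not taken from any real service.
    return (f'<s:Envelope xmlns:s="{SOAP_NS}" xmlns:l="{LIC_NS}" xmlns:v="{SVC_NS}">'
            f'<s:Header><l:License id="{license_id}"/></s:Header>'
            f'<s:Body><v:{operation}/></s:Body></s:Envelope>')

if __name__ == "__main__":
    sent = envelope("lic-A", "GetData")
    altered = envelope("lic-B", "GetData")  # License header replaced in transit
    # Body-only coverage: the replaced license goes unnoticed.
    print(verify(altered, bind(sent, cover_license=False), cover_license=False))
    # Coverage of both digests: the replacement is detected.
    print(verify(altered, bind(sent)))
```

In a WS-Security deployment the same effect comes from a signature whose references cover both the license header block and the `<Body>`.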