- From: Rich Salz <rsalz@datapower.com>
- Date: Mon, 10 Jan 2005 10:26:21 -0500
- To: "public-ws-addressing@w3.org" <public-ws-addressing@w3.org>
The issue that separates using a wrapper vs an attribute isn't one of security, but software engineering. :)

Both XML DSIG and XML Encryption can handle each type:

wrapper -- Add an ID on the wrapped element, or put an ID on the wrapper and use an XPath expression to select the child of the wrapper. For encryption, do element-wise encryption of the wrapped element, replacing it with an xenc:EncryptedData element.

attribute -- Add an ID on the element, and use an XPath expression to select everything but the ID attribute. (If the subsystem doing WS-Addressing is also integrated with WS-Security, then the contents of the ID attribute can be known, and the XPath expression can be avoided.) For encryption, do content-wise encryption -- this leaves any attributes on the header in the clear; we'd have to document that -- or do element-wise encryption, but re-add any actor/role attribute in cleartext.

I can create samples of these if desired.

As long as refps are self-identifying, it is possible for a "generic" or loosely-coupled security facility to process them.

Most implementations will be less efficient signing or verifying a wrapper, because of the required XPath, but I don't think it's worth worrying about.

/r$

--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
Received on Monday, 10 January 2005 15:15:49 UTC
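The two layouts described in the message above (ID on the wrapper with the XPath selecting its child, vs ID on the refp element with the XPath selecting everything but the ID attribute, and content-wise vs element-wise encryption with the actor attribute re-added), as an added example that is not part of the original message or of any DataPower product. It uses the C14N 2.0 serializer in Python's standard library (3.8+), whose `exclude_attrs` option stands in for the "everything but the ID attribute" XPath transform. The SOAP 1.1, XML Encryption and WSS utility namespaces are the real ones; the WS-Addressing namespace (the final 2005/08 one, which postdates this thread), the `ex:CustomerKey` refp, the `wsa:IsReferenceParameter` marker, the `wsu:Id` values and the sample headers are constructed for the example. The cipher is a labelled toy stand-in for the AES used by real XML Encryption, so that the structural point (what stays in the clear) is visible without a crypto library:

```python
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

# SOAP 1.1, XML Encryption and WSS-utility namespaces are the real ones; WSA is the
# final WS-Addressing namespace (assumption, the thread predates it); EX is constructed.
S = "http://schemas.xmlsoap.org/soap/envelope/"
XENC = "http://www.w3.org/2001/04/xmlenc#"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSA = "http://www.w3.org/2005/08/addressing"
EX = "urn:example:refp"
for _p, _u in (("S", S), ("xenc", XENC), ("wsu", WSU), ("wsa", WSA), ("ex", EX)):
    ET.register_namespace(_p, _u)
ID, ACTOR = f"{{{WSU}}}Id", f"{{{S}}}actor"

# Constructed sample headers. Attribute style: an attribute marks the refp, which also
# carries a SOAP actor and the wsu:Id a WS-Security layer added for its ds:Reference.
ATTR_STYLE = f"""<S:Header xmlns:S="{S}" xmlns:wsa="{WSA}" xmlns:wsu="{WSU}" xmlns:ex="{EX}">
  <ex:CustomerKey wsa:IsReferenceParameter="true" S:actor="urn:example:crm" wsu:Id="rp1">ABC-123</ex:CustomerKey>
</S:Header>"""
# Wrapper style: the wsu:Id is on the wrapper and the XPath selects the wrapper's child.
WRAPPER_STYLE = f"""<S:Header xmlns:S="{S}" xmlns:wsa="{WSA}" xmlns:wsu="{WSU}" xmlns:ex="{EX}">
  <wsa:ReferenceParameters wsu:Id="rp1"><ex:CustomerKey>ABC-123</ex:CustomerKey></wsa:ReferenceParameters>
</S:Header>"""

def find_by_id(root, id_value):
    """Resolve a ds:Reference URI="#id" the way a WS-Security layer does."""
    for e in root.iter():
        if e.get(ID) == id_value:
            return e
    raise KeyError(id_value)

def digest(elem, exclude_attrs=()):
    """SHA-256 over the C14N 2.0 form of elem (stdlib, Python 3.8+). exclude_attrs={ID}
    stands in for the 'everything but the ID attribute' XPath transform."""
    elem = copy.copy(elem)
    elem.tail = None  # trailing whitespace belongs to the parent, not to the signed node
    c14n = ET.canonicalize(ET.tostring(elem, encoding="unicode"),
                           exclude_attrs=set(exclude_attrs) or None)
    return hashlib.sha256(c14n.encode()).hexdigest()

def id_is_outside_signature(header_xml, id_value):
    """A security layer can add or strip wsu:Id without changing the signed bytes."""
    elem = find_by_id(ET.fromstring(header_xml), id_value)
    with_id = digest(elem, {ID})
    del elem.attrib[ID]
    return with_id == digest(elem, {ID})

def toy_encrypt(plaintext, key):
    """Stand-in for the AES of real XML Encryption (SHA-256 keystream XOR). It only
    makes visible what lands in CipherValue; it is not a secure cipher."""
    out = bytearray()
    for i in range(0, len(plaintext), 32):
        stream = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(plaintext[i:i + 32], stream))
    return bytes(out)

def _encrypted_data(ciphertext, type_suffix):
    ed = ET.Element(f"{{{XENC}}}EncryptedData", {"Type": XENC + type_suffix})
    cd = ET.SubElement(ed, f"{{{XENC}}}CipherData")
    ET.SubElement(cd, f"{{{XENC}}}CipherValue").text = base64.b64encode(ciphertext).decode()
    return ed

def encrypt_content(elem, key):
    """Content-wise: text and children are replaced; every attribute of the header
    block (actor/role, wsa:IsReferenceParameter) stays in the clear."""
    inner = (elem.text or "") + "".join(ET.tostring(c, encoding="unicode") for c in elem)
    for c in list(elem):
        elem.remove(c)
    elem.text = None
    elem.append(_encrypted_data(toy_encrypt(inner.encode(), key), "Content"))
    return elem

def encrypt_element(parent, elem, key, keep_attrs=(ACTOR,)):
    """Element-wise: the whole header block becomes xenc:EncryptedData; only the
    attributes in keep_attrs (the SOAP actor/role) are re-added in cleartext."""
    ed = _encrypted_data(toy_encrypt(ET.tostring(elem), key), "Element")
    for name in keep_attrs:
        if name in elem.attrib:
            ed.set(name, elem.attrib[name])
    parent.insert(list(parent).index(elem), ed)
    parent.remove(elem)
    return ed

def demo(key=b"constructed demo key"):
    """Digests for both layouts plus both encrypted forms of the attribute-style header."""
    d_attr = digest(find_by_id(ET.fromstring(ATTR_STYLE), "rp1"), exclude_attrs={ID})
    (child,) = list(find_by_id(ET.fromstring(WRAPPER_STYLE), "rp1"))  # what the XPath selects
    d_wrap = digest(child)
    header = ET.fromstring(ATTR_STYLE)
    encrypt_content(find_by_id(header, "rp1"), key)
    content_xml = ET.tostring(header, encoding="unicode")
    header = ET.fromstring(ATTR_STYLE)
    encrypt_element(header, find_by_id(header, "rp1"), key)
    return d_attr, d_wrap, content_xml, ET.tostring(header, encoding="unicode")
```

Running `demo()` shows the trade-off the message describes: after `encrypt_content` the `ex:CustomerKey` start tag, with `S:actor` and `wsa:IsReferenceParameter`, is still readable and only its value has moved into `xenc:CipherValue`; after `encrypt_element` the element name and the refp marker are gone too, and only the copied `S:actor` tells an intermediary whom the encrypted block is for. `id_is_outside_signature` is the check a verifier wants for the attribute layout: because the transform drops `wsu:Id`, the digest is the same whether or not a security layer has decorated the element, so the ID can be added, renamed or stripped on either side without breaking the signature.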