ws-securitypolicy-1.3-spec-os

Messages sent from recipient to initiator have the following layout for the security header:

1. A wsu:Timestamp element if [Timestamp] is 'true'.

2. If the sp:IncludeToken attribute on the [Encryption Token] is .../IncludeToken/Always, then the [Encryption Token].

3. If [Derived Keys] is 'true', then a Derived Key Token, based on the [Encryption Token]. This Derived Key Token is used for encryption.

4. A reference list including references to encrypted items. If [Signature Protection] is 'true', then the reference list MUST include a reference to the message signature from 6 below, and the wsse11:SignatureConfirmation elements from 5 below if any. If [Protection Order] is 'SignBeforeEncrypting', then the reference list MUST include a reference to all the message parts specified in the EncryptedParts assertions in the policy. If [Derived Keys] is 'true', then the key in the token from 2 above MUST be used, otherwise the key in the [Encryption Token] from 2 above.

5. If [Signature Confirmation] is 'true' then a wsse11:SignatureConfirmation element for each signature in the corresponding message sent from initiator to recipient. If there are no signatures in the corresponding message from the initiator to the recipient, then a wsse11:SignatureConfirmation element with no Value attribute.

6. If the [Signature Token] is not the same as the [Encryption Token], and the sp:IncludeToken attribute on the [Signature Token] is .../IncludeToken/Always, then the [Signature Token].

7. If [Derived Keys] is 'true', then a Derived Key Token, based on the [Signature Token]. This Derived Key Token is used for signature.

8. A signature over the wsu:Timestamp from 1 above, any wsse11:SignatureConfirmation elements from 5 above, and all the message parts specified in SignedParts assertions in the policy. If [Token Protection] is 'true', the signature MUST also cover the [Signature Token] regardless of whether it is included in the message. If [Derived Keys] is 'true', the key in the token from 6 above MUST be used, otherwise the key in the [Signature Token].

9. If [Protection Order] is 'EncryptBeforeSigning' then a reference list referencing all the message parts specified in EncryptedParts assertions in the policy. If [Derived Keys] is 'true', then the key in the Derived Key Token from 3 above MUST be used, otherwise the key in the [Encryption Token].

ws-securitypolicy-1.3-spec-os

2 February 2009

Copyright © OASIS® 1993–2009. All Rights Reserved.

Page 99 of 114
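The nine layout rules above are conditional on a handful of policy properties, and it is easy to lose track of which element lands where for a given combination. The following is an added example (not code from the specification or from any OASIS implementation) that models the rules as a function returning the ordered security-header contents. The `Policy` field names, the element labels `ReferenceList`, `Signature` and `DerivedKeyToken`, and the decision to take the encryption and signature keys from the Derived Key Tokens of rules 3 and 7 (which the rule text itself says are "used for encryption" and "used for signature") are this example's own choices.

```python
"""Added example: the recipient-to-initiator layout rules modelled as a function.
Labels and field names are this example's own, not identifiers from the spec."""
from dataclasses import dataclass
from typing import List


@dataclass
class Policy:
    """Policy properties the layout rules depend on (names assumed, not spec identifiers)."""
    timestamp: bool = True
    derived_keys: bool = False
    signature_protection: bool = False
    protection_order: str = "SignBeforeEncrypting"   # or "EncryptBeforeSigning"
    signature_confirmation: bool = False
    token_protection: bool = False
    encryption_token_include_always: bool = False    # sp:IncludeToken=.../Always on [Encryption Token]
    signature_token_include_always: bool = False     # sp:IncludeToken=.../Always on [Signature Token]
    same_signature_and_encryption_token: bool = True


@dataclass
class HeaderItem:
    rule: int        # which of the nine rules produced this item
    element: str     # element placed in the security header
    note: str = ""   # key used, and what is referenced or signed


def recipient_header_layout(policy: Policy, initiator_signature_count: int = 0) -> List[HeaderItem]:
    """Return the security header contents, in order, for a recipient-to-initiator message."""
    if policy.protection_order not in ("SignBeforeEncrypting", "EncryptBeforeSigning"):
        raise ValueError("unknown [Protection Order]: %r" % policy.protection_order)
    items: List[HeaderItem] = []

    # Rule 1: timestamp.
    if policy.timestamp:
        items.append(HeaderItem(1, "wsu:Timestamp"))
    # Rule 2: the encryption token itself, only when the policy says to include it.
    if policy.encryption_token_include_always:
        items.append(HeaderItem(2, "[Encryption Token]"))
    # Rule 3: derived key token for encryption.
    if policy.derived_keys:
        items.append(HeaderItem(3, "DerivedKeyToken", "based on [Encryption Token]; used for encryption"))
    # Rule 4: reference list. With derived keys we use rule 3's token, which the text
    # describes as the one "used for encryption".
    enc_key = "DerivedKeyToken (rule 3)" if policy.derived_keys else "[Encryption Token]"
    refs = ["encrypted items"]
    if policy.signature_protection:
        refs.append("message signature")
        if policy.signature_confirmation:
            refs.append("wsse11:SignatureConfirmation elements")
    if policy.protection_order == "SignBeforeEncrypting":
        refs.append("all EncryptedParts")
    items.append(HeaderItem(4, "ReferenceList", "key: %s; references: %s" % (enc_key, ", ".join(refs))))
    # Rule 5: one SignatureConfirmation per initiator signature, or one with no Value if there were none.
    if policy.signature_confirmation:
        if initiator_signature_count == 0:
            items.append(HeaderItem(5, "wsse11:SignatureConfirmation", "no Value attribute"))
        for i in range(initiator_signature_count):
            items.append(HeaderItem(5, "wsse11:SignatureConfirmation",
                                    "Value = initiator signature %d" % (i + 1)))
    # Rule 6: a separate signature token, only when it differs from the encryption token and is included.
    if not policy.same_signature_and_encryption_token and policy.signature_token_include_always:
        items.append(HeaderItem(6, "[Signature Token]"))
    # Rule 7: derived key token for the signature.
    if policy.derived_keys:
        items.append(HeaderItem(7, "DerivedKeyToken", "based on [Signature Token]; used for signature"))
    # Rule 8: the message signature and what it covers.
    sig_key = "DerivedKeyToken (rule 7)" if policy.derived_keys else "[Signature Token]"
    signed = ["wsu:Timestamp"] if policy.timestamp else []
    if policy.signature_confirmation:
        signed.append("wsse11:SignatureConfirmation elements")
    signed.append("all SignedParts")
    if policy.token_protection:
        signed.append("[Signature Token] (whether or not included)")
    items.append(HeaderItem(8, "Signature", "key: %s; signs: %s" % (sig_key, ", ".join(signed))))
    # Rule 9: with EncryptBeforeSigning, the EncryptedParts reference list follows the signature.
    if policy.protection_order == "EncryptBeforeSigning":
        items.append(HeaderItem(9, "ReferenceList", "key: %s; references: all EncryptedParts" % enc_key))
    return items


def element_order(items: List[HeaderItem]) -> List[str]:
    """Just the element names, in header order."""
    return [item.element for item in items]


if __name__ == "__main__":
    policy = Policy(signature_protection=True, protection_order="EncryptBeforeSigning",
                    signature_confirmation=True)
    for item in recipient_header_layout(policy, initiator_signature_count=2):
        print("%d  %-30s %s" % (item.rule, item.element, item.note))
```

Running the module prints the EncryptBeforeSigning layout for a response to a request that carried two signatures: timestamp, the rule 4 reference list (covering the signature and both confirmations because [Signature Protection] is set), two confirmations, the signature, and finally the rule 9 reference list for the EncryptedParts. Switching `protection_order` to `SignBeforeEncrypting` moves the EncryptedParts references into the rule 4 list and drops the trailing one.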

The following diagram illustrates the security header layout for the recipient to initiator message:

[Figure: security header layout for the recipient to initiator message, in two panels. Panel "Encrypt Then Sign": boxes Body, Header1, Header2, Security, Sig1, TS, SC1, Ref1, SC2. Panel "Sign Then Encrypt": boxes Body, Header1, Header2, Security, TS, Ref1, Sig1, SC1, Ref1, SC2. The arrows described below are not recoverable from the text.]

The arrows on the right indicate parts that were signed as part of the message signature labeled Sig1. The arrows on the left from boxes labeled Ref1 indicate references to parts encrypted using a key based on the [SharedSecret Token] (not shown in these diagrams as it is referenced as an external token). Two wsse11:SignatureConfirmation elements labeled SC1 and SC2, corresponding to the two signatures in the initial message illustrated previously, are included. In general, the ordering of the items in the security header follows the most optimal layout for a receiver to process its contents. The rules used to determine this ordering are described in Appendix C.
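Rule 5 and the SC1/SC2 boxes above describe what the recipient emits; the point of the mechanism is that the initiator can then detect a response built for a different (or stripped) set of request signatures. The following is an added example of that initiator-side check, not code from the specification: it collects every ds:SignatureValue in the request it sent, collects the Value attribute of every wsse11:SignatureConfirmation in the response, and requires one confirmation per signature with matching values, or exactly one Value-less element when the request was unsigned. The namespace URIs are the published WS-Security 1.0/1.1 and XML Signature namespaces; the SOAP envelopes and signature values are constructed sample data.

```python
"""Added example: initiator-side verification of wsse11:SignatureConfirmation (rule 5).
Not code from the specification; sample messages below are constructed."""
import xml.etree.ElementTree as ET
from collections import Counter
from typing import List, Optional

SOAP = "http://www.w3.org/2003/05/soap-envelope"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSSE11 = "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"


def request_signature_values(envelope_xml: str) -> List[str]:
    """ds:SignatureValue text of every signature in the request, in document order."""
    root = ET.fromstring(envelope_xml)
    return [(e.text or "").strip() for e in root.iter("{%s}SignatureValue" % DS)]


def response_confirmations(envelope_xml: str) -> List[Optional[str]]:
    """Value attribute of each wsse11:SignatureConfirmation; None where the attribute is absent."""
    root = ET.fromstring(envelope_xml)
    return [e.get("Value") for e in root.iter("{%s}SignatureConfirmation" % WSSE11)]


def confirmations_match(sent: List[str], confirmed: List[Optional[str]]) -> bool:
    """Rule 5: one confirmation per signature sent; no signatures -> exactly one element without Value."""
    if not sent:
        return confirmed == [None]
    if any(v is None for v in confirmed):
        return False  # a Value-less element is only legitimate when nothing was signed
    # Same signature values with the same multiplicity; header order is not significant here.
    return Counter(sent) == Counter(confirmed)


def check_response(request_xml: str, response_xml: str) -> bool:
    """True when the response confirms exactly the signatures the request carried."""
    return confirmations_match(request_signature_values(request_xml),
                               response_confirmations(response_xml))


# --- constructed sample messages (placeholder base64 values, not real signatures) ---
def envelope(security_contents: str) -> str:
    """SOAP 1.2 envelope whose wsse:Security header holds the given content."""
    return ('<S:Envelope xmlns:S="%s" xmlns:wsse="%s" xmlns:wsse11="%s" xmlns:ds="%s">'
            '<S:Header><wsse:Security>%s</wsse:Security></S:Header><S:Body/></S:Envelope>'
            % (SOAP, WSSE, WSSE11, DS, security_contents))


SIG = '<ds:Signature><ds:SignatureValue>%s</ds:SignatureValue></ds:Signature>'
SC = '<wsse11:SignatureConfirmation Value="%s"/>'

SIGNED_REQUEST = envelope(SIG % "c2lnbmF0dXJlLTE=" + SIG % "c2lnbmF0dXJlLTI=")  # two signatures
GOOD_RESPONSE = envelope(SC % "c2lnbmF0dXJlLTI=" + SC % "c2lnbmF0dXJlLTE=")     # both confirmed
STRIPPED_RESPONSE = envelope(SC % "c2lnbmF0dXJlLTE=")                           # one confirmation missing
UNSIGNED_REQUEST = envelope("")
UNSIGNED_RESPONSE = envelope('<wsse11:SignatureConfirmation/>')                  # rule 5, no-signature form

if __name__ == "__main__":
    print("signed request, good response:    ", check_response(SIGNED_REQUEST, GOOD_RESPONSE))
    print("signed request, stripped response:", check_response(SIGNED_REQUEST, STRIPPED_RESPONSE))
    print("unsigned request, no-Value form:  ", check_response(UNSIGNED_REQUEST, UNSIGNED_RESPONSE))
```

This check only compares values. It is meaningful only after the response signature from rule 8 has been verified, since that signature is what binds the confirmation elements to the recipient; XML signature verification itself is outside this example.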

Example:

Recipient to initiator message using EncryptBeforeSigning:

...
