BizTalk Utilities CV ,   Jobs ,   Code library
 
Go to the front page to continue learning about XML or select below:

Contents

ReBlogger Contents

Previous posts in WS, web services

 
 
CONTENTS
Page 19154 of 20191

Enveloped Signatures - XMLDSIG and WS-Security

Blogger : Softwaremaker
All posts : All posts by Softwaremaker
Category : WS, web services
Blogged date : 2004 Dec 11

To slightly expand on my post and Hervey`s a little bit further, there was mention on the use of Enveloped Signatures in the SOAP Headers. Enveloped Signature (as defined by _XML-DSIG_) is a signature over the XML content that contains the signature as an element. The content provides the root XML document element. Obviously, enveloped signatures must take care not to include their own value in the calculation of the SignatureValue. In other words, Enveloped Signature would sign the contents of the SOAP headers WITHOUT the signature. This is the only way a Security header can be signed without creating a circular reference dependency.

To do the above, you are enforcing the prevention of intermediaries from modifying the SOAP Headers.

However, as taken from the _WS-Security Specs_

Because of the mutability of some SOAP headers, producers SHOULD NOT use the Enveloped Signature Transform defined in XML Signature. Instead, messages SHOULD explicitly include the elements to be signed. Similarly, producers SHOULD NOT use the Enveloping Signature defined in XML Signature [XMLSIG]

WS-Security doesnt *believe* in the Enveloped Signatures because it stands on the belief that SOAP Headers are mutable. Since SOAP Headers can change and the likelihood is there that a SOAP intermediary can change the headers, an Enveloped Signature would not be as extensible and work as well.

I am a strong believer of that. If a normal signature is used instead of an enveloped one, then an intermediary can safely add more tokens and more signatures to a Security header targeted at another node on the message path...and that is why there is WS-Security. Security cannot just be based on End-to-End scenarios or else SSL / HTTPS will suffice.

I also further believe that an intermediary should be able to extend Security headers which are meant for other target nodes. Since a SOAP node can only process a single Security Header (because of re-ordering constraints of SOAP Headers), this option may not be as far-fetched or ridiculous as it may sound.

Of course, anyone can still choose to implement Enveloped Signatures over their SOAP Headers if they are just implementing End-to-End scenarios and enforcing non-tampering measures over any desired or un-desired intermediaries. However, extensibility may not be an option here should intermediaries be required to offload certain processing functionality off the ultimate receiver or even add more tokens and signatures along the way.

Read comments or post a reply to : Enveloped Signatures - XMLDSIG and WS-Security
CONTENTS
Page 19154 of 20191
Newest posts
WCF LOB | BizTalk 2006 R2 | WSE | WSCF/WCF | BizTalk Rule Engine | Biztalk Adapters | Orchestration / Workflow | BizTalk 2006 | BizTalk 2004 | BizTalk 2002 | BizTalk Server | SOA | SQLXML | XmlSerializer | WS, web services | .NET XML, System.XML | XSL/T | XML |
 

    Email TopXML