OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

ebxml-msg message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: [ebxml-msg] security problem with ebXML MS

There is a security problem with ebXML MS that is not addressed by the
assertion to just use XML Digital Signature and XML Encryption (or

The problem is the MIME headers that are used to label the payloads are
not protected.  This is an issue because implementations will dispatch
payloads according to values found in these headers.  Without protection
a man-in-the-middle could change these headers resulting in unintended
actions being taken by implementations.

It is not the responsibility of the individual XML security
specifications to address this issue.  Those specifications correctly
accept arbitrary data streams with control information and generate
appropriate output.

This issue is about what is protected and how implementations prepare
the data stream for the application and validation/removal of the
security services.

Specifically, the ebXML Message Specification needs to specify how the
MIME headers are to be canonicalized and included in the data stream for
both the application of a signature and the application of encryption.
In addition, the specification needs to specify how the headers are
recovered for use by the MSH after the encryption is removed and the
signature is validated.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC