[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: RE: [ebxml-msg] security problem with ebXML MS
Thanks Rich, that was actually our first thought when we started talking about this. We decided the Manifest was a better place since the link to the particular bodypart already existed in the form of a cid. Now we are back to Suresh's proposal. I like your rules. The only thing I would add is to exclude CTE. Do we need to worry about line terminators? Regards, David Fischer Drummond Group. -----Original Message----- From: Rich Salz [mailto:rsalz@zolera.com] Sent: Wednesday, November 07, 2001 4:34 PM To: David Fischer Cc: Christopher Ferris; ebxml-msg@lists.oasis-open.org Subject: Re: [ebxml-msg] security problem with ebXML MS > What if we add a second Reference in the ds:Signature for 'each' payload so that > there would be two references to the same cid, for each payload. I looked in > the dSig spec and there doesn't seem to be any prohibition on this. Yes, that's totally legal. I have a different idea. Take the MIME headers that you want to protect, convert them into UTF-8, turn all sequences of multi-line headers into a single line (i.e., turn "[\r\n]+[ \t]+" into " "). Base64 encode that. Define an ebXML element to hold that text string. It should be a string of type "xsi:base64Binary" and it should have an attribute of type "xsi:anyURI" that contains the CID pointing to the MIME multipart. We now have a new XML element that contains "a" canonical form of the MIME headers, and a link to the "original" headers. XMLDSIG includes an "Object" element that can contain anything. All an ebXML DSIG to contain an Object whose content is the ebXML element described above, and a Reference to that object. Parties concerned about MITM MIME tampering can create the object, parties not concerned will just see a little bit of XML content to hash. Hope this helps. Let me know if more explanation -- or a concete example -- is needed. /r$ -- Zolera Systems, Securing web services (XML, SOAP, Signatures, Encryption) http://www.zolera.com
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC