Subject: Re: Threat assessment, some dissent RE: [ebxml-msg] security problem with ebXML MS
After reading all of the messages on this topic, I'm unsure what you two have agreed. Are you saying it's necessary to mention a possible threat with changed MIME headers (because they aren't captured by the digest over any payload) or that we must solve the problem? As described below, I'm probably missing a few things.

I remain unsure about the level of this threat. You're talking about changing the MIME headers for the payload containers, all of which are ancillary to the primary part -- the SOAP message containing the ebXML extensions we're busy defining. After that primary part has been handled by a SOAP processor (utilising relevant ebXML MSH handlers), does SOAP require or even support dispatching the remaining parts using a "generic" MIME processor? Is there any MIME header (assuming the CTE is handled prior to payload digest calculation) other than Content-type that a MIME dispatcher would use? That last point goes towards the generic nature of both the original proposal and all amendments I've seen discussed.

By the way, even Content-type can legitimately change in transit. An HTTP proxy that chooses to forward information in a different character set should update or add the charset parameter. I also think it's allowed to take a multipart message apart and rebuild it using a different boundary. Probably fringe use cases but possible downfalls to a solution in this area.

If we say this is a real problem and it must be solved, do SOAP processors even make the MIME headers available to handlers (such as a signature verifier) in a consistent fashion? For example, do current implementations of SOAP with Attachments all even pass that information to the SOAP handlers? Do they pass all headers or only provide things the handler requests "on demand" (resulting in ordering differences)?
help,
doug

----- Original Message -----
From: "Rich Salz" <rsalz@zolera.com>
To: "James M Galvin" <galvin@drummondgroup.com>
Cc: <ebxml-msg@lists.oasis-open.org>
Sent: Tuesday, November 13, 2001 12:08 PM
Subject: Re: Threat assessment,some dissent RE: [ebxml-msg] security problemwith ebXML MS

Great, closure, we completely agree now. Thanks for finding this.
/r$
--
Zolera Systems, Your Key to Online Integrity
Securing Web services: XML, SOAP, Dig-sig, Encryption
http://www.zolera.com
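To make concrete the gap Doug describes (a digest over the payload body alone cannot notice a changed MIME header) and his caveat that Content-Type parameters such as charset can legitimately change in transit, here is an added Python illustration. It is not code from the thread or from any ebXML MS or SOAP-with-Attachments implementation; the sample part, its header set, and the choice to bind only Content-ID and the parameter-free media type are assumptions made for the example.

```python
import hashlib

# Constructed sample payload container: MIME headers plus body, modelled on a
# SOAP-with-Attachments part. Illustration only, not a real ebXML MS message.
PART = {
    "headers": {
        "Content-ID": "<payload-1@example.com>",
        "Content-Type": "application/xml; charset=utf-8",
        "Content-Transfer-Encoding": "binary",
    },
    "body": b"<order><item>widget</item></order>",
}

def body_digest(part):
    """Digest over the payload body only, which is what the thread says the
    proposal covers: the MIME headers are not part of the digested input."""
    return hashlib.sha256(part["body"]).hexdigest()

def media_type(content_type):
    """Strip parameters (charset, boundary) so that a proxy which legitimately
    re-labels the charset, as Doug notes, does not break verification."""
    return content_type.split(";", 1)[0].strip().lower()

def bound_digest(part):
    """Digest that also binds Content-ID and the media type (parameters
    excluded). This is one assumed way to cover the headers for illustration,
    not text from the spec or the thread."""
    h = hashlib.sha256()
    h.update(part["headers"]["Content-ID"].encode("utf-8") + b"\n")
    h.update(media_type(part["headers"]["Content-Type"]).encode("utf-8") + b"\n")
    h.update(part["body"])
    return h.hexdigest()

def verify(part, expected, digest_fn):
    """Recompute the digest at the receiver and compare with the received value."""
    return digest_fn(part) == expected

def relabel(part, content_type):
    """Copy of the part with only its Content-Type header changed; body untouched.
    Models a header modified in transit, whether by a proxy or otherwise."""
    new = {"headers": dict(part["headers"]), "body": part["body"]}
    new["headers"]["Content-Type"] = content_type
    return new
```

With body_digest, re-labelling application/xml as text/plain still verifies, so the receiver cannot tell; with bound_digest the media-type change is caught while a charset-only change is still accepted.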