Subject: RE: Threat assessment, some dissent RE: [ebxml-msg] security problem with ebXML MS
That sounds mainly sensible to me. I would prefer to list the methods that can be used to test whether the received headers are legitimate and so counteract the threat.

1. If using CPA, use the information in the Packaging element for the agreed upon ServiceBinding to see that content-types are as they were agreed to.
2. Absent CPA, sender can use whatever works as an xmldsig enhancement (repeating some/all of the headers in an object that is signed over, with embellishments as needed to lead to consensus...)
3. Suggest possible use of a digital enveloping technique to deter intermediary access.

Dale Moberg

-----Original Message-----
From: Rich Salz [mailto:rsalz@zolera.com]
Sent: Tuesday, November 13, 2001 6:49 PM
To: Doug Bunting
Cc: ebxml-msg@lists.oasis-open.org
Subject: Re: Threat assessment, some dissent RE: [ebxml-msg] security problem with ebXML MS

I am also unsure if the threat is practical. But James and I agree on the following: the spec should say that MIME headers may be modified in transit, for any number of benign or malicious reasons. This may be an issue for some applications that look at the payload headers to do routing or other work. If this is an issue, here is how to encode the original value of the headers and incorporate that within the XML DSIG element that protects the ebXML message header.

Make sense?
        /r$

--
Zolera Systems, Securing web services (XML, SOAP, Signatures, Encryption)
http://www.zolera.com
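The mitigation both messages converge on, repeating the payload's MIME headers inside an object that the signature covers so the receiver can compare the headers it actually received against the copies the sender signed, as an added Python example that is not part of the original messages or of the ebXML MS specification. The sample package, the key and the element names of the header object are constructed for this example, and HMAC-SHA256 stands in for the XML DSIG SignatureValue:

```python
import base64
import email
import hashlib
import hmac
from xml.sax.saxutils import escape

# Constructed sample ebXML-style package: the first body part is the SOAP
# envelope carrying the ebXML MessageHeader, the second is the business payload.
RAW_PACKAGE = (
    b"MIME-Version: 1.0\n"
    b'Content-Type: multipart/related; boundary="BOUNDARY"; type="text/xml"\n'
    b"\n"
    b"--BOUNDARY\n"
    b"Content-Type: text/xml; charset=UTF-8\n"
    b"Content-ID: <soap-env@example.invalid>\n"
    b"\n"
    b"<SOAP:Envelope/>\n"
    b"--BOUNDARY\n"
    b"Content-Type: application/xml\n"
    b"Content-ID: <payload-1@example.invalid>\n"
    b"\n"
    b"<PurchaseOrder><Total>100</Total></PurchaseOrder>\n"
    b"--BOUNDARY--\n"
)

KEY = b"demo-signing-key"  # constructed; HMAC stands in for the XML DSIG key pair

# MIME headers an application might route on, and therefore worth protecting.
PROTECTED_HEADERS = ("Content-Type", "Content-ID")


def payload_parts(raw: bytes) -> list:
    """Parse the package and return the payload parts after the SOAP envelope."""
    return email.message_from_bytes(raw).get_payload()[1:]


def digest(data: bytes) -> str:
    """Base64 SHA-256, the shape of a ds:DigestValue."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def header_object(parts) -> bytes:
    """Serialize copies of the protected MIME headers of every payload part.

    This is the "object that is signed over" from the thread; the element
    names are assumptions for this example, not ebXML MS or XML DSIG syntax.
    """
    lines = ['<Object Id="MimeHeaders">']
    for part in parts:
        lines.append("  <Part>")
        for name in PROTECTED_HEADERS:
            lines.append(f'    <Header name="{name}">{escape(part.get(name, ""))}</Header>')
        lines.append("  </Part>")
    lines.append("</Object>")
    return "\n".join(lines).encode()


def sign_package(raw: bytes, key: bytes) -> dict:
    """Sign the payload bodies and the header copies together.

    The record mimics a SignedInfo: one digest per payload body, one digest of
    the header Object, and a MAC over all digests in place of the SignatureValue.
    """
    parts = payload_parts(raw)
    headers = header_object(parts)
    references = [digest(p.get_payload(decode=True)) for p in parts]
    references.append(digest(headers))
    signed_info = "\n".join(references).encode()
    return {
        "references": references,
        "header_object": headers.decode(),
        "signature": hmac.new(key, signed_info, hashlib.sha256).hexdigest(),
    }


def bodies_intact(raw: bytes, sig: dict) -> bool:
    """True if every payload body still hashes to its signed reference.

    This is all a signature over the bodies alone can establish; it says
    nothing about the MIME headers wrapped around them.
    """
    parts = payload_parts(raw)
    body_refs = sig["references"][:-1]
    return len(parts) == len(body_refs) and all(
        digest(p.get_payload(decode=True)) == ref for p, ref in zip(parts, body_refs)
    )


def verify_package(raw: bytes, sig: dict, key: bytes) -> tuple:
    """Verify the signature, then the bodies, then the header copies."""
    signed_info = "\n".join(sig["references"]).encode()
    expected = hmac.new(key, signed_info, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig["signature"]):
        return False, "signature does not match the signed references"
    if not bodies_intact(raw, sig):
        return False, "a payload body was modified"
    signed_headers = sig["header_object"].encode()
    if digest(signed_headers) != sig["references"][-1]:
        return False, "header copies are not covered by the signature"
    # The check the thread asks for: received headers against the signed copies.
    if header_object(payload_parts(raw)) != signed_headers:
        return False, "MIME headers differ from the signed copies"
    return True, "ok"


def tamper_content_type(raw: bytes, new_type: str) -> bytes:
    """Simulate an intermediary rewriting the payload part's Content-Type."""
    return raw.replace(b"Content-Type: application/xml",
                       b"Content-Type: " + new_type.encode(), 1)


if __name__ == "__main__":
    sig = sign_package(RAW_PACKAGE, KEY)
    print(verify_package(RAW_PACKAGE, sig, KEY))
    altered = tamper_content_type(RAW_PACKAGE, "text/plain")
    print(bodies_intact(altered, sig), verify_package(altered, sig, KEY))
```

Run as a script, the untouched package verifies; after the payload's Content-Type is rewritten in transit, every body digest still matches (so a signature over the bodies alone would pass), and only the comparison against the signed header copies reports the change. The receiver still needs to reach its own header copies through the signature, which is why the digest of the header object is itself one of the signed references.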