
ebxml-msg message


Subject: RE: Threat assessment, some dissent RE: [ebxml-msg] security problem with ebXML MS

That sounds mainly sensible to me. I would prefer to list the methods that can be used to test whether the received headers are legitimate and so counteract the threat.

1. If using CPA, use the information in the Packaging element for the agreed upon ServiceBinding to see that content-types are as they were agreed to.
2. Absent CPA, sender can use whatever works as an xmldsig enhancement (repeating some/all of the headers in an object that is signed over, with embellishments as needed to lead to consensus...).
3. Suggest possible use of a digital enveloping technique to deter intermediary access.

Dale Moberg
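Method 2 above (copying the payload's MIME headers into an object that the signature covers, so the receiver can tell a benign relay rewrite from a changed header), worked through as an added example that is not part of this thread or of the ebXML MS specification. HMAC-SHA256 over a plain XML element stands in for the xmldsig Signature/Object pair, and the protected header list, key and MIME parts are constructed for the demonstration.

```python
import hashlib
import hmac
from email import message_from_string
from xml.etree import ElementTree as ET

# Payload MIME headers the parties agreed to protect. Assumption: in practice
# the list would come from the CPA Packaging element of the agreed ServiceBinding.
PROTECTED = ("content-type", "content-id", "content-transfer-encoding")

def canonical_headers(raw_mime: str) -> dict:
    """Normalise the protected headers so benign transit rewrites (header order,
    name case, folding whitespace) do not change what is signed, but value changes do."""
    msg = message_from_string(raw_mime)
    return {n: " ".join(msg[n].split()) for n in PROTECTED if msg[n] is not None}

def _mac(headers: dict, key: bytes) -> str:
    # HMAC-SHA256 stands in for the XML DSIG signature over the object (assumption).
    data = "\n".join(f"{n}:{v}" for n, v in sorted(headers.items())).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def build_signed_object(raw_mime: str, key: bytes) -> str:
    """Sender: copy the original header values into an XML object and sign it,
    the role an xmldsig Object referenced by the Signature would play in ebXML MS."""
    headers = canonical_headers(raw_mime)
    obj = ET.Element("PayloadHeaders")
    for name, value in sorted(headers.items()):
        ET.SubElement(obj, "Header", name=name).text = value
    ET.SubElement(obj, "MAC").text = _mac(headers, key)
    return ET.tostring(obj, encoding="unicode")

def check_received(raw_mime: str, signed_obj: str, key: bytes) -> str:
    """Receiver: first check that the signed copies are authentic, then compare
    them with the headers actually received. Returns 'ok', 'bad-signature' or 'modified'."""
    obj = ET.fromstring(signed_obj)
    copies = {h.get("name"): h.text for h in obj.findall("Header")}
    if not hmac.compare_digest(obj.findtext("MAC") or "", _mac(copies, key)):
        return "bad-signature"
    return "ok" if canonical_headers(raw_mime) == copies else "modified"

# Constructed sample payload part and key (not from the thread).
KEY = b"constructed-demo-key"
ORIGINAL = ("Content-Type: application/xml; charset=utf-8\r\n"
            "Content-ID: <po-1@sender.example>\r\n"
            "Content-Transfer-Encoding: 8bit\r\n\r\n<PurchaseOrder/>\r\n")
# Benign rewrite by a relay: order, name case and folding differ, values do not.
REORDERED = ("content-id: <po-1@sender.example>\r\n"
             "CONTENT-TYPE: application/xml;\r\n\tcharset=utf-8\r\n"
             "Content-Transfer-Encoding: 8bit\r\n\r\n<PurchaseOrder/>\r\n")
# Malicious rewrite: the payload's content type is changed in transit.
RETYPED = ORIGINAL.replace("application/xml", "text/plain")
```

Calling `check_received(mime, build_signed_object(ORIGINAL, KEY), KEY)` yields "ok" for both ORIGINAL and REORDERED and "modified" for RETYPED, which is the distinction Rich's note about benign versus malicious header changes asks the receiver to make.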

-----Original Message-----
From: Rich Salz [mailto:rsalz@zolera.com]
Sent: Tuesday, November 13, 2001 6:49 PM
To: Doug Bunting
Cc: ebxml-msg@lists.oasis-open.org
Subject: Re: Threat assessment, some dissent RE: [ebxml-msg] security problem with ebXML MS

I am also unsure if the threat is practical.

But James and I agree on the following: the spec should say that MIME
headers may be modified in transit, for any number of benign or
malicious reasons.  This may be an issue for some applications that look
at the payload headers to do routing or other work. If this is an issue,
here is how to encode the original value of the headers and incorporate
that within the XML DSIG element that protects the ebXML message header.

Make sense?
Zolera Systems, Securing web services (XML, SOAP, Signatures,

