OASIS Mailing List Archives

wss message



Subject: Re: [wss] Recently discover WSS security threat




Michael McIntosh wrote on 5/27/2005, 5:34 PM:
 >
 > //soap:Envelope/soap:Header/wsa:ReplyTo[@wsu:Id="theReplyTo"]

This does protect the header from being moved.  However,
it does leave open a possible problem when the header is
allowed to be multi-occurrence.  The sender may sign and include
one instance of the header.  A MITM may insert additional
versions of the header before and/or after the signed header.

The client needs to be aware of which was signed and which
was not and to deal with it as appropriate.

Conor
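
An added example, not part of the original message: one way a receiver could tell which instance of a repeatable header the signature covers and which instances were not signed. The function names, the WS-Addressing namespace version and the sample envelope are assumptions made for illustration, and the code assumes the signature itself has already been verified by the WSS stack.

```python
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsa": "http://schemas.xmlsoap.org/ws/2004/08/addressing",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/"
             "oasis-200401-wss-wssecurity-utility-1.0.xsd"}
WSU_ID = "{%s}Id" % NS["wsu"]
XMLNS = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())

# Constructed sample: the signed ReplyTo with unsigned copies inserted before
# and after it. The wsse:Security wrapper and signature value are omitted.
SAMPLE = f"""<soap:Envelope {XMLNS}><soap:Header>
 <wsa:ReplyTo><wsa:Address>http://injected-1.example/</wsa:Address></wsa:ReplyTo>
 <wsa:ReplyTo wsu:Id="theReplyTo"><wsa:Address>http://sender.example/reply</wsa:Address></wsa:ReplyTo>
 <wsa:ReplyTo><wsa:Address>http://injected-2.example/</wsa:Address></wsa:ReplyTo>
 <ds:Signature><ds:SignedInfo><ds:Reference URI="#theReplyTo"/></ds:SignedInfo></ds:Signature>
</soap:Header><soap:Body/></soap:Envelope>"""


def split_headers(envelope_xml, tag="wsa:ReplyTo"):
    """Return (signed, unsigned) instances of a header that may repeat."""
    root = ET.fromstring(envelope_xml)  # use a hardened parser on untrusted input
    header = root.find("soap:Header", NS)
    if header is None:
        return [], []
    # Ids covered by the signature. ASSUMPTION: digests and signature value
    # were already verified by the WSS stack; this only maps coverage.
    uris = [r.get("URI", "") for r in header.findall(".//ds:SignedInfo/ds:Reference", NS)]
    all_ids = [e.get(WSU_ID) for e in root.iter() if e.get(WSU_ID)]
    # An Id used twice makes "#id" ambiguous, so it counts as not covered.
    covered = {u[1:] for u in uris if u.startswith("#") and all_ids.count(u[1:]) == 1}
    signed, unsigned = [], []
    for el in header.findall(tag, NS):  # direct children of soap:Header only
        (signed if el.get(WSU_ID) in covered else unsigned).append(el)
    return signed, unsigned


def trusted_reply_to(envelope_xml):
    """Return (address, unsigned_count); act only on the one signed ReplyTo."""
    signed, unsigned = split_headers(envelope_xml)
    if len(signed) != 1:
        raise ValueError(f"expected 1 signed ReplyTo, found {len(signed)}")
    return signed[0].findtext("wsa:Address", namespaces=NS), len(unsigned)
```

The unsigned count is returned so the caller can log or reject the message according to its own policy.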



