OASIS ebXML Messaging Services TC

 View Only

RE: Threat assessment, some dissent RE: [ebxml-msg] security problemwith ebXML MS

  • 1.  RE: Threat assessment, some dissent RE: [ebxml-msg] security problemwith ebXML MS

    Posted 11-09-2001 13:30
    Jim and Suresh,
    
    In my earlier long message I tried to summarize:
    
    1. what kind of threats
    might be provided
    2. under what transport/packaging conditions
    given the typical processing of
    3. ebXML messages.
    
    I considered a number of possible kinds
    of threats. Apparently Jim thinks it
    is only the threat of misdirection that
    should be of concern. So, 
    
    for that threat, these considerations still
    stand:
    
    1. ebXML messaging processing does
    not need to trust internal MIME content-type
    values.
    2. content-id values, if changed, will almost
    certainly lead to an error condition when
    they are used as part of XMLDsig signatures.
    3. CPA based agreements can be used to:
     a. check that internal mime content-types
        are as expected. MIME error can be thrown
        if enforced.
     b. add digital enveloping that can encrypt the entire
         MIME chunk, including the headers
        (using 1847 security packaging if you like, Jim!)
    
    Given all of this existing apparatus permitting
    strong counters for the situation of MITM header
    tweaking, if you still wish to mandate an
    additional new security mechanism, I urged you
    to hold off until the next iteration. By then,
    maybe XMLEncryption will be stable or other
    security proposals may have emerged that can
    be cited. Maybe a tweak to the mid: or cid: URIs
    that would permit mid: sub-segments-- who knows?
    
    ebXML messaging is IMO not primarily engaged in
    inventing new security solutions and countermeasures,
    but instead is involved in adopting 
    existing stable solutions to achieve
    an acceptable coverage for the standard threats
    (spoofing, alteration, and sniffing). 
    I would rather retrofit to a dedicated
    security groups carefully examined spec.
    than try to throw something together at the last minute
    (and we are at the last minute for 1.1). 
    
    Dale