OASIS ebXML Messaging Services TC

RE: Threat assessment, some dissent RE: [ebxml-msg] security problem with ebXML MS

    Posted 11-13-2001 21:23
    That sounds mainly sensible to me. I would prefer to list the methods that can be used to test whether the received headers are legitimate and so counteract the threat.

    1. If using CPA, use the information in the Packaging element for the agreed upon ServiceBinding to see that content-types are as they were agreed to.
    2. Absent CPA, sender can use whatever works as an xmldsig enhancement (repeating some/all of the headers in an object that is signed over, with embellishments as needed to lead to consensus...)
    3. Suggest possible use of a digital enveloping technique to deter intermediary access.
    
    Dale Moberg
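
The content-type check from item 1 of the post above, as an added example that is not part of the original post or of any ebXML implementation. The packaging fragment is a constructed, simplified stand-in (its element and attribute names are assumptions, not the CPPA schema), and `agreed_types`, `check_message` and `build` are hypothetical helper names.

```python
import email
import xml.etree.ElementTree as ET

# Constructed, simplified stand-in for the agreed packaging information.
# Element and attribute names are assumptions for this sketch, not the CPPA schema.
AGREED_PACKAGING = """
<Packaging>
  <Composite mimetype="multipart/related">
    <Part mimetype="text/xml"/>
    <Part mimetype="application/xml"/>
  </Composite>
</Packaging>
"""

def agreed_types(packaging_xml):
    """Return (envelope type, ordered list of part types) from the agreement."""
    comp = ET.fromstring(packaging_xml).find("Composite")
    parts = [p.get("mimetype").lower() for p in comp.findall("Part")]
    return comp.get("mimetype").lower(), parts

def check_message(raw_bytes, packaging_xml):
    """Return a list of mismatches between received MIME headers and the agreement."""
    envelope, parts = agreed_types(packaging_xml)
    msg = email.message_from_bytes(raw_bytes)
    if msg.get_content_type() != envelope:
        return [f"envelope: got {msg.get_content_type()}, agreed {envelope}"]
    if not msg.is_multipart():
        # Declared multipart but no parsable parts (e.g. missing boundary).
        return ["envelope: declared multipart but no parts could be parsed"]
    received = [p.get_content_type() for p in msg.get_payload()]
    problems = []
    if len(received) != len(parts):
        problems.append(f"part count: got {len(received)}, agreed {len(parts)}")
    for i, (got, want) in enumerate(zip(received, parts)):
        if got != want:
            problems.append(f"part {i}: got {got}, agreed {want}")
    return problems

def build(part_types):
    """Constructed sample message with the given part content types."""
    body = "".join(f"--b1\r\nContent-Type: {t}\r\n\r\n<x/>\r\n" for t in part_types)
    head = 'Content-Type: multipart/related; boundary="b1"\r\n\r\n'
    return (head + body + "--b1--\r\n").encode()

if __name__ == "__main__":
    print(check_message(build(["text/xml", "application/xml"]), AGREED_PACKAGING))
    print(check_message(build(["text/xml", "text/html"]), AGREED_PACKAGING))
```

A receiver would reject or quarantine any message for which the returned list is non-empty, before handing parts to content-type-specific processing.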