OASIS ebXML Messaging Services TC

Re: [ebxml-msg] security problem with ebXML MS

  • 1.  Re: [ebxml-msg] security problem with ebXML MS

    Posted 11-07-2001 14:42
    David,
    
    This idea should be explored further. The problem I am having
    is: how do you reference the MIME headers as a URI? I don't
    think that the same URI (whether cid or content-location URI)
    can be used...
    
    If we can solve that conundrum, then we may have something.
    
    Cheers,
    
    Chris
    
    David Fischer wrote:
    
    > I would like to suggest a variation on Suresh's idea.
    > 
    > What if we add a second Reference in the ds:Signature for 'each' payload so that
    > there would be two references to the same cid, for each payload.  I looked in
    > the dSig spec and there doesn't seem to be any prohibition on this.
    > 
    > The first reference would be to the payload as it has always been with whatever
    > canonicalization or transforms are required.  The second reference would be to
    > the MIME headers.  Suresh's canonicalization of the MIME headers would still be
    > required but we wouldn't have to copy the MIME headers into the Manifest
    > (minimal change to the spec).  We would still have to define that
    > Canonicalization Algorithm that Suresh described.
    > 
    > I don't know if this is better or worse but it is another option.
    > 
    > I'll confess, this is actually Rik's idea but I kind of like it.
    > 
    > Regards,
    > 
    > David Fischer
    > Drummond Group.
    > 
    >