OASIS ebXML Messaging Services TC

RE: [ebxml-msg] security problem with ebXML MS

    Posted 11-08-2001 01:33
    On Wed, 7 Nov 2001, David Fischer wrote:

    > I would like to suggest a variation on Suresh's idea. What if we add a second Reference in the ds:Signature for 'each' payload so that there would be two references to the same cid, for each payload. I looked in the dSig spec and there doesn't seem to be any prohibition on this. The first reference would be to the payload as it has always been with whatever canonicalization or transforms are required. The second reference would be to the MIME headers. Suresh's canonicalization of the MIME headers would still be required but we wouldn't have to copy the MIME headers into the Manifest (minimal change to the spec). We would still have to define that Canonicalization Algorithm that Suresh described.

    To make this more explicit I think the second reference -- the one that refers to the headers -- should include something that indicates it refers to the headers not the payload. There is an optional ID and Type attribute defined. Can we give one of those a value that would explicitly indicate to which data it was referring?

    Jim
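
The two-reference idea discussed in this message, sketched as an added example that is not part of the original thread or of any ebXML specification: each payload gets one digest over its body and a second, Type-tagged digest over its MIME headers, so a header change is caught even when the body is untouched. The header canonicalization, the `Type` value and the use of SHA-256 are assumptions made for illustration; the thread leaves the canonicalization algorithm and the attribute value undefined.

```python
import base64
import hashlib
from email import message_from_bytes

# Hypothetical Type value marking the header reference; the thread does not define one.
HEADER_REF_TYPE = "urn:example:ebxml-msg:mime-headers"

# Constructed sample payload part with a folded Content-Type header.
SAMPLE_PART = (
    b"Content-ID: <payload-1@example.test>\r\n"
    b"Content-Type: application/xml;\r\n\tcharset=utf-8\r\n"
    b"\r\n"
    b"<order id='42'/>\r\n"
)

def canonical_headers(part):
    """Assumed canonical form: lowercase names, unfolded values with
    collapsed whitespace, sorted, joined with CRLF."""
    lines = sorted(f"{k.lower()}:{' '.join(v.split())}" for k, v in part.items())
    return "\r\n".join(lines).encode("utf-8")

def digest(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")

def references_for(part):
    """Build two reference records for the same cid: payload first, headers second."""
    uri = "cid:" + part["Content-ID"].strip("<>")
    return [
        {"URI": uri, "Type": None,
         "DigestValue": digest(part.get_payload(decode=True))},
        {"URI": uri, "Type": HEADER_REF_TYPE,
         "DigestValue": digest(canonical_headers(part))},
    ]

def verify(part, signed_refs):
    """Recompute both digests and report which reference still matches."""
    fresh = references_for(part)
    return {
        ("headers" if ref["Type"] == HEADER_REF_TYPE else "payload"): ref == new
        for ref, new in zip(signed_refs, fresh)
    }

if __name__ == "__main__":
    signed = references_for(message_from_bytes(SAMPLE_PART))
    altered = SAMPLE_PART.replace(b"application/xml", b"text/html")
    print(verify(message_from_bytes(altered), signed))
```

The explicit `Type` on the second record is what lets the verifier decide which octets to digest for a given reference, since both records carry the same `cid:` URI.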