OASIS ebXML Messaging Services TC

Re: [ebxml-msg] security problem with ebXML MS

  • 1.  Re: [ebxml-msg] security problem with ebXML MS

    Posted 11-07-2001 10:03
    It is interesting, and we should put it on the
    f2f agenda for discussion, but I have some comments.
    
    This proposal seems to imply that MIME processing/parsing
    of the message is limited exclusively to the first body
    part of the multipart/related MIME object (the SOAP Envelope)
    and that all subsequent processing of the multipart/related
    object is driven by the contents of the MIME header info
    contained within the Manifest.
    
    No MIME processor/parser of which I am aware works in this
    manner. Thus, it would seem that this proposal is suggesting
    that in order to process a message, a new parser would be
    required. I'm not sure that this is desireable. In addition,
    the issue raised suggests that ALL MIME headers, including
    those that comprise the multipart/related "envelope" and
    those of the start object (the SOAP Envelope) would need
    to be protected, or maybe I'm missing something. I don't see
    how this proposal addresses the potential that these MIME
    headers might also become compromised.
    
    Further, I don't think that it is the responsibility of
    the OASIS ebXML Messaging TC to specify MIME header C14N. I would
    think that if this s to be done at all that the ownership
    and responsibility for this would belong squarely in the IETF camp.
    
    Cheers,
    
    Chris
    
    David Fischer wrote:
    
    > This is very good and we should include it on the F2F agenda.
    > 
    > Regards,
    > 
    > David Fischer
    > Drummond Group.
    > 
    >