W3C home > Mailing lists > Public > public-ws-addressing@w3.org > November 2004

Re: Composibility problems with refps

From: Rich Salz <rsalz@datapower.com>
Date: Wed, 24 Nov 2004 10:19:37 -0500
Message-ID: <41A4A689.4040701@datapower.com>
To: Francisco Curbera <curbera@us.ibm.com>
CC: public-ws-addressing@w3.org

> As for IBM's security concerns, so far our experts tell us ref. props as
> SOAP headers are ok as long as we consistently sign everything, which you
> need to do in any case.

Have you check this with Tony? :)

The problem is that you cannot consistently sign everything in a SOAP 
1.2 message (and 1.1 is trusting to luck) -- you need to "normalize" the 
content of the SOAP Header contents; see 
http://www.w3.org/TR/2003/NOTE-soap12-n11n-20031008/

You can sign "all" the individual headers (each one is a separate 
Reference within the Signature document), but that's not quite the same 
thing, because an adversary could insert an unsigned header in the 
message.  In order to protect against this, your ws-addressing layer 
needs to tell your security layer about *all* the possible refs and 
params, so that the security layer can make sure that there are no 
unsigned refs or params. Or the security layer has to tell the ws-addr 
(or the application) which headers were signed and which ones weren't so 
that it can do the proper checks.

Either way, that's a rather close coupling between layers.  Because of 
this, I'm tending to favor that refs and params *not* being separate 
soap headers.  Or that within the EndpointReference you have href/id 
links out to the specific header elements.
	/r$
-- 
Rich Salz, Chief Security Architect
DataPower Technology                           http://www.datapower.com
XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html
XML Security Overview  http://www.datapower.com/xmldev/xmlsecurity.html
Received on Wednesday, 24 November 2004 15:12:02 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:34:59 GMT