W3C home > Mailing lists > Public > public-ws-addressing@w3.org > January 2005

RE: Problems with the SOAP binding

From: Jonathan Marsh <jmarsh@microsoft.com>
Date: Mon, 3 Jan 2005 11:13:50 -0800
Message-ID: <7DA77BF2392448449D094BCEF67569A5060FB6CB@RED-MSG-30.redmond.corp.microsoft.com>
To: "Rich Salz" <rsalz@datapower.com>
Cc: <public-ws-addressing@w3.org>

Like I said, I'm not a security expert, but I'm not aware of anything in
WSS that implies that all security features must be expressed through
WSS.  Do you have a reference to the part of WSS that you're concerned
about?

Expanding on my earlier post, to statelessly secure a refP against
modification, one could:
- insert within the refP itself the security measures such as 
  a DSig that enable the service to verify that the refP hasn't 
  been changed since issued, or
- insert a second refP containing security measures and pointing to
  the header (or headers) to be secured.

This is similar to statelessly securing HTTP cookies.  The cookie
transfer mechanism is defined in a general spec but how cookies ensure
clients don't modify their contents is out-of-scope.  Just as you don't
use TLS to prevent clients from altering cookies you don't use WSS to
prevent clients from altering headers.

ID attribute collisions seem indeed to be a problem, regardless of
whether refPs are wrapped or not - this is a general problem when
combining chunks of XML.  We should look at this more closely, but on a
practical level I might try to make sure any ID values I stuck in my
refPs were unlikely to cause conflicts, e.g. something like an embedded
GUID value xml:id="guid-1234-1234-1234-12345678".


> -----Original Message-----
> From: Rich Salz [mailto:rsalz@datapower.com]
> Sent: Thursday, December 23, 2004 1:36 PM
> To: Jonathan Marsh
> Cc: tom@coastin.com; Srinivas, Davanum M; public-ws-addressing@w3.org
> Subject: Re: Problems with the SOAP binding
> 
> > Um, wouldn't the wrapped problem "solve" this by hiding the security
> > stuff in a place where the SOAP security processor can't find it?
> 
> That's the $10,000 question.  Is the intent of WS-Security that all
> signature functions related to securing the SOAP message be part of
> the
> WSS header?  If so, problems.  If not, then a wrapper works.
> 
> Still got the ID attribute issue, tho.
> 
> 
> 	/r$
> 
> --
> Rich Salz, Chief Security Architect
> DataPower Technology
> http://www.datapower.com
> XS40 XML Security Gateway
> http://www.datapower.com/products/xs40.html
> XML Security Overview
> http://www.datapower.com/xmldev/xmlsecurity.html
Received on Monday, 3 January 2005 19:14:39 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:35:01 GMT