W3C home > Mailing lists > Public > www-ws-arch@w3.org > August 2002

RE: Security Question

From: Cutler, Roger (RogerCutler) <RogerCutler@ChevronTexaco.com>
Date: Mon, 5 Aug 2002 12:17:18 -0700
Message-ID: <7FCB5A9F010AAE419A79A54B44F3718E2EAE6E@bocnte2k3.boc.chevrontexaco.net>
To: "'Krishna Sankar'" <ksankar@cisco.com>, www-ws-arch@w3.org

I think my example was not a good one.  Basically, I am concerned that
schema validation may add to the data in an XML document and thus that there
are two linked "things" -- so how is that linkage made reliable?  That is,
the meaning of the document may be different if a different schema is used
-- either maliciously or accidentally.  So how do the people on both ends of
the message ensure that they are in agreement about what schema is being
used?  It seems to me that you can say "this message is signed so we know
who it is from and that the contents are what was actually sent" -- as far
as the contents that are actually in the document.  What about the contents
that are added by schema validation?  Does one actually include the schema
in the document, so it is signed also?  Seems weird and I don't think people
actually do that.  

If A sends B a message M intended to be validated by Schema Sa and B uses
schema Sb to validate it, is there a way to ensure that Sa=Sb?   Or,
actually, what one REALLY wants to ensure is that 

M + Sa(M) = M + Sb(M),

since we know how to ensure that M is the same on both sides.

Obviously if A and B get together in person and compare their schemas they
can check whether things are OK -- and maybe in some sense in most business
appplications this is what will happen.  But I thought that these web
services guys are thinking in terms of real loosely coupled situations,
where it seems to me that this might be an issue.

-----Original Message-----
From: Krishna Sankar [mailto:ksankar@cisco.com] 
Sent: Monday, August 05, 2002 1:47 PM
To: www-ws-arch@w3.org
Subject: RE: Security Question



Roger,

	Actually a good question.

	a)	Normally, the purchase order, which would be the payload
and based on a schema/namespace. For example Rosettanet PIP3A4 Version x
would say what the qty mean, how one can add the qualifier "each", "lot",...
et al and also what the default value is. If there is no default value, then
the PO would be rejected, .... you get the picture. The PO would be signed
and that is how we assure integrity. Of course, for confidentiality,  we
would encrypt the PO as well.

            In short, the context, in this case the namespace and the schema
would be captured in the message and signed to assure integrity. 

    b)    Reading thru your e-mail, are you talking about an alteration
of the schema at the buyer side ? Were you thinking of creating a PO using
one schema and then sending it out with reference to a similar but different
schema ? BTW, this could happen by mistake as well - for example create
using Version 1.0 and then send with a ref to version 2.0; and extending the
contrived example, ver 1.0 says "Each" and 2.0 says "doz" as the default
:o(.

		BTW, this is not a case of sending a Version 1.0 message
to a version 2.0 web service because the version 2.0 service would fault if
it cannot handle the semantics of the 1.0 message. This is where version
number plays a big role.

cheers
-----Original Message-----
From: www-ws-arch-request@w3.org [mailto:www-ws-arch-request@w3.org] On
Behalf Of Cutler, Roger (RogerCutler)
Sent: Monday, August 05, 2002 11:18 AM
To: www-ws-arch@w3.org
Subject: Security Question


I've got a question about security that may reflect some misconception on my
part -- but here goes anyway: 
I think that the XML payload of the response from a web service -- or indeed
I suppose the message that invokes it -- may be validated by a schema.  If
so, that schema can add data via defaults and/or fixed values.  How is this
secured? Let me be more specific with a contrived example:  Suppose we are
purchasing widgets via a web service and in the XML document you specify "1"
for the amount to purchase.  However, suppose the schema has a default value
of "Each" that explains the meaning of the "1".  Now suppose that either
from malicious tampering or through the use of a schema intended for a
different audience that default (which is on the seller side) is changed to
"dozen".  Now the "1" really means 12 items, which is a lot more expensive.
This is obviously contrived and dumb, but I think it illustrates the fact
that schemas can affect data. 
So how is this secured?  Can the buyer in the context of the message
unambiguously specify what schema must be used for validation and have some
sort of check that it was the right one?  Can it be secured?
Received on Monday, 5 August 2002 15:18:49 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 3 July 2007 12:25:03 GMT