www-ws-arch@w3.org mailing list archive (W3C public lists), August 2002

RE: Security Question

From: Ugo Corda <UCorda@SeeBeyond.com>
Date: Mon, 5 Aug 2002 13:59:13 -0700
Message-ID: <C513FB68F8200244B570543EF3FC653708AE35E4@MAIL1.stc.com>
To: "'Cutler, Roger (RogerCutler)'" <RogerCutler@ChevronTexaco.com>, www-ws-arch@w3.org

I think there are a couple of different issues involved here, depending on
the context you are operating in.

- Security: 
If you don't trust the receiver, you are probably in a non-repudiation
situation. You want to be able to show later on that the receiver indeed
received your message and that your message was using a particular schema.
This could be based only on showing the use of a particular namespace by the
sender. But what if the receiver substitutes the schema associated with that
namespace with a different one? Probably to ensure complete non-repudiation
the sender should include the schema with the message itself (e.g. as an
attachment).
All this makes sense, of course, only if the PSVI is created on the
receiving end, otherwise there should be no problems with default values
(which would be generated by the sender and not by the receiver).

- Semantics:
Even if the sender can prove that he used a particular schema, the receiver
could still say that the semantics of the schema/namespace used are
different from the ones the sender understood (after all, schemas only
address syntax, and the semantic interpretation is only hinted at by the
schema, unless there are additional documents to completely clarify the
semantics - e.g. in plain English). This seems to be the age old semantics
problem.

- Versioning:
Assuming that sender and receiver are in good faith, there still might be a
versioning problem. For example, the sender might be using a schema derived
from reading a now obsolete WSDL spec provided by the receiver. In this
situation, the namespace URIs from the old and new schemas should be unique
and different, allowing the receiver to figure out that the sender used an
obsolete schema.


Ugo

-----Original Message-----
From: Cutler, Roger (RogerCutler) [mailto:RogerCutler@ChevronTexaco.com]
Sent: Monday, August 05, 2002 12:17 PM
To: 'Krishna Sankar'; www-ws-arch@w3.org
Subject: RE: Security Question



I think my example was not a good one.  Basically, I am concerned that
schema validation may add to the data in an XML document and thus that there
are two linked "things" -- so how is that linkage made reliable?  That is,
the meaning of the document may be different if a different schema is used
-- either maliciously or accidentally.  So how do the people on both ends of
the message ensure that they are in agreement about what schema is being
used?  It seems to me that you can say "this message is signed so we know
who it is from and that the contents are what was actually sent" -- as far
as the contents that are actually in the document.  What about the contents
that are added by schema validation?  Does one actually include the schema
in the document, so it is signed also?  Seems weird and I don't think people
actually do that.  

If A sends B a message M intended to be validated by Schema Sa and B uses
schema Sb to validate it, is there a way to ensure that Sa=Sb?   Or,
actually, what one REALLY wants to ensure is that 

M + Sa(M) = M + Sb(M),

since we know how to ensure that M is the same on both sides.

Obviously if A and B get together in person and compare their schemas they
can check whether things are OK -- and maybe in some sense in most business
applications this is what will happen.  But I thought that these web
services guys are thinking in terms of real loosely coupled situations,
where it seems to me that this might be an issue.

-----Original Message-----
From: Krishna Sankar [mailto:ksankar@cisco.com] 
Sent: Monday, August 05, 2002 1:47 PM
To: www-ws-arch@w3.org
Subject: RE: Security Question



Roger,

	Actually a good question.

	a)	Normally, the purchase order would be the payload and based on a
schema/namespace. For example RosettaNet PIP3A4 Version x would say what the
qty means, how one can add the qualifier "each", "lot", ... et al. and also
what the default value is. If there is no default value, then the PO would be
rejected, .... you get the picture. The PO would be signed and that is how we
assure integrity. Of course, for confidentiality, we would encrypt the PO as
well.

	In short, the context, in this case the namespace and the schema,
would be captured in the message and signed to assure integrity.

	b)	Reading through your e-mail, are you talking about an alteration
of the schema at the buyer side? Were you thinking of creating a PO using
one schema and then sending it out with reference to a similar but different
schema? BTW, this could happen by mistake as well - for example create
using Version 1.0 and then send with a ref to version 2.0; and extending the
contrived example, ver 1.0 says "Each" and 2.0 says "doz" as the default
:o(.

	BTW, this is not a case of sending a Version 1.0 message to a
version 2.0 web service because the version 2.0 service would fault if it
cannot handle the semantics of the 1.0 message. This is where the version
number plays a big role.

cheers
-----Original Message-----
From: www-ws-arch-request@w3.org [mailto:www-ws-arch-request@w3.org] On
Behalf Of Cutler, Roger (RogerCutler)
Sent: Monday, August 05, 2002 11:18 AM
To: www-ws-arch@w3.org
Subject: Security Question


I've got a question about security that may reflect some misconception on my
part -- but here goes anyway: 
I think that the XML payload of the response from a web service -- or indeed
I suppose the message that invokes it -- may be validated by a schema.  If
so, that schema can add data via defaults and/or fixed values.  How is this
secured? Let me be more specific with a contrived example:  Suppose we are
purchasing widgets via a web service and in the XML document you specify "1"
for the amount to purchase.  However, suppose the schema has a default value
of "Each" that explains the meaning of the "1".  Now suppose that either
from malicious tampering or through the use of a schema intended for a
different audience that default (which is on the seller side) is changed to
"dozen".  Now the "1" really means 12 items, which is a lot more expensive.
This is obviously contrived and dumb, but I think it illustrates the fact
that schemas can affect data. 
So how is this secured?  Can the buyer in the context of the message
unambiguously specify what schema must be used for validation and have some
sort of check that it was the right one?  Can it be secured?
Received on Monday, 5 August 2002 16:59:50 GMT
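The default-value problem Roger raises in the message above, together with the mitigation Ugo proposes at the top of the thread (carry the sender's schema inside what is signed, and keep namespace URIs distinct per version), as an added example in Python. This is not code from any of the thread's authors. The purchase-order vocabulary, both schemas, the shared-key HMAC standing in for an XML Signature, and the toy validator that only applies xs:attribute defaults are all constructed for the illustration; a real validator produces a far richer PSVI.

```python
"""Added example, not code from the thread or its authors.

A signature over the bytes of M says nothing about Sa(M), the data that
schema validation adds. Everything here is constructed: the PO vocabulary,
both schemas, the HMAC used in place of an XML Signature, and a toy
validator that only applies xs:attribute/@default.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

XS = "{http://www.w3.org/2001/XMLSchema}"
KEY = b"demo-signing-key"  # constructed; a real signer uses a private key

# Constructed message M: the buyer orders "1" and never states a unit.
MESSAGE = b'<po xmlns="urn:example:po"><item sku="W-1" qty="1"/></po>'


def make_schema(unit_default: str) -> bytes:
    """Constructed XSD; the two variants differ only in the 'unit' default."""
    return (
        '<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" '
        'targetNamespace="urn:example:po" elementFormDefault="qualified">'
        '<xs:element name="po"><xs:complexType><xs:sequence>'
        '<xs:element name="item"><xs:complexType>'
        '<xs:attribute name="sku" type="xs:string"/>'
        '<xs:attribute name="qty" type="xs:integer"/>'
        f'<xs:attribute name="unit" type="xs:string" default="{unit_default}"/>'
        '</xs:complexType></xs:element>'
        '</xs:sequence></xs:complexType></xs:element></xs:schema>'
    ).encode()


SCHEMA_A = make_schema("each")   # Sa: what the buyer validated against
SCHEMA_B = make_schema("dozen")  # Sb: substituted, or simply a newer revision


def schema_defaults(xsd: bytes) -> dict:
    """(element name, attribute name) -> default value, for attributes
    declared directly inside an element's anonymous complexType."""
    defaults = {}
    for elem in ET.fromstring(xsd).iter(XS + "element"):
        for attr in elem.findall(f"{XS}complexType/{XS}attribute"):
            if attr.get("default") is not None:
                defaults[(elem.get("name"), attr.get("name"))] = attr.get("default")
    return defaults


def apply_defaults(message: bytes, xsd: bytes) -> list:
    """Sa(M): attribute values the document never carried but validation
    adds, as (element, attribute, value) triples in document order."""
    defaults = schema_defaults(xsd)
    added = []
    for el in ET.fromstring(message).iter():
        local = el.tag.rsplit("}", 1)[-1]
        for (ename, aname), value in defaults.items():
            if ename == local and aname not in el.attrib:
                added.append((local, aname, value))
    return added


def sign(payload: bytes) -> str:
    return hmac.new(KEY, payload, hashlib.sha256).hexdigest()


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def naive_receiver(message: bytes, signature: str, xsd: bytes):
    """Checks only that M is authentic, then validates with whatever schema
    is locally bound to the namespace; the signature never covers that choice."""
    if not hmac.compare_digest(sign(message), signature):
        return None
    return apply_defaults(message, xsd)


def bind_schema(message: bytes, xsd: bytes) -> bytes:
    """Sender side of the mitigation: commit to the schema inside the signed
    bytes. A digest is used here; a signed attachment of the whole schema
    works the same way."""
    root = ET.fromstring(message)
    root.set("schemaDigest", digest(xsd))
    return ET.tostring(root)


def checking_receiver(message: bytes, signature: str, xsd: bytes) -> dict:
    """Receiver side: authenticate M, confirm the root namespace is the one
    the local schema targets (the versioning check), then refuse a schema
    whose digest differs from the one the sender committed to."""
    if not hmac.compare_digest(sign(message), signature):
        return {"ok": False, "reason": "bad signature"}
    root = ET.fromstring(message)
    ns = root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""
    if ns != ET.fromstring(xsd).get("targetNamespace"):
        return {"ok": False, "reason": "namespace/version mismatch"}
    if root.get("schemaDigest") != digest(xsd):
        return {"ok": False, "reason": "schema mismatch"}
    return {"ok": True, "added": apply_defaults(message, xsd)}


def demo() -> dict:
    sig = sign(MESSAGE)
    bound = bind_schema(MESSAGE, SCHEMA_A)
    return {
        # Same authentic M, two different meanings of "1": each vs dozen.
        "naive_with_Sa": naive_receiver(MESSAGE, sig, SCHEMA_A),
        "naive_with_Sb": naive_receiver(MESSAGE, sig, SCHEMA_B),
        # With the schema bound into the signed bytes, Sb is refused.
        "bound_with_Sa": checking_receiver(bound, sign(bound), SCHEMA_A),
        "bound_with_Sb": checking_receiver(bound, sign(bound), SCHEMA_B),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The naive receiver accepts the same signed M under either schema and ends up with a different post-validation document; the checking receiver rejects the substituted schema before any default is applied. The digest proves which schema the sender used, nothing more: the receiver still has to resolve the namespace to its own copy and compare, and agreement on what that schema means (Ugo's semantics point) is not something a signature can settle.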
