RE: Security Question

Is this an ownership issue?

Simply put, you don't link to a schema that is not under the right ownership and
security. In Roger's example, the purchaser can simply link to a schema owned by
the seller.

Hao

-----Original Message-----
From: Krishna Sankar [mailto:ksankar@cisco.com]
Sent: Tuesday, August 06, 2002 4:47 AM
To: www-ws-arch@w3.org
Subject: RE: Security Question



Roger,

Actually a good question.

a) Normally, the purchase order would be the payload, and based on a
schema/namespace. For example, RosettaNet PIP3A4 Version x would say what
the qty means, how one can add the qualifier "each", "lot", ... et al, and
also what the default value is. If there is no default value, then the PO
would be rejected, ... you get the picture. The PO would be signed and that
is how we assure integrity. Of course, for confidentiality, we would
encrypt the PO as well.

In short, the context, in this case the namespace and the schema, would be
captured in the message and signed to assure integrity.

b) Reading through your e-mail, are you talking about an alteration of the
schema at the buyer side? Were you thinking of creating a PO using one
schema and then sending it out with reference to a similar but different
schema? BTW, this could happen by mistake as well - for example, create
using Version 1.0 and then send with a ref to Version 2.0; and extending
the contrived example, ver 1.0 says "Each" and 2.0 says "doz" as the
default :o(.

BTW, this is not a case of sending a Version 1.0 message to a Version 2.0
web service, because the Version 2.0 service would fault if it cannot
handle the semantics of the 1.0 message. This is where the version number
plays a big role.

cheers
-----Original Message-----
From: www-ws-arch-request@w3.org [mailto:www-ws-arch-request@w3.org] On
Behalf Of Cutler, Roger (RogerCutler)
Sent: Monday, August 05, 2002 11:18 AM
To: www-ws-arch@w3.org
Subject: Security Question


I've got a question about security that may reflect some misconception
on my part -- but here goes anyway:

I think that the XML payload of the response from a web service -- or
indeed I suppose the message that invokes it -- may be validated by a
schema. If so, that schema can add data via defaults and/or fixed
values. How is this secured?

Let me be more specific with a contrived example: Suppose we are
purchasing widgets via a web service and in the XML document you specify
"1" for the amount to purchase. However, suppose the schema has a
default value of "Each" that explains the meaning of the "1". Now
suppose that either from malicious tampering or through the use of a
schema intended for a different audience that default (which is on the
seller side) is changed to "dozen". Now the "1" really means 12 items,
which is a lot more expensive.

This is obviously contrived and dumb, but I think it illustrates the
fact that schemas can affect data.

So how is this secured? Can the buyer in the context of the message
unambiguously specify what schema must be used for validation and have
some sort of check that it was the right one? Can it be secured?
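The widget scenario above and Krishna's answer (sign the schema context together with the PO), worked through as an added example that is not part of this thread. The two schemas and the purchase order are constructed, a tiny ElementTree loop stands in for what a validating parser does when it fills in attribute defaults, and an HMAC over the PO plus a digest of the schema text stands in for a real XML signature.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

XS = "{http://www.w3.org/2001/XMLSchema}"

# Constructed schemas: identical except for the default of the "unit" attribute.
SCHEMA_V1 = """<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
 <xs:element name="po"><xs:complexType>
  <xs:attribute name="qty" type="xs:integer" use="required"/>
  <xs:attribute name="unit" type="xs:string" default="each"/>
 </xs:complexType></xs:element></xs:schema>"""
SCHEMA_V2 = SCHEMA_V1.replace('default="each"', 'default="dozen"')
PO = '<po qty="1"/>'  # constructed purchase order; "unit" is left to the schema default
UNIT_SIZE = {"each": 1, "dozen": 12}


def attribute_defaults(schema_xml):
    """Collect the attribute defaults declared in a simple XSD: {attr name: default}."""
    root = ET.fromstring(schema_xml)
    return {a.get("name"): a.get("default")
            for a in root.iter(XS + "attribute") if a.get("default") is not None}


def effective_items(po_xml, schema_xml):
    """Apply the schema's defaults the way a validating parser augments the
    document, then return the number of items the PO actually orders."""
    po = ET.fromstring(po_xml)
    for name, default in attribute_defaults(schema_xml).items():
        if po.get(name) is None:
            po.set(name, default)  # the schema, not the sender, supplies this value
    return int(po.get("qty")) * UNIT_SIZE[po.get("unit")]


def sign(po_xml, schema_xml, key):
    """Bind the PO to the exact schema text: the tag covers PO || sha256(schema).
    HMAC is a stand-in here for the XML signature the thread talks about."""
    digest = hashlib.sha256(schema_xml.encode()).hexdigest()
    return hmac.new(key, po_xml.encode() + b"\n" + digest.encode(), hashlib.sha256).hexdigest()


def verify(po_xml, schema_xml, key, tag):
    """True only if both the PO and the schema used for validation are the signed ones."""
    return hmac.compare_digest(sign(po_xml, schema_xml, key), tag)
```

With the same `<po qty="1"/>`, `effective_items` returns 1 under SCHEMA_V1 and 12 under SCHEMA_V2; a tag produced with SCHEMA_V1 fails `verify` against SCHEMA_V2, so a swapped or mistakenly referenced schema is caught before the quantity is interpreted.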

Received on Tuesday, 6 August 2002 02:11:07 UTC