W3C home > Mailing lists > Public > www-xkms-ws@w3.org > November 2001

RE: Correlation/Protection (Was: Re: XKMS)

From: Hallam-Baker, Phillip <pbaker@verisign.com>
Date: Wed, 28 Nov 2001 08:16:31 -0800
Message-ID: <2F3EC696EAEED311BB2D009027C3F4F40586988F@vhqpostal.verisign.com>
To: "'stephen.farrell@baltimore.ie'" <stephen.farrell@baltimore.ie>, "'www-xkms-ws@w3c.org'" <www-xkms-ws@w3c.org>
The same thought (digest of the request) had occurred to me simultaneously,
only I was typing up the note. The nice feature of that approach is that it
makes it much harder for a pinhead to code the interface in the wrong way so
that there is an implicit dependence on the authenticity of the request.

I think that the scope of the digest would be the body of the SOAP message.
i would like to see the idea raised at some point to the level of a general
SOAP security mechanism since the problem is pretty general.

	Phill

Phillip Hallam-Baker FBCS C.Eng.
Principal Scientist
VeriSign Inc.
pbaker@verisign.com
781 245 6996 x227


> -----Original Message-----
> From: Stephen Farrell [mailto:stephen.farrell@baltimore.ie]
> Sent: Wednesday, November 28, 2001 5:05 AM
> To: 'www-xkms-ws@w3c.org'
> Subject: Correlation/Protection (Was: Re: XKMS)
> 
> 
> 
> (Changed the subject line to split two threads.)
> 
> I'd be a bit worried that digesting the entire message would 
> run into proxying/SOAP wrapping issues.
> 
> Do we need to be a bit more specific about what's digested?
> 
> Stephen.
> 
> 
> > Mike Just wrote:
> > 
> > That sounds like a good idea. One might argue that XKMS 
> already has the <Respond> element for
> > returning elements sent as part of the request but 
> <Respond> doesn't cover items such as the
> > Transaction ID and the service URL.  Phill's 
> <SigningContext> element (from
> > 
> http://lists.w3.org/Archives/Public/www-xkms-ws/2001Nov/0065.h
> tml) would add these items. However,
> > <Respond> doesn't return additional elements such as 
> <KeyId> that might be sent as part of a
> > <Query>. It seems safest to allow the return of the hash of 
> the entire request (or else someone
> > will likely break/attack any partial solution).
> > 
> > As for how the client requests this, maybe it could be 
> another <Respond> option; something like
> > <Respond>
> >         RequestReference
> > </Respond>
> > which would return an XMLDSig reference element computed 
> over the entire client request.
> > Phill's <SigningContext> would still be required I believe; 
> at least for the service URL (unless
> > we decide to include this as part of the request schema as well).
> > 
> > (I might have thought that it would be mandatory to include 
> the RequestReference for the most
> > secure operation, but if the session were protected by TLS, 
> for example, then some correspondence
> > between the request and response would already be provided. 
> The spec would have to indicate these
> > security issues/options of course.)
> > 
> > Mike
> > 
> > > -----Original Message-----
> > > From: Rich Salz [mailto:rsalz@zolera.com]
> > > Sent: Tuesday, November 27, 2001 11:53 AM
> > > To: Mike Just
> > > Cc: 'www-xkms-ws@w3c.org'
> > > Subject: Re: XKMS
> > >
> > >
> > > That makes sense -- the server can return an element 
> XMLDSIG Reference
> > > element for the client request -- but how can the client 
> indicate it
> > > wants that? Or is that left as a quality of implementation issue?
> > >       /r$
> > >
> > > --
> > > Zolera Systems, Your Key to Online Integrity
> > > Securing Web services: XML, SOAP, Dig-sig, Encryption
> > > http://www.zolera.com
> > >
> 
> -- 
> ____________________________________________________________
> Stephen Farrell         				   
> Baltimore Technologies,   tel: (direct line) +353 1 881 6716
> 39 Parkgate Street,                     fax: +353 1 881 7000
> Dublin 8.                mailto:stephen.farrell@baltimore.ie
> Ireland                             http://www.baltimore.com
> 



Received on Wednesday, 28 November 2001 11:19:50 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 13:51:42 EDT