- From: <noah_mendelsohn@us.ibm.com>
- Date: Sat, 5 Mar 2005 18:33:33 -0500
- To: Rich Salz <rsalz@datapower.com>
- Cc: Mark Baker <distobj@acm.org>, "public-ws-addressing@w3.org" <public-ws-addressing@w3.org>, "www-tag@w3.org" <www-tag@w3.org>
> There is no way to get end-to-end security on HTTP
> headers. Put another way, while I can sign a
> wsa:To element, there is no way (at least not a
> standard way; there might be a private scheme I
> don't know about) to sign the URL in the POST
> command.

Agreed. I think what you're giving is an argument not to use a network or
"underlying protocol" with insecure routing if it doesn't meet your needs.
One way or the other, your SOAP message over HTTP is going to have >some<
request ID, and that's what's actually going to cause the message to be
delivered. Depending on where in your own software or in the network you
fear vulnerabilities, it seems inherent in HTTP and to some degree in IP
that if someone can change your request ID before the message is
delivered, they can cause it to be misrouted. Once that happens,
signatures in the SOAP messages can protect you from imposters and "men in
the middle", but they can't cause your original message to be properly
delivered.

If the worry is that the message is somehow delivered correctly but the
request ID is mangled anyway, then one could in principle check it against
the secure copy in a signed WSA header, I think.

Bottom line: it seems to me that HTTP is the wrong protocol to use if
you're worried about attacks on HTTP headers. Given that we're discussing
situations where you are using HTTP, I don't see why duplicating the
delivery address from the WSA header is any worse than getting it from
anywhere else.

Given that Rich is a security expert and I'm not, the usual pattern at
this point in our discussions is that he'll politely explain why I've
completely misunderstood the problem. I do feel like I'm missing
something. Help is definitely appreciated.

Thanks.

Noah
--------------------------------------
Noah Mendelsohn
IBM Corporation
One Rogers Street
Cambridge, MA 02142
1-617-693-4036
--------------------------------------
Rich Salz <rsalz@datapower.com>
03/04/2005 10:46 AM
To: "noah_mendelsohn@us.ibm.com" <noah_mendelsohn@us.ibm.com>
cc: Mark Baker <distobj@acm.org>, "public-ws-addressing@w3.org"
<public-ws-addressing@w3.org>, "www-tag@w3.org" <www-tag@w3.org>
Subject: Re: Minutes of the Web Services Addressing / TAG joint meeting
> "underlying" protocol such as HTTP. Duplication has serious downsides,
> but also some advantages, and may be a reasonable compromise in some
> cases, perhaps this one.
There is no way to get end-to-end security on HTTP headers. Put another
way, while I can sign a wsa:To element, there is no way (at least not a
standard way; there might be a private scheme I don't know about)
to sign the URL in the POST command.
/r$
--
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
Received on Sunday, 6 March 2005 00:08:53 UTC
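
The check suggested in the thread, comparing the URI that HTTP actually delivered on against the copy in a signed wsa:To header, could look like the sketch below. This is an added example, not code from either correspondent. It assumes the XML Signature covering wsa:To has already been verified by a separate layer, uses the SOAP 1.2 and WS-Addressing 1.0 namespaces, and the function names and sample envelope are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"soap": "http://www.w3.org/2003/05/soap-envelope",
      "wsa": "http://www.w3.org/2005/08/addressing"}
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample envelope (signature elements omitted for brevity).
ENVELOPE = (
    '<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" '
    'xmlns:wsa="http://www.w3.org/2005/08/addressing"><soap:Header>'
    "<wsa:To>http://orders.example.com/purchase</wsa:To>"
    "</soap:Header><soap:Body/></soap:Envelope>"
)


def canonical(uri):
    """Reduce a URI to a tuple that ignores scheme/host case and default ports."""
    parts = urlsplit(uri.strip())
    scheme = parts.scheme.lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port, parts.path or "/", parts.query)


def signed_wsa_to(envelope_xml):
    """Return the text of the one wsa:To header, or None if absent or repeated.

    Assumption: an XML Signature covering wsa:To was verified before this call.
    """
    root = ET.fromstring(envelope_xml)
    headers = root.findall("soap:Header/wsa:To", NS)
    if len(headers) != 1 or not (headers[0].text or "").strip():
        return None  # ambiguous or missing address: fail closed
    return headers[0].text.strip()


def request_matches_wsa_to(request_target, host_header, scheme, envelope_xml):
    """True only if the URI HTTP delivered on equals the signed wsa:To."""
    signed_to = signed_wsa_to(envelope_xml)
    if signed_to is None:
        return False
    if request_target.startswith("/"):  # origin-form: rebuild from Host header
        delivered = f"{scheme}://{host_header}{request_target}"
    else:  # absolute-form request target
        delivered = request_target
    try:
        return canonical(delivered) == canonical(signed_to)
    except ValueError:  # malformed port in either URI
        return False
```

A mismatch here only detects that the HTTP-level address and the signed address disagree after delivery; as the message above notes, it cannot make a misrouted message reach its intended recipient.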